
I am creating an Azure SQL Server using an Azure ARM template. The 'auditingSettings' configuration requires the SQL Server's identity to have permission on an Azure storage account (in a different resource group). I am using the sample code below to grant that permission. However, the template deployment fails, indicating that the storage account is not found where the SQL Server is deployed, which is true.

So, how do I LINK (refer to) a storage account which is present in a different resource group under the SCOPE of 'Microsoft.Authorization/roleAssignments'?

Template snip:

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[parameters('roleNameGuid')]",
      "scope": "[concat('Microsoft.Storage/storageAccounts', '/', variables('storageName'))]",
      "dependsOn": [
        "[variables('storageName')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }

Error:

    New-AzResourceGroupDeployment : 5:14:22 PM - Resource Microsoft.Authorization/roleAssignments 'cca0ed12-d67c-58cd-a569-e265bc2d5806' failed with message '{
      "error": {
        "code": "ResourceNotFound",
        "message": "The Resource 'Microsoft.Storage/storageAccounts/commonsdev' under resource group 'apis-dev' was not found. For more details please go to 
    https://aka.ms/ARMResourceNotFoundFix"
      }
    }'
    At line:1 char:1
    + New-AzResourceGroupDeployment `
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

    New-AzResourceGroupDeployment : 5:20:00 PM - Resource Microsoft.Sql/servers/auditingSettings 'apis-sqlserver-dev/Default' failed with message '{
      "status": "Failed",
      "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "BlobAuditingInsufficientStorageAccountPermissions",
            "message": "Insufficient read or write permissions on storage account 'commonsdev'. Add permissions to the server Identity to the storage account."
          }
        ]

1 Answer


To do roleAssignments in a template, the scope of the roleAssignment must be at or below the scope of the template deployment. So basically, if you want to touch resources in different resourceGroups you need to deploy the template to those resourceGroups.

If your "primary" purpose of the template is SQL and then you want to assign the role as the scope of storage in a different resourceGroup - you need to nest a deployment to that resourceGroup, e.g.

    {
      "apiVersion": "2020-10-01",
      "name": "assignRole",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
              "name": "[guid(parameters('roleNameGuid'))]",
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2017-05-01",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
              }
            }
          ]
        }
      }
    }

Things to note:

  • the resourceGroup property on the Microsoft.Resources/deployments resource
  • the scope property on the roleAssignment (which you have)
  • you must have permission to assign a role at that scope - the second error message you have above suggests that you do not (which is a separate problem, of course)

Side note: I didn't "fix" your code; the above is just a working sample.

That help?
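A complete outer template that ties the answer's pieces together, as an added example rather than the question's or the answer's own code: the SQL server with a system-assigned identity, a nested deployment into the storage account's resource group that grants that identity the built-in Storage Blob Data Contributor role (what auditing needs when no storage key is supplied), and the auditingSettings resource depending on that nested deployment so the role exists before auditing is enabled. Parameter names, apiVersions and the role definition GUID are assumptions not taken from the page, and the `//` comments rely on ARM's tolerance for comments in template JSON.

```json
{ // Added example, not the page's code: parameter names, apiVersions and the role GUID are assumptions.
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlServerName": { "type": "string" }, "adminLogin": { "type": "string" }, "adminPassword": { "type": "securestring" },
    "storageRgName": { "type": "string" }, "storageAccountName": { "type": "string" }
  },
  "variables": {
    "blobDataContributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", // built-in Storage Blob Data Contributor
    "sqlServerId": "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]",
    "storageId": "[resourceId(parameters('storageRgName'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    { // 1. The server, with a system-assigned identity that auditing will use to write to storage
      "type": "Microsoft.Sql/servers", "apiVersion": "2021-02-01-preview",
      "name": "[parameters('sqlServerName')]", "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": { "administratorLogin": "[parameters('adminLogin')]", "administratorLoginPassword": "[parameters('adminPassword')]" }
    },
    { // 2. Nested deployment into the storage account's resource group; the roleAssignment scope is relative to that RG
      "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01",
      "name": "assignAuditRole", "resourceGroup": "[parameters('storageRgName')]",
      "dependsOn": [ "[variables('sqlServerId')]" ],
      "properties": { "mode": "Incremental", "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0",
        "resources": [ {
          "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-04-01-preview",
          "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
          "name": "[guid(variables('storageId'), variables('sqlServerId'), variables('blobDataContributor'))]", // deterministic, so redeploys are idempotent
          "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('blobDataContributor'))]",
            "principalId": "[reference(variables('sqlServerId'), '2021-02-01-preview', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal" // avoids the replication-delay failure for a just-created identity
          }
        } ]
      } }
    },
    { // 3. Auditing is enabled only after the role assignment deployment has completed
      "type": "Microsoft.Sql/servers/auditingSettings", "apiVersion": "2021-02-01-preview",
      "name": "[concat(parameters('sqlServerName'), '/default')]",
      "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'assignAuditRole')]" ],
      "properties": {
        "state": "Enabled", "auditActionsAndGroups": [ "BATCH_COMPLETED_GROUP" ],
        "storageEndpoint": "[reference(variables('storageId'), '2021-04-01').primaryEndpoints.blob]",
        "storageAccountSubscriptionId": "[subscription().subscriptionId]"
      }
    }
  ]
}
```

The deploying principal still needs rights to create role assignments in the storage account's resource group (Owner or User Access Administrator there), which is the second failure the answer points at.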