Reputation: 8382
I would like to define the access control (IAM) rules for a Service Bus Queue using an ARM template. I know how to do it for an Azure KeyVault, so I defined the following template, which creates a service bus namespace along with a queue and then assigns the role of Azure Service Bus Data Owner to a function app:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppPrincipalId": {
      "type": "string"
    }
  },
  "variables": {
    "serviceBusName": "myServiceBus",
    "queueName": "creation-requests",
    "serviceBusUserRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
    "serviceBusRoleAssignmentName": "[concat(variables('serviceBusName'), '/Microsoft.Authorization/', guid(uniqueString(variables('serviceBusName'))))]"
  },
  "resources": [
    {
      "name": "[variables('serviceBusName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "apiVersion": "2018-01-01-preview",
      "location": "canadaeast",
      "sku": {
        "name": "Basic"
      },
      "properties": {},
      "resources": [
        {
          "apiVersion": "2017-04-01",
          "name": "[variables('queueName')]",
          "type": "Queues",
          "dependsOn": [
            "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusName'))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "defaultMessageTimeToLive": "P0Y0M1DT0H0M0S"
          }
        }
      ]
    },
    {
      "type": "Microsoft.ServiceBus/namespaces/providers/roleAssignments",
      "name": "[variables('serviceBusRoleAssignmentName')]",
      "apiVersion": "2020-04-01-preview",
      "properties": {
        "roleDefinitionId": "[variables('serviceBusUserRoleDefinitionId')]",
        "principalId": "[parameters('functionAppPrincipalId')]"
      }
    }
  ],
  "outputs": {
  }
}
Executing it results in the following error:
2020-12-23T17:57:52.3905460Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-12-23T17:57:52.3941413Z ##[error]Details:
2020-12-23T17:57:52.3946096Z ##[error]Conflict: {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n \"error\": {\r\n \"code\": \"RoleAssignmentUpdateNotPermitted\",\r\n \"message\": \"Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\"\r\n }\r\n}"
}
]
}
]
}
}
Question
In an ARM template, how do I assign a Service Bus role to an App Service?
Upvotes: 2
Views: 1924
Reputation: 42063
If you want to assign the Azure Service Bus Data Owner role to an App Service (per my understanding, you mean MSI here) at the subscription level, you could use the template below; it works for me.
template1.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the role definition ID used in the role assignment."
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the principal ID assigned to the role."
      }
    }
  },
  "variables": {
    "roleAssignmentName": "[guid(parameters('principalId'), parameters('roleDefinitionID'), subscription().id)]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[subscription().id]"
      }
    }
  ]
}
parameters1.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "value": "090c5cfd-751d-490a-894a-3ce6f1109419"
    },
    "principalId": {
      "value": "xxxxxxxxxxxxx"
    }
  }
}
Use PowerShell New-AzDeployment to deploy the template at subscription scope.
New-AzDeployment -Location eastus -TemplateFile C:\Users\Administrator\Desktop\template1.json -TemplateParameterFile C:\Users\Administrator\Desktop\parameters1.json
Check in the portal:
Upvotes: 1