Reputation: 67
Azure Blueprints deployment permissions when linking template specs in another subscription
I am setting up Blueprints using linked template specs that are deployed in a common subscription. The Blueprints are published to a management group so I can deploy the same set of resources to multiple subscriptions. Blueprints with out using the linked template specs are working fine but when trying to assign a blueprint that uses linked template specs to a subscription that is different from the subscription that the template specs are deployed to fails due to permissions issues accessing the template specs. What permissions and what user needs to be set on the template spec resource group so the Blueprint can access the template specs?
As a note this is using system assigned identity in the blueprint assignment.
Upvotes: 0
Views: 257
Answers (1)
Reputation: 8737
When you use a system assigned MSI that MSI is given permissions to the sub the assignment is assigned to... so if your templateSpecs are in a different sub you won't be able to used a system assigned identity unless the templateSpecs are replicated to the sub for assignment. Not ideal...
If you use a userAssigned identity on the BP assignment then you can make sure that identity has perms to the templateSpecs beforehand.
Upvotes: 0
Related Questions
- How to deploy an ARM Template without granting ownership over the entire subscription?
- Sharing templates across repositories in Azure devops
- Azure ARM template resourceId problem with nested deployments on subscription level
- Using templates that themselves use templates located in other repositories
- Deploy ARM Templates Without DependsOn under Specific Subscription of Specified resource group
- Is it possible to deploy local linked template via New-AzureRMResourceGroupDeployment
- Azure ARM templates - using the output of other deployments
- Azure Arm template dependson with linked template
- Azure - do not allow Arm template to modify existing resources
- How to create a nested template to deploy resources to subscriptions in different Azure AD Tenants?