Reputation: 522
I need to grant Reader access to my Managed Application outside of the application resource group. The user deploying the app is Owner on the subscription, so the deployment should go through, but it currently fails because the resource deployment happens under the identity of the Appliance Resource Provider instead of the user. Is there a way to create role assignments with Managed Applications?
Snippet of mainTemplate.json (MSI creation + nested template trying to create the role assignment at the subscription scope):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {...},
  "variables": {...},
  "resources": [
    // User-assigned managed identity that the role assignment is granted to
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('applicationName')]",
      "apiVersion": "2018-11-30",
      "location": "[parameters('location')]"
    },
    ...
    // Nested deployment targeting the subscription scope (subscriptionId + location required)
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[variables('name')]",
      "subscriptionId": "[subscription().subscriptionId]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          // Principal id of the identity created above (resource type without trailing slash)
          "principalId": {
            "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))).principalId]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": {
              "type": "string"
            }
          },
          "variables": {},
          "resources": [
            // Role: Reader
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2018-09-01-preview",
              "name": "[guid(parameters('principalId'), 'Subscription-Reader')]",
              "properties": {
                "principalId": "[parameters('principalId')]",
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
              }
            }
          ]
        }
      }
    }
  ]
}
Managed App deployment error:
{
  "status": "Failed",
  "error": {
    "code": "ApplianceDeploymentFailed",
    "message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'",
    "details": [
      {
        "code": "BadRequest",
        "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidTemplateDeployment\",\r\n \"message\": \"The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.\"\r\n }\r\n}"
      }
    ]
  }
}
Upvotes: 1
Views: 877
Reputation: 93
The Appliance Resource Principal is the resource principal that does the deployments for the managed application. It has Owner permissions only on the managed resource group and does not have any other permissions outside the resource group in the customer's tenant.
To achieve this scenario the customer needs to first grant the managed application access to do these role assignments. They can do this by adding an MSI to the managed application and granting that MSI permissions outside the managed resource group. When the Appliance Resource Principal does the deployments, it will include any permissions that the MSI on the managed application has during the deployments.
Please see here for details on how the MSI can be included during deployment of the managed application: https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#linking-existing-azure-resources
Upvotes: 1