Reputation: 1715
I would like to create a user assigned identity with Terraform that has read permission on an already existing Azure storage account. How can I grant that with Terraform? I am creating the whole infrastructure with the service principal I'm using right now, so it's unlikely that it's a permission issue.
# My user assigned identity:
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
  name                = "${var.resource_prefix}useridentity"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# and the role assignment to this identity
resource "azurerm_role_assignment" "example" {
  scope = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name"
  # role_definition_id expects the full role definition resource ID
  # (/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>),
  # not a bare GUID; role_definition_name = "<built-in role name>" is the simpler option.
  role_definition_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
  principal_id       = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
But I am having this error:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name/providers/Microsoft.Authorization/roleAssignments/"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"' or the scope is invalid. If access was recently granted, please refresh your credentials."
Any idea what I'm doing wrong?
Upvotes: 2
Views: 7465
Reputation: 8116
To assign roles, you need the Microsoft.Authorization/roleAssignments/write permission, which is included in either the Owner or the User Administrator role.

Giving your service principal Owner violates the principle of least privilege; if no other permissions are required, I would suggest using User Administrator.
Upvotes: 1
Reputation: 11411
For assigning roles to a user assigned identity using your service principal from Terraform, you need to give the service principal "Owner" permission on the subscription. It is not possible to do with "Contributor" permission. Using Contributor access you can create or manage the resources in the subscription but not assign roles.
Testing:
My service principal which I will be using to authenticate from terraform.
Providing Owner access to the above service principal in the subscription.
My Terraform Script:
# Credentials are hardcoded here only for this test; in practice supply them
# through the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and
# ARM_TENANT_ID environment variables so the secret never lands in source control.
provider "azurerm" {
  client_id       = "f6a2f33d-xxxx-xxxxx-xxxxx-xxxx"
  subscription_id = "948d4068--xxxx-xxxx-xxxxx-xxxx"
  client_secret   = "KEa7Q~2673QY.uN.xxxxxxxxxxxx"
  tenant_id       = "72f988bf-xxxxx-xxxxx-xxxxx-xxxxx"
  features {}
}

resource "azurerm_user_assigned_identity" "user_assigned_identity" {
  name                = "myuseridentity"
  location            = "East US"
  resource_group_name = "ansumantest"
}

# and the role assignment to this identity, by built-in role name
resource "azurerm_role_assignment" "example" {
  scope                = "/subscriptions/948d4068--xxxx-xxxx-xxxxx-xxxxx/resourceGroups/ansumantest"
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
Output:
Validating from Azure Portal:
Note: Your service principal currently has Contributor access; giving it Owner access should resolve the issue.
Upvotes: 1
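Putting the two answers together (a least-privilege grant for the deploying service principal, and the role assignment for the identity itself), here is an added example that is not from the question or from either answer. It assumes an existing storage account and resource group supplied through variables, a deploying service principal that authenticates via the ARM_* environment variables, and that an Owner has already granted that service principal "User Access Administrator" on the resource group out of band (the `az` command in the comment is the bootstrap step; the object ID and subscription placeholders are assumptions). The data source names, variable names and resource labels are mine, not the original poster's.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# No credentials in the provider block: the azurerm provider reads
# ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID.
provider "azurerm" {
  features {}
}

# Assumed inputs; values shown are placeholders, not real resources.
variable "resource_prefix" {
  type    = string
  default = "demo"
}

variable "location" {
  type    = string
  default = "East US"
}

variable "resource_group_name" {
  type    = string
  default = "example-rg"
}

variable "storage_account_name" {
  type    = string
  default = "examplestorage"
}

# Bootstrap, run once by an Owner outside Terraform, so the deploying service
# principal can write role assignments inside this resource group only (not
# subscription-wide Owner):
#   az role assignment create \
#     --assignee-object-id <deployer-object-id> \
#     --assignee-principal-type ServicePrincipal \
#     --role "User Access Administrator" \
#     --scope /subscriptions/<subscription-id>/resourceGroups/example-rg

# The storage account already exists, so look it up rather than manage it.
# Reading it requires only Reader-level access, which Contributor already covers.
data "azurerm_storage_account" "existing" {
  name                = var.storage_account_name
  resource_group_name = var.resource_group_name
}

resource "azurerm_user_assigned_identity" "reader" {
  name                = "${var.resource_prefix}useridentity"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Read-only blob access, scoped to the single storage account rather than the
# whole resource group, using the built-in role by name so no role definition
# ID has to be looked up or hardcoded.
resource "azurerm_role_assignment" "blob_reader" {
  scope                = data.azurerm_storage_account.existing.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.reader.principal_id
}

output "identity_client_id" {
  description = "Client ID the workload passes when requesting a token as this identity."
  value       = azurerm_user_assigned_identity.reader.client_id
}
```

Two points worth checking after `terraform apply`: the assignment should appear under the storage account's Access control (IAM) blade, not the resource group's, and the deploying service principal should still fail to create role assignments outside that resource group, which is the whole point of scoping its "User Access Administrator" grant there instead of giving it subscription-wide Owner.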