Reputation: 1
How to assign Azure AD PIM to a custom RBAC role using BICEP
I am trying to use the below Bicep template to assign PIM to the custom RBAC role at the subscription level of scope.

```bicep
targetScope = 'subscription'
param startTime string = utcNow()

resource symbolicname 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: 'string'
  scope: subscription()
  properties: {
    principalId: 'xxxx'
    requestType: 'AdminAssign'
    roleDefinitionId: 'xxxx'
    scheduleInfo: {
      expiration: {
        duration: 'P365D'
        //endDateTime: 'string'
        type: 'AfterDuration'
      }
      startDateTime: startTime
    }
    /* targetRoleEligibilityScheduleId: 'xxxxx'
    targetRoleEligibilityScheduleInstanceId: 'string'
    ticketInfo: {
      ticketNumber: 'string'
      ticketSystem: 'string'
    }*/
  }
}
```
For the principalId, I have provided the object id of the Azure AD group. For the roleDefinitionId, I have provided the role definition id of the custom role.
However, I am facing the following error while deploying through Azure CLI:

```json
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/xxxx/providers/Microsoft.Resources/deployments/Mscript",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "InvalidRoleAssignmentRequest",
        "message": "The role assignment request id is invalid."
      }
    ]
  }
}
```
Kindly provide a resolution for this issue.
Upvotes: 0
Views: 654
Reputation: 7898
"The role assignment request id is invalid.":
I also received the same error when I tried in my environment, as shown.
I found why the request is failing after working around your issue. As per the naming constraints in Bicep, you must provide the request ID in a proper and unique format, something like `name: guid(resourceGroup().id, principalId, 'abcxx')`.
```bicep
targetScope = 'subscription'

// utcNow() is only permitted as a parameter default value
param startTime string = utcNow()
// full resource id of the custom role definition
param roleDefinitionId string = 'xxxxx'
// object id of the Azure AD group (or user / service principal)
param principalId string = 'xxx'
param subscriptionId string = 'xxxx'

resource pimAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  // the request name must be a unique GUID; guid() derives one deterministically from its inputs
  name: guid(subscription().id, principalId, roleDefinitionId, 'abcxxx')
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: roleDefinitionId
    scheduleInfo: {
      expiration: {
        duration: 'P365D'
        type: 'AfterDuration'
      }
      startDateTime: startTime
    }
  }
}
```
Refer to this document for more information.
Upvotes: 0
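The answer's point generalises: a `roleEligibilityScheduleRequests` resource needs a GUID name, and deriving it with `guid()` from the scope, principal and role makes the deployment idempotent. The template below is an added example (not the asker's or the answerer's code) that also resolves the custom role through an `existing` resource so that `roleDefinitionId` is always a full resource id rather than a bare GUID, and records a justification for audit. The parameter names, the `customRole` symbolic name and the default justification text are assumptions of this example.

```bicep
// Added example: eligible (PIM) assignment of a custom role at subscription scope.
// Parameter values are placeholders supplied at deployment time; nothing here is
// taken from the original post.
targetScope = 'subscription'

@description('Object id of the Azure AD group that should become eligible for the role.')
param principalId string

@description('GUID (the role definition name, not the full resource id) of the custom role.')
param roleDefinitionGuid string

@description('Length of the eligibility window as an ISO 8601 duration.')
param eligibilityDuration string = 'P365D'

@description('Reason recorded on the PIM request; appears in the PIM audit history.')
param justification string = 'Eligible assignment created by Bicep deployment'

// utcNow() may only be used as a parameter default value.
param startTime string = utcNow()

// Resolve the custom role at subscription scope. Using the existing resource's
// .id guarantees roleDefinitionId is the full resource id the API expects, and
// the deployment fails early if the GUID does not match an existing role.
resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: roleDefinitionGuid
}

// Deterministic request name: the same (scope, principal, role) tuple always
// produces the same GUID, so redeploying the template does not create a
// second, duplicate request.
resource pimEligibility 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().id, principalId, customRole.id)
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: customRole.id
    justification: justification
    scheduleInfo: {
      startDateTime: startTime
      expiration: {
        type: 'AfterDuration'
        duration: eligibilityDuration
      }
    }
  }
}

// Outputs make it easy to verify what was actually requested after deployment.
output eligibilityRequestName string = pimEligibility.name
output resolvedRoleDefinitionId string = customRole.id
```

Deploy it at subscription scope, for example with `az deployment sub create --location <region> --template-file pim-eligibility.bicep --parameters principalId=<group-object-id> roleDefinitionGuid=<custom-role-guid>`; the identity running the deployment needs permission to create role assignments at that subscription (Owner or User Access Administrator). Note that the answer's extra `'abcxxx'` argument to `guid()` acts as a salt: changing it between deployments yields a new request name and therefore a new request, whereas keeping the inputs stable, as above, lets you re-run the template safely.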