
Assign Azure roles using Azure Resource Manager templates


Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. In addition to using Azure PowerShell or the Azure CLI, you can assign roles using Azure Resource Manager templates. Templates can be helpful if you need to deploy resources consistently and repeatedly. This article describes how to assign roles using templates.

Bicep is a new language for defining your Azure resources. It has a simpler authoring experience than JSON, along with other features that help improve the quality of your infrastructure as code. We recommend that anyone new to infrastructure as code on Azure use Bicep instead of JSON.

To learn about how to define role assignments by using Bicep, see Create Azure RBAC resources by using Bicep. For a quickstart example, see Quickstart: Assign an Azure role using Bicep.

Prerequisites

To assign Azure roles, you must have:

  • Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator

You must use the following API versions for the role assignment resource:

  • 2018-09-01-preview or later to assign an Azure role to a new service principal
  • 2020-04-01-preview or later to assign an Azure role at resource scope
  • 2022-04-01 is the first stable version

For more information, see API versions of Azure RBAC REST APIs.

Get object IDs

To assign a role, you need to specify the ID of the user, group, or application you want to assign the role to. The ID has the format 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal, Azure PowerShell, or Azure CLI.

To get the ID of a user, you can use the Get-AzADUser or az ad user show commands.

To get the ID of a group, you can use the Get-AzADGroup or az ad group show commands.

Managed identities

To get the ID of a managed identity, you can use the Get-AzADServicePrincipal or az ad sp commands.

Application

To get the ID of a service principal (identity used by an application), you can use the Get-AzADServicePrincipal or az ad sp list commands. For a service principal, use the object ID and not the application ID.

Assign an Azure role

In Azure RBAC, to grant access, you assign a role.

Resource group scope (without parameters)

The following template shows a basic way to assign a role. Some values are specified within the template. The following template demonstrates:

  • How to assign the Reader role to a user, group, or application at a resource group scope

To use the template, you must do the following:

  • Create a new JSON file and copy the template
  • Replace <your-principal-id> with the ID of a user, group, managed identity, or application to assign the role to

Here are example New-AzResourceGroupDeployment and az deployment group create commands for how to start the deployment in a resource group named ExampleGroup.

The following shows an example of the Reader role assignment to a user for a resource group after deploying the template.

Role assignment at resource group scope

Resource group or subscription scope

The previous template isn't very flexible. The following template uses parameters and can be used at different scopes. The following template demonstrates:

  • How to assign a role to a user, group, or application at either a resource group or subscription scope
  • How to specify the Owner, Contributor, and Reader roles as a parameter

To use the template, you must specify the following inputs:

  • The ID of a user, group, managed identity, or application to assign the role to
  • A unique ID that will be used for the role assignment, or you can use the default ID

This template is not idempotent unless the same roleNameGuid value is provided as a parameter for each deployment of the template. If no roleNameGuid is provided, by default a new GUID is generated on each deployment and subsequent deployments will fail with a Conflict: RoleAssignmentExists error.

The scope of the role assignment is determined from the level of the deployment. Here are example New-AzResourceGroupDeployment and az deployment group create commands for how to start the deployment at a resource group scope.

Here are example New-AzDeployment and az deployment sub create commands for how to start the deployment at a subscription scope and specify the location.

Resource scope

If you need to assign a role at the level of a resource, set the scope property on the role assignment to the name of the resource.

The following template demonstrates:

  • How to create a new storage account
  • How to assign a role to a user, group, or application at the storage account scope

To deploy the previous template, you use the resource group commands. Here are example New-AzResourceGroupDeployment and az deployment group create commands for how to start the deployment at a resource scope.

The following shows an example of the Contributor role assignment to a user for a storage account after deploying the template.

Role assignment at resource scope

New service principal

If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you create a new managed identity and then try to assign a role to that service principal in the same Azure Resource Manager template, the role assignment might fail. The reason for this failure is likely a replication delay. The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet.

To address this scenario, you should set the principalType property to ServicePrincipal when creating the role assignment. You must also set the apiVersion of the role assignment to 2018-09-01-preview or later. 2022-04-01 is the first stable version.

The following template demonstrates:

  • How to create a new managed identity service principal
  • How to specify the principalType
  • How to assign the Contributor role to that service principal at a resource group scope

To use the template, you must specify the following input:

  • The base name of the managed identity, or you can use the default string

Here are example New-AzResourceGroupDeployment and az deployment group create commands for how to start the deployment at a resource group scope.

The following shows an example of the Contributor role assignment to a new managed identity service principal after deploying the template.

Role assignment for a new managed identity service principal
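An added example, not the article's template, of the new-service-principal case just described: it creates a user-assigned managed identity and, in the same deployment, assigns it Contributor at resource group scope with principalType set to ServicePrincipal so the assignment does not fail while the new principal is still replicating. The baseName parameter, the id- prefix and the variable names are assumptions of this example; the Contributor role ID is the built-in constant.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "baseName": {
      "type": "string",
      // Constructed default, as the article's template allows
      "defaultValue": "[uniqueString(resourceGroup().id)]",
      "metadata": { "description": "Base name for the new managed identity." }
    }
  },
  "variables": {
    "identityName": "[concat('id-', parameters('baseName'))]",
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]",
    // GUID of the built-in Contributor role
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    // reference() is not allowed in a resource name, so the name is keyed on the
    // identity's resource ID instead of its (not yet known) principal ID. It is still
    // stable across redeployments to the same resource group.
    "roleAssignmentName": "[guid(resourceGroup().id, variables('identityId'), variables('contributorRoleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2023-01-31",
      "name": "[variables('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      // 2018-09-01-preview or later is required for principalType; 2022-04-01 is the first stable version
      "apiVersion": "2022-04-01",
      "name": "[variables('roleAssignmentName')]",
      // The identity must exist before its principal ID can be read
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('contributorRoleId'))]",
        // Object ID of the new service principal, read from the deployed identity
        "principalId": "[reference(variables('identityId'), '2023-01-31').principalId]",
        // Tells Resource Manager not to wait for a directory lookup that a not-yet-replicated
        // principal would fail; without it the deployment can fail with PrincipalNotFound
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "identityPrincipalId": {
      "type": "string",
      "value": "[reference(variables('identityId'), '2023-01-31').principalId]"
    },
    "identityClientId": {
      "type": "string",
      "value": "[reference(variables('identityId'), '2023-01-31').clientId]"
    }
  }
}
```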

  • Quickstart: Create and deploy ARM templates by using the Azure portal
  • Understand the structure and syntax of ARM templates
  • Create resource groups and resources at the subscription level
  • Azure Quickstart Templates


Azure RBAC: role assignments and ARM templates

John Reilly

This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure".

If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find yourself in a situation where you're deploying multiple types of resource to make your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage.

One of the hardest things when it comes to deploying software and having it work is permissions. Without adequate permissions configured, the most beautiful code can do nothing. Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:

Spider-man saying with great power, comes great responsibility

Azure has great power and suggests you use it wisely:

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

This is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?

Role (up for your) assignments

The answer is roles. There's a number of roles that exist in Azure that can be assigned to users, groups, service principals and managed identities. In our own case we're using managed identity for our resources. What we can do is use "role assignments" to give our managed identity access to given resources. Arturo Lucatero gives a great short explanation of this:

Whilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved. Because now it's time to talk "magic" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service which uses this identity) access to Key Vault and Storage:

Let's take a look at these three variables:

The three variables above contain the subscription resource IDs for the roles Storage Blob Data Contributor, Key Vault Secrets Officer and Key Vault Crypto Officer. The first question on your mind is likely: "what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?" Great question! Well, each of these GUIDs represents a built-in role in Azure RBAC. The ba92f5b4-2d11-453d-a403-e96b0029c9fe represents the Storage Blob Data Contributor role.

How can I look these up? Well, there's two ways; there's an article which documents them here or you could crack open the Cloud Shell and look up a role by GUID like so:

Or by name like so:

As you can see, the Actions section of the output above (and in even more detail on the linked article) provides information about what the different roles can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify a role that you might want to use.

Creating a role assignment

So now we understand how you identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. For each role assignment, you'll need a roleAssignments resource defined that looks like this:

Let's go through the above, significant property by significant property (it's also worth checking the official reference here):

  • type - the type of role assignment we want to create; for a key vault it's "Microsoft.KeyVault/vaults/providers/roleAssignments", for storage it's "Microsoft.Storage/storageAccounts/providers/roleAssignments". The pattern is that it's the resource type, followed by "/providers/roleAssignments".
  • dependsOn - before we can create a role assignment, we need the service principal we want to permission (in our case a managed identity) to exist
  • properties.roleDefinitionId - the role that we're assigning, provided as an id. So for this example it's the keyVaultCryptoOfficer variable, which was earlier defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]. (Note the use of the GUID)
  • properties.principalId - the id of the principal we're adding permissions for. In our case this is a managed identity (a type of service principal).
  • properties.scope - we're modifying another resource; our key vault isn't defined in this ARM template and we want to specify the resource we're granting permissions to.
  • properties.principalType - the type of principal that we're creating an assignment for; in our case this is "ServicePrincipal" - our managed identity.

There is an alternate approach that you can use where the type is "Microsoft.Authorization/roleAssignments". Whilst this also works, it displayed errors in the Azure tooling for VS Code. As such, we've opted not to use that approach in our ARM templates.

Many thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.


Defining RBAC Role Assignments in ARM Templates

It's no secret I'm a big fan of Azure Resource Manager (ARM) templates. Getting started with ARM templates is hard, but well worth the effort, and they make it significantly easier to have reproducible, consistent deployments of your Azure resources.

One thing I had felt was missing, however, was being able to assign permissions to Azure resources during creation. Azure's Role-based Access Control (RBAC) mechanism is a powerful way to control who can manage and access your resources, and doing this through scripting was possible, but cumbersome at times.

A few days ago, I realized that you can actually create RBAC role assignments through ARM templates just like any other resource. This capability is not new by any means, I just had missed it before!

Creating an assignment

To create an assignment, you need the following information:

  • The ID of the role you want to assign. This is a long string that contains the subscription id and the role identifier (both GUIDs).
  • The object ID of the user/group/service principal you want to grant access to.
  • The scope at which you want to assign the role, which is going to be either a subscription, resource group, or resource id.

Here’s an example of creating such an assignment:

Here we grant the members of an Azure Active Directory group the Monitoring Contributor built-in role to the resource group the template is deployed to.

Also interesting here is that you don’t need to specify a location property in the resource.

Some gotchas

There are a couple of things to watch out for when doing this.

The first one is that to assign a role, you need the objectId of the AAD user/group/principal, rather than the name. This is cumbersome because there’s no way to resolve these within the ARM template itself, so you’ll always need to pass these as input parameters.

A more significant issue, however, is the name of the roleAssignment resource, which needs to be a unique GUID.

This is a problem if, for example, you’re assigning role permissions at the resource group or individual resource level, rather than globally at the subscription.

For example, in my case I was creating a template that would be used to deploy multiple copies of the same resources into different resource groups within the same subscription.

If the GUID that defines the role assignment name is hardcoded in the template, then each time I ran the template, the scope of the role assignment would get overwritten with the id of the last resource group it was deployed to. Clearly, this is undesirable.

What we need then, is a way to ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time, ensure that the same one is used when deploying to the same resource group.

Clearly, providing the assignment GUID as a parameter is an easy workaround, but very cumbersome.

A better workaround comes from the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniqueString function; only this one generates a string in GUID format instead.

By using the guid function with the resource group id and some other consistent stuff as input, we can solve our problem in an elegant way:
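This added example (not from either article) puts the two defaults side by side for the roleNameGuid parameter that the Azure docs section above warns about and the guid function described here: the newGuid() default that breaks repeat deployments, and a guid() default keyed on the resource group, principal and role. It is a resource-group-scope template; the parameter names and the Owner/Contributor/Reader map are my own, with the built-in role definition IDs as constants, and the // comments are accepted by Resource Manager.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "Object ID of the user, group or service principal to assign the role to." }
    },
    "principalType": {
      "type": "string",
      "defaultValue": "User",
      "allowedValues": [ "User", "Group", "ServicePrincipal" ]
    },
    "builtInRoleType": {
      "type": "string",
      "defaultValue": "Reader",
      "allowedValues": [ "Owner", "Contributor", "Reader" ]
    },
    // Weak default (not idempotent): newGuid() yields a fresh value on every deployment,
    // so the second run tries to create a second assignment, with a new name, for the
    // same principal, role and scope and fails with Conflict: RoleAssignmentExists.
    //
    //   "roleNameGuid": { "type": "string", "defaultValue": "[newGuid()]" }
    //
    // Corrected default: derive the name from exactly what makes the assignment unique.
    // Same resource group + principal + role -> the same GUID on every run (the
    // existing assignment is updated in place); a different resource group -> a
    // different GUID, so one template deployed to many groups never overwrites itself.
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[guid(resourceGroup().id, parameters('principalId'), parameters('builtInRoleType'))]"
    }
  },
  "variables": {
    // GUIDs of the built-in roles
    "roleDefinitionIds": {
      "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
    },
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitionIds')[parameters('builtInRoleType')])]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      // No scope property: the assignment lands at the deployment's own scope, the resource group
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "[parameters('principalType')]"
      }
    }
  ],
  "outputs": {
    "roleAssignmentName": {
      "type": "string",
      "value": "[parameters('roleNameGuid')]"
    }
  }
}
```

Passing an explicit roleNameGuid still works and overrides the computed default, which is what you want when importing an assignment that was created by hand under a different name.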


Tomas Restrepo

Software developer located in Colombia.


Vincent-Philippe Lauzon's

RBAC and role assignment using ARM templates

Roles

Azure supports Role Based Access Control (RBAC) as an access control paradigm. It allows you to map a user (or a group of users) to a role within a given scope (resource, resource group, subscription or management group).

For instance, we could map my user identity to a Virtual Machine Contributor in the scope of a resource group.

A role is itself an aggregation of actions.

It is quite easy to do role assignment using the Azure Portal. I find the online documentation about role assignment using ARM templates lacking. It only covers assignment to resource groups and doesn't show how to find roles.

So let’s do that here.

Artefacts are in GitHub. They can easily be deployed with this button:

Deploy to Azure

This deploys an empty Logic App and assigns an identity a role on the resource group and on the logic app itself. The reason we deploy a Logic App is because it is very fast to deploy and, being serverless, it doesn't incur any cost.

We will need two parameters: a role and an identity.

Finding a role

First, we need to find a role to assign.

Here we will use the Azure Command Line Interface (CLI). The same thing could be done in PowerShell using the Get-AzureRmRoleDefinition command.

We can type

This gives a list of all the roles available. It's a little hard to read since the output is large. We can narrow it down by using the JMESPath standard:

This should give us an output similar to:

In our case, we would be interested in

which returns us:

Let's keep the name of the role, i.e. the GUID. We choose the Logic App Contributor.

Finding an identity

Next we need an identity to assign that role.

There are three types of identity that make sense here: user, group and service principal.

Finding a user

We can list the users in Azure AD with

For large directories, this would return a lot of data. We can filter by display name prefix. The display name is something like John Smith as opposed to jsmith .

We need to find the user we're interested in and the corresponding ObjectId, which is a GUID.

Finding a group

Similarly, we can find a group starting with admins with

Finding a Service Principal

Similarly for Service principals starting with my

It is important to take the ObjectId and not the AppId. Those two have different values.

Assignment to a resource group

We now have the two parameters we needed to feed the ARM template we proposed at the beginning of this article.

If we run the template, we should have a resource group looking like this:

Deployed Resource Group

We can select the EmptyLogicApp resource. We can then select the Access control (IAM) menu on the left-hand side menu:

Role assignments

Let's focus on the Logic App Contributor section. This is the role we chose.

We have two assignments of the same role under two scopes:

  • The first one is the resource itself
  • The second one is inherited from the resource group

There is a quickstart template doing a resource group role assignment.

Basically, a role assignment is modelled as an Azure resource. This is akin to relational databases, where many-to-many relationships are modelled as an entry in a relation table.

Here is the resource in our template:

A few observations:

  • The type is Microsoft.Authorization/roleAssignments; this is a constant type for resource groups
  • The name of the resource needs to be a unique GUID; we use the guid ARM template function, but we could have simply passed a generated GUID
  • We use the role definition id we picked up earlier
  • We use the principal id we picked up earlier
  • The scope is the resource group and for that we need to pass the resource group id

Assignment to a specific resource

Although only the scope is different, the solution isn’t so similar. Let’s look at our template again:

Again a few observations:

  • The type is Microsoft.Logic/workflows/providers/roleAssignments; the type is different depending on the related resource, here a Logic App
  • The name of the resource is defined in a variable as [concat(variables('Logic App Name'), '/Microsoft.Authorization/', guid(concat(resourceGroup().id), variables('Full Role Definition ID')))]; here it isn't just a random GUID, it is a meaningful name as it refers to both the Logic App name and the Role Definition id
  • Both role definition id & principal id are used as for the resource group

The resource content is different from a resource group assignment. It is quite predictable though and easy to replicate.
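The nested <resource type>/providers/roleAssignments pattern that both John Reilly's post (Key Vault and Storage) and this post (Logic App) describe, as an added example that is not either author's template: it grants an existing managed identity Key Vault Secrets Officer on an existing key vault and Storage Blob Data Contributor on an existing storage account, with the name built as <resource name>/Microsoft.Authorization/<guid>. The resource names and the principal's object ID arrive as parameters (so no dependsOn is needed); the Key Vault Secrets Officer role ID is the built-in constant and should be checked against the built-in roles reference before use.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "type": "string" },
    "storageAccountName": { "type": "string" },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Object ID of the managed identity (a service principal), not its client/app ID."
      }
    }
  },
  "variables": {
    // Role definition resource IDs, built from the built-in role GUIDs
    "storageBlobDataContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "keyVaultSecretsOfficer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
    // Resource IDs of the existing targets (neither is defined in this template)
    "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      // Nested type: <resource type>/providers/roleAssignments, so the assignment is
      // scoped to the vault without a separate scope property on the resource
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      // <vault name>/Microsoft.Authorization/<guid>; the guid is keyed on target,
      // principal and role, so a redeployment reuses the same assignment
      "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultId'), parameters('principalId'), variables('keyVaultSecretsOfficer')))]",
      "properties": {
        "roleDefinitionId": "[variables('keyVaultSecretsOfficer')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('keyVaultId')]"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(variables('storageId'), parameters('principalId'), variables('storageBlobDataContributor')))]",
      "properties": {
        // Data-plane role only: the identity can read and write blobs but cannot
        // change the account itself, which is the least-privilege choice for an app
        "roleDefinitionId": "[variables('storageBlobDataContributor')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('storageId')]"
      }
    }
  ],
  "outputs": {
    "keyVaultAssignmentScope": { "type": "string", "value": "[variables('keyVaultId')]" },
    "storageAssignmentScope": { "type": "string", "value": "[variables('storageId')]" }
  }
}
```

The same two resources can be written with type Microsoft.Authorization/roleAssignments and a top-level scope property of the form Microsoft.KeyVault/vaults/<name>, which is the form the Azure docs section above uses; the nested form here is the one both posts chose.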

We’ve seen how to assign a role to both a resource group and a single resource.

This is useful as we can setup RBAC permissions straight from an ARM template.


9 thoughts on "RBAC and role assignment using ARM templates"

Thank you for this, I had been looking last week for how to apply RBAC to a specific resource; the documentation is a bit unclear that you have to assign the authorisation on the resource, rather than define the scope on the authorisation.

I know. It doesn't get reverse-engineered well either. It's a bit cryptic.

  • Pingback: Azure Weekly: August 20, 2018 – Build Azure
  • Pingback: Deploying AKS with ARM Template – Network integration – Vincent-Philippe Lauzon's

So in the case of resource specific role assignment the target resource gets parsed from the specially formatted name property?

Any idea if/how it’s possible to add a new role assignment to an existing resource? For example if I want to add a role assignment to a service bus namespace that already exists and is in a different resource group.

ARM Template can always be used on existing resources. They can be used to create and update. In your case though, you want to create a new resource, i.e. a role assignment. It’s just that that resource is related to an existing resource.

So yes, definitely possible. I never tried to have a resource in a resource group and an assignment in a different group. It might or might not be supported.

What you can do though is to deploy something in that group. ARM Template now supports deploying resources in a different resource group (see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-cross-resource-group-deployment ).

  • Pingback: Service Principal for Logic App Connector – Vincent-Philippe Lauzon's

Hi Vincent, thanks for your blog, without you I don't think I would have been able to do it!

Excellent. Glad it helped someone!


Role Assignment with different name wasn't detected #322


Camios commented Jun 23, 2023


DevOps Practices and IT Operations

Role Assignment Exists or Role Assignment Update Not Permitted

Azure role-based access control (Azure RBAC) is the authorization system you use to manage and grant access to Azure resources. You can use Azure Resource Manager templates (JSON or Bicep) to automate the role assignments; for example, assign a user, group or service principal the 'Contributor' or 'Reader' role. You might encounter the following issue when you are trying to make the deployment repeatable:

When defining the template for deployment, the guid value is used for the resource name (example shown below). The template is not idempotent unless the same role name guid is provided. In this case, we just need to obtain a guid value and then assign it as the template resource name, and the issue will be resolved.

Obtain a new GUID value by running the following command in a PowerShell window:


Copy/paste the GUID value to the template (my example uses Bicep template below):


Note: this particular GUID value is only used for this particular role assignment, if you want to have another role assignment, then a new GUID value needs to be created.

That is all: once you assign the static GUID value, you can repeat the deployment as many times as you would like and the issue won't appear again.

Reference: Assign Azure roles using Azure Resource Manager templates
