Tags: azure-active-directory, azure-resource-manager, azure-rbac

How to assign an application role to a managed identity in the ARM template


I have the following scenario:

  • My application registration defines a set of application roles.
  • I dynamically deploy a scale set with a system-assigned managed identity via an ARM template.
  • During the deployment I want to assign that identity to one of the specific application roles defined above.

I update my deployment template with the following resource:

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2017-09-01",
        "name": "<random Guid>",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachineScaleSets/', '<scaleset name>')]"
        ],
        "properties": {
            "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '<app role guid>')]",
            "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', '<scaleset name>'), '2019-07-01', 'Full').Identity.principalId]",
            "scope": "[resourceGroup().id]"
        }
    }

However, the deployment fails with the following exception:

The specified role definition with ID '<app role guid>' does not exist.

My assumption is that the application role definition id is not correctly formatted, but I could not find any examples of this kind of app role assignment in an ARM template.

Is this even possible?


Solution

  • Here is an example of how you would do this: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal

    You will need to add a principalType of ServicePrincipal; this is because, as per the docs, there can easily be a delay when creating a new service principal, so it will fail if you don't do this.

    Edit: I'm sorry, I didn't realize you were trying to do an app role assignment. I don't believe this is currently supported in ARM templates. The RBAC roles that you can assign using roleAssignments are not app roles, e.g. you cannot assign app roles in an ARM template currently, only Azure built-in roles for Azure resources, not for apps or Azure AD roles. For reference: https://github.com/MicrosoftDocs/azure-docs/issues/51914#issuecomment-612867662

    The only way you may be able to work around this and do something like this is probably through a deployment script that runs PowerShell commands in the ARM template, if at all possible.
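The first point of the answer as an added, complete template fragment (my example, not the answerer's or the question's code): the same roleAssignments resource rewritten to reference an Azure built-in RBAC role instead of an app role, with principalType set so the assignment does not race the freshly created service principal, a deterministic guid() name so redeployments are idempotent, and the scope narrowed to the scale set itself rather than the whole resource group. It assumes the scale set is deployed in the same template under the vmssName parameter and uses the well-known id of the built-in Reader role as a stand-in for whatever built-in role the identity actually needs.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmssName": { "type": "string" }
  },
  "variables": {
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('vmssName'))]",
      "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName')), variables('readerRoleId'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('readerRoleId'))]",
        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName')), '2019-07-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Because roleDefinitionId must resolve to an Azure RBAC role definition, substituting the app role GUID from the application registration here reproduces the "role definition does not exist" error from the question; app role assignments live in Azure AD, not in Microsoft.Authorization.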