Tags: azure, azure-blob-storage, azure-resource-manager, azure-bicep

Add RBAC role on a Azure blob storage container with Bicep


I'm deploying an Azure Data Lake Gen2 storage account with Bicep. I want to assign roles (groups) on containers with Bicep (see code below), but I keep getting an error. Can someone help me?


targetScope = 'resourceGroup'

param location string = resourceGroup().location
param storageAccountName string

// Data Lake Gen2 account (hierarchical namespace enabled)
resource stg 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    isHnsEnabled: true
  }
}

resource bs 'Microsoft.Storage/storageAccounts/blobServices@2021-08-01' = {
  name: 'default'
  parent: stg
}

resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-08-01' = {
  name: 'help'
  parent: bs
}

// Role assignment scoped to the single container
resource rbac 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(container.id, 'xxx')
  scope: container
  properties: {
    principalId: 'xxx'
    principalType: 'Group'
    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
  }
}

Error:

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
      {
        "code": "BadRequest",
        "message": "{\"error\": {\"code\": \"BadRequestFormat\", \"message\": \"The request was incorrectly formatted.\"}}"
      }
    ]
  }
}

According to the documentation you should add a condition, but this also doesn't work:

condition: '@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \'help\''

Solution

  • The roleDefinitionId property is the resource identifier of the role. It is also a subscription-level resource, so you would define it in the Bicep file like this:

    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
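
Putting the answer's fix into a complete template, as an added example (this is not the asker's or the answerer's code): the role-definition GUID is turned into a full resource ID with subscriptionResourceId(), the assignment is scoped to the single container, and the assignment name is derived from scope, principal and role so a second role on the same container does not collide with it. The parameter names, the API versions and the two hardening properties on the storage account are my assumptions; the role GUID is the one from the question, the built-in Storage Blob Data Reader role.

```bicep
// Added example, not the code from the question or the answer.
// Assumed: parameter names below; a group object ID is supplied at deploy time.
targetScope = 'resourceGroup'

@description('Storage account name (3-24 lowercase letters and digits).')
param storageAccountName string

@description('Object ID of the Azure AD group that may read blobs in the container.')
param readerGroupObjectId string

@description('Container the group is granted access to.')
param containerName string = 'help'

param location string = resourceGroup().location

// Built-in role "Storage Blob Data Reader". Only the GUID is fixed; the
// roleDefinitionId property expects the full resource ID, so it is built
// with subscriptionResourceId() exactly as the answer describes.
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var storageBlobDataReaderRoleDefinitionId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  storageBlobDataReaderRoleId
)

resource stg 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    isHnsEnabled: true           // Data Lake Gen2 (hierarchical namespace)
    allowBlobPublicAccess: false // data is reachable only through identities holding a role
    minimumTlsVersion: 'TLS1_2'
  }
}

resource bs 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
  name: 'default'
  parent: stg
}

resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01' = {
  name: containerName
  parent: bs
}

// Scoped to the container: the group can read this container and nothing else
// in the account. No ABAC condition is needed, the scope already limits it.
// The name must be a GUID that is stable across redeployments and unique per
// (scope, principal, role); deriving it from all three avoids a collision
// when another role is later assigned on the same container.
resource containerReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(container.id, readerGroupObjectId, storageBlobDataReaderRoleDefinitionId)
  scope: container
  properties: {
    principalId: readerGroupObjectId
    principalType: 'Group' // avoids a PrincipalNotFound failure for freshly created groups
    roleDefinitionId: storageBlobDataReaderRoleDefinitionId
  }
}

output roleAssignmentScope string = container.id
```

Deploy with `az deployment group create -g <resource-group> -f main.bicep -p storageAccountName=<name> readerGroupObjectId=<group-object-id>`, then confirm the assignment landed on the container and not on the account with `az role assignment list --scope "<value of roleAssignmentScope>"`. If you do keep an ABAC `condition` on the assignment (for example to narrow an account-level assignment to one container), the same resource also needs `conditionVersion: '2.0'`, and the condition string itself is no substitute for the full roleDefinitionId.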