azure, azure-bicep

Azure Bicep - Role Assignment in a different subscription


I'm trying to assign a managed identity to a Resource Group in a separate subscription in the same tenant. I can achieve this via the Azure portal. My Main.bicep looks something like this:

targetScope = 'subscription'

// MyManagedIdentity is a module (not shown here) that outputs the identity's principalId
module rgRoleAssignment 'modules/MyModule.bicep' = {
  scope: resourceGroup('anotherSubscriptionId', 'myResourceGroupName')
  name: 'qwerty123'
  params: {
    principalId: MyManagedIdentity.outputs.principalId
    roleDefinitionIds: ['7f951dda-4ed3-4680-a7ca-43fe172d538d'] // AcrPull
  }
}

MyModule.bicep:

targetScope = 'resourceGroup'

param roleDefinitionIds array
param roleAssignmentDescription string = ''
param principalId string 

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: {
  // name is seeded only by the role and the resource group scope
  name: guid(roleDefinitionId, resourceGroup().id)
  scope: resourceGroup()
  properties: {
    description: roleAssignmentDescription
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalType: 'ServicePrincipal'
  }
}]

This returns the dreaded "Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code: RoleAssignmentUpdateNotPermitted)" error, which usually means there are orphaned role assignments around the place, but I can't see any. What am I missing?


Solution

  • "Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code: RoleAssignmentUpdateNotPermitted)" error:

    The cause of this error is a name conflict in most cases. Change the name of your role assignment, which is nothing but a GUID, to a value that has not been used to deploy a role assignment before.

    Refer to the blog by @Jason Masten and the GitHub issue for the relevant information.

    Verify the scope of uniqueness of your resource names. Use appropriate seed values for the uniqueString() function to ensure that you can reuse the Bicep file across Azure resource groups and subscriptions, as described in the MS Doc.

    After checking the above, I tried deploying it in my environment with the above-mentioned changes and was able to deploy successfully, as shown.

    Module.bicep:

    targetScope = 'subscription'

    // Assumed for illustration: the user-assigned identity already exists in a
    // resource group of the deploying subscription; replace the placeholders.
    param identityName string = '<identity-name>'
    param identityResourceGroup string = '<identity-resource-group>'

    resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
      name: identityName
      scope: resourceGroup(identityResourceGroup)
    }

    module rgRoleAssignment 'Identity.bicep' = {
      scope: resourceGroup('subscription_ID', 'resourceGroup')
      name: 'qwerty123'
      params: {
        principalId: userIdentity.properties.principalId
        roleDefinitionIds: ['7f951dda-4ed3-4680-a7ca-43fe172d538d'] // AcrPull
      }
    }
    

    Identity.bicep:

    targetScope = 'resourceGroup'
    param roleDefinitionIds array
    param roleAssignmentDescription string = ''
    param principalId string

    resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: {
      // seed the name with scope, principal and role so each principal/role pair gets its own GUID
      name: guid(resourceGroup().id, principalId, roleDefinitionId)
      scope: resourceGroup()
      properties: {
        description: roleAssignmentDescription
        principalId: principalId
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
        principalType: 'ServicePrincipal'
      }
    }]
    

    Deployment succeeded.


    You can also refer to the SO answer by @Richard for a similar issue.
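To make the name-conflict explanation concrete, here is an added Python model (not code from the question, the answer, or any Azure tool) of how ARM reacts to a PUT on a role assignment name: the name is new (create), the name exists with identical properties (idempotent no-op), or the name exists with a different principal, role or scope (RoleAssignmentUpdateNotPermitted). The `bicep_like_guid` helper is a stand-in for Bicep's `guid()` built on `uuid.uuid5`; it is deterministic like the real function but is not the ARM algorithm. The subscription id, principal ids and namespace UUID are constructed placeholders; the AcrPull role id is the one from the page.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Stand-in for Bicep's guid(): deterministic for the same seeds, different
# for different seeds. NOT the ARM implementation (different namespace/hash).
_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-00000000b1c3")  # constructed placeholder


def bicep_like_guid(*seeds: str) -> str:
    return str(uuid.uuid5(_NAMESPACE, "-".join(seeds)))


@dataclass(frozen=True)
class RoleAssignment:
    name: str              # the GUID used as the resource name
    scope: str             # e.g. a resource group id
    principal_id: str
    role_definition_id: str


def check_deployment(existing: Dict[str, RoleAssignment], planned: RoleAssignment) -> str:
    """Classify a PUT of `planned` against assignments already present under that name.

    An identical PUT is idempotent; any change to principal/role/scope on an
    existing name is rejected, which is the error from the question. An orphaned
    assignment (principal deleted, entry still present) fails the same way.
    """
    current = existing.get(planned.name)
    if current is None:
        return "create"
    if current == planned:
        return "no-op"
    return "RoleAssignmentUpdateNotPermitted"


# Question's seed: guid(roleDefinitionId, resourceGroup().id) -- principal not included.
def question_seed(scope: str, principal_id: str, role_def_id: str) -> str:
    return bicep_like_guid(role_def_id, scope)


# Answer's seed: guid(resourceGroup().id, principalId, roleDefinitionId).
def answer_seed(scope: str, principal_id: str, role_def_id: str) -> str:
    return bicep_like_guid(scope, principal_id, role_def_id)


def simulate(seed_fn: Callable[[str, str, str], str],
             deployments: List[Tuple[str, str, str]]) -> List[str]:
    """Apply deployments in order, return the outcome of each PUT."""
    existing: Dict[str, RoleAssignment] = {}
    outcomes = []
    for principal_id, role_def_id, scope in deployments:
        planned = RoleAssignment(seed_fn(scope, principal_id, role_def_id),
                                 scope, principal_id, role_def_id)
        outcome = check_deployment(existing, planned)
        if outcome == "create":
            existing[planned.name] = planned
        outcomes.append(outcome)
    return outcomes


# Constructed sample input.
ACR_PULL = "7f951dda-4ed3-4680-a7ca-43fe172d538d"  # AcrPull role id from the page
RG_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/myResourceGroupName")            # placeholder subscription
IDENTITY_A = "11111111-1111-1111-1111-111111111111"           # placeholder principalId
IDENTITY_B = "22222222-2222-2222-2222-222222222222"           # placeholder principalId

DEPLOYMENTS = [
    (IDENTITY_A, ACR_PULL, RG_SCOPE),  # first deployment
    (IDENTITY_A, ACR_PULL, RG_SCOPE),  # redeploy of the same template
    (IDENTITY_B, ACR_PULL, RG_SCOPE),  # a second identity, same role, same resource group
]

if __name__ == "__main__":
    print("question seed:", simulate(question_seed, DEPLOYMENTS))
    print("answer seed:  ", simulate(answer_seed, DEPLOYMENTS))
```

With the question's seed the third deployment reuses the GUID of the first one while carrying a different principalId, so it is rejected; with the answer's seed every (scope, principal, role) triple gets its own name and the redeploy of an unchanged template stays a no-op. When auditing a real subscription, the same three-way classification applies to the assignments listed at the scope, including entries whose principal no longer exists.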