Tags: azure, powershell, azure-resource-manager, azure-cli

Azure CLI - az role assignment


I'm trying to assign the Databricks access connector to a storage account as the Storage Blob Data Contributor using this script

    function Assign-RBACRoleToAccessConnector {
        param (
            [string] $rgName,
            [string] $acName,
            [string] $saName,
            [string] $subscriptionId
        )

        # Get the object ID of the access connector
        Write-Host "we are here 1"
        $accessConnector = Get-AzDatabricksAccessConnector -ResourceGroupName $rgName -Name $acName
        # $accessConnector = Get-AzDataBricksWorkspace -ResourceGroupName $rgName -Name $acName
        $accessConnector
        Write-Host "we are here 2"
        $accessConnectorObjectId = $accessConnector.Identity.PrincipalId

        Write-Host "Access Connector Object ID: $accessConnectorObjectId"

        # Get the object ID of the storage account
        # $storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName
        # # $storageAccountObjectId = $storageAccount.Identity.PrincipalId

        # Assign RBAC role to the access connector
        az role assignment create --assignee $accessConnectorObjectId --role "Storage Blob Data Contributor" --scope "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName"
    }

But it does not work! I tried to debug by getting the outputs one by one. The first output, of the $accessConnector variable, is successful: I can see the detailed data, including the IdentityPrincipalId. But then the second output, $accessConnectorObjectId, is empty. I can't get it, and therefore it results in an error:

Access Connector Object ID:
ERROR: argument --assignee: expected one argument

How can I fix this?


Solution

  • The issue is caused by a typo in $accessConnector.Identity.PrincipalId. Looking at the Outputs section of the Get-AzDatabricksAccessConnector documentation, we can see that the cmdlet outputs an object implementing the IAccessConnector interface and, if we look at the properties for that interface, we can see that the property name is .IdentityPrincipalId instead of .Identity.PrincipalId (a nested object with property .PrincipalId under .Identity, basically). So you were actually getting null for referencing a member that doesn't exist in your object and, in consequence, that error from the az CLI.

    So, the fix for the issue:

    $accessConnectorObjectId = $accessConnector.IdentityPrincipalId
    

    Aside from that, I'd recommend you use New-AzRoleAssignment here; it would have given you a much better error message that would've helped you debug this problem much faster:

    $newAzRoleAssignmentSplat = @{
        ObjectId           = $accessConnectorObjectId
        RoleDefinitionName = 'Storage Blob Data Contributor'
        Scope              = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName"
    }
    
    New-AzRoleAssignment @newAzRoleAssignmentSplat
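Putting the answer's two points together, here is a hardened version of the asker's function as an added example (it is not code from the question or the answer). It reads the flattened .IdentityPrincipalId property, fails closed when the connector has no identity instead of calling the assignment cmdlet with an empty assignee, checks whether the assignment already exists at the storage-account scope so re-runs are idempotent, and uses New-AzRoleAssignment with -ErrorAction Stop so a failure surfaces as a real exception. The function name Grant-AccessConnectorBlobRole, the $roleName parameter, the retry loop and the sample parameter values in the usage line are assumptions of this example; an existing Az session (Connect-AzAccount) with rights to create role assignments at that scope is assumed too.

```powershell
#Requires -Modules Az.Databricks, Az.Resources
# Added example, not the original poster's or answerer's code.
# Assumes Connect-AzAccount has already been run in this session.

function Grant-AccessConnectorBlobRole {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $rgName,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $acName,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $saName,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $subscriptionId,
        # Hypothetical parameter: lets the caller pick a narrower role, e.g.
        # 'Storage Blob Data Reader', when the connector only needs to read.
        [string] $roleName = 'Storage Blob Data Contributor'
    )

    $accessConnector = Get-AzDatabricksAccessConnector -ResourceGroupName $rgName -Name $acName -ErrorAction Stop

    # The cmdlet returns a flattened IAccessConnector object: the managed
    # identity's object id is .IdentityPrincipalId, not .Identity.PrincipalId.
    $principalId = $accessConnector.IdentityPrincipalId

    # Fail closed: never reach the role-assignment call with an empty assignee;
    # that is what produced the confusing "expected one argument" error.
    if ([string]::IsNullOrWhiteSpace($principalId)) {
        throw "Access connector '$acName' in '$rgName' has no system-assigned identity (IdentityPrincipalId is empty)."
    }

    $scope = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName"

    # Idempotency check. Get-AzRoleAssignment also returns assignments inherited
    # from parent scopes, so filter to an exact scope match.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Verbose "Role '$roleName' is already assigned to $principalId at $scope; nothing to do."
        return $existing
    }

    if ($PSCmdlet.ShouldProcess($scope, "Assign '$roleName' to principal $principalId")) {
        $newAzRoleAssignmentSplat = @{
            ObjectId           = $principalId
            RoleDefinitionName = $roleName
            Scope              = $scope
            ErrorAction        = 'Stop'
        }

        # A freshly created managed identity can take a moment to replicate, so
        # retry a few times before giving up (assumed retry policy of this example).
        $attempt = 0
        do {
            $attempt++
            try {
                return New-AzRoleAssignment @newAzRoleAssignmentSplat
            }
            catch {
                if ($attempt -ge 5) { throw }
                Write-Warning "Attempt $attempt failed ($($_.Exception.Message)); retrying in 10 seconds."
                Start-Sleep -Seconds 10
            }
        } while ($true)
    }
}

# Usage with constructed sample values (-WhatIf shows the intended assignment without creating it):
# Grant-AccessConnectorBlobRole -rgName 'rg-data' -acName 'dbx-connector' -saName 'stdata001' `
#     -subscriptionId '00000000-0000-0000-0000-000000000000' -Verbose -WhatIf
```

Scoping the assignment to the single storage account, as both the question and the answer do, is the least-privilege choice; the exact-scope filter in the idempotency check keeps a broader inherited assignment (for example at resource-group level) from being mistaken for the one this function is meant to create.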