Setting Rbac Role on Azure Storage account Container #4143
-
I have been struggling with getting an RBAC role applied to a container in a storage account. For some reason I can't figure it out. Here is the Bicep file that is my last attempt, and I am still not getting something right. Hopefully someone can point me in the right direction.

```bicep
resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = {
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
```

This was my first attempt at applying the RBAC role to the container. The RBAC role applies to the storage account, not the container.

```bicep
resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = {
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
resource roleDef 'Microsoft.Authorization/roleDefinitions@2021-04-01-preview' existing = {
```
Replies: 4 comments 3 replies
-
It looks like you have a space in your DefinitionID?

```bicep
param DefinitionID string = ' b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
```

It would be helpful to include any errors that you are seeing within your request as well.
-
Not sure this is quite what you need, but I thought I'd share it in case it is helpful: https://blog.johnnyreilly.com/2021/02/08/arm-templates-security-role-assignments
-
The RBAC role is being set on the storage account itself, where I would like the RBAC role to be applied only to the container in the storage account.
Patti
From: Ben Wilkinson
Sent: Tuesday, August 24, 2021 4:24 PM
To: Azure/bicep
Cc: Santacroce, Patti; Author
Subject: Re: [Azure/bicep] Setting Rbac Role on Azure Storage account Container (#4143)
Can confirm the following deploys correctly for me.

```bicep
param storageAccountName string = 'stxsbx01'
param containerName string = 'builds'
param location string = resourceGroup().location
param principalId string = 'xxxxxxxxxxxxxxxxxxxxx'
param DefinitionID string = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

var roleassignmentName = guid(principalId, roleDef.id)

// GitHub's e-mail redaction replaced the 'type@apiVersion' strings with ***@***.***;
// the resource types below are restored from the original post, which used these API versions.
resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
  name: storageAccountName
}

resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' existing = {
  name: '${sa.name}/default/${containerName}'
}

resource roleDef 'Microsoft.Authorization/roleDefinitions@2021-04-01-preview' existing = {
  name: DefinitionID
}

// The roleAssignments API version was lost to the redaction; 2020-04-01-preview is a valid version for this type.
resource Assignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: roleassignmentName
  scope: container
  properties: {
    principalId: principalId
    roleDefinitionId: roleDef.id
  }
}
```
-
Hi Ben,
It's working now. Thanks for your quick response.
Patti
From: Ben Wilkinson
Sent: Tuesday, August 24, 2021 4:41 PM
To: Azure/bicep
Cc: Santacroce, Patti; Author
Subject: Re: [Azure/bicep] Setting Rbac Role on Azure Storage account Container (#4143)
It looks good to me; you may have a duplicate assignment on the storage account. However, you can also view the assignment directly on the container, as shown below.
My container is 'Builds' so I will just filter with that.

```powershell
Get-AzRoleAssignment | where scope -match 'builds'
```

```text
RoleAssignmentId   : /subscriptions/<sub>/resourcegroups/<RG>/providers/Microsoft.Storage/storageAccounts/<saname>/blobServices/default/containers/builds/providers/Microsoft.Authorization/roleAssignments/8a52d246-66f9-595c-a98a-45f7b24c2769
Scope              : /subscriptions/<sub>/resourcegroups/<RG>/providers/Microsoft.Storage/storageAccounts/<saname>/blobServices/default/containers/builds
RoleDefinitionName : Storage Blob Data Owner
RoleDefinitionId   : b7e6dc6d-f1e8-4753-8033-0f276bb0955b
```
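A complete container-scoped assignment, as an added example that is not code from this thread or from the Bicep project. It builds on Ben's working template and on his remark that a duplicate assignment may still exist at the storage-account level: the template creates the storage account and container itself via the `parent` property, scopes the assignment to the container only, derives the assignment name from the container id, principal and role so that redeploying is idempotent and the name differs from any account-scoped assignment of the same principal and role (an existing assignment with the same name at a different scope cannot be updated in place), and sets `principalType` so a freshly created service principal can be assigned before directory replication catches up. The parameter names, the `principalType` parameter, the API version strings, the `subscriptionResourceId()` lookup and the storage hardening settings are assumptions of this example; the role GUID is the Storage Blob Data Owner id from the thread, and a narrower built-in data role is the better choice when the principal only needs to read or write blobs.

```bicep
// Added example (not from the thread): least-privilege role assignment scoped to one container.
@description('Storage account to create (assumed parameter name).')
param storageAccountName string

@description('Container that the principal should be allowed to access.')
param containerName string = 'builds'

@description('Object id of the user, group or service principal receiving the role.')
param principalId string

@description('Set so the assignment works even before the principal has replicated (assumed parameter).')
@allowed([
  'ServicePrincipal'
  'User'
  'Group'
])
param principalType string = 'ServicePrincipal'

@description('Built-in role GUID; default is Storage Blob Data Owner as used in the thread. Prefer a narrower data role where possible.')
param roleDefinitionGuid string = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

param location string = resourceGroup().location

// Full resource id of the built-in role definition (subscription-level resource).
var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionGuid)

resource sa 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // Hardening assumed for the example: no anonymous blob access, modern TLS only.
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// The blob service is always named 'default'; using parent avoids hand-built '${sa.name}/default/...' names.
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-04-01' = {
  parent: sa
  name: 'default'
}

resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-04-01' = {
  parent: blobService
  name: containerName
  properties: {
    publicAccess: 'None'
  }
}

// Extension resource scoped to the container, not the account: the principal gets the
// role on this container only. The name includes the scope so that the same principal/role
// pair at the account level would get a different, non-conflicting assignment name.
resource containerAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(container.id, principalId, roleDefinitionId)
  scope: container
  properties: {
    principalId: principalId
    principalType: principalType
    roleDefinitionId: roleDefinitionId
  }
}

// Handy for the verification step: the scope value should match what Get-AzRoleAssignment reports.
output assignmentScope string = container.id
output assignmentName string = containerAssignment.name
```

After deploying, `Get-AzRoleAssignment -Scope <assignmentScope output>` should list exactly the container-scoped assignment; if an account-scoped assignment for the same principal also appears, it came from an earlier deployment and should be removed separately, because a container-scoped role does not override a broader one granted higher up.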