Issue with Role assignment across resource group

[akhoslabinary]

Hi Team,

I am trying to a assign role for storage account to a keyvault in different resource group but it is not working but if I do the same for keyvault/storage in same resource group then it works.I have tried to explicitly set the scope on module but it doesn't do what I am looking for

Calling keyvault-role-assignment.bicep from storage.bicep --->

module akvrole '../iam-module/resource/keyvault-role-assignment.bicep' = {
name: 'create-${storageAccount}-${keyvaultName}-role'
scope: resourceGroup(keyvaultResourceGroupName)
params: {
keyVaultName: keyvaultName
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
resourceSPObjectIds: array(storage.outputs.storageidentityPrincipalId)
kvResourceGroupName: keyvaultResourceGroupName
}
}

keyvault-role-assignment.bicep--->

param keyVaultName string
param roleDefinitionId string
param resourceSPObjectIds array = []
param kvResourceGroupName string

resource keyvault 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = {
name: keyVaultName
scope: resourceGroup(kvResourceGroupName)
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for spId in resourceSPObjectIds: {
name: guid(keyvault.id, spId, roleDefinitionId)
properties: {
roleDefinitionId: roleDefinitionId
principalId: spId
principalType: 'ServicePrincipal'
}
}]

module roleAssignmentWait '../../util/wait.bicep' = [for (spId, idx) in resourceSPObjectIds: {
name: '${roleAssignment[idx].name}-wait'
scope: resourceGroup(kvResourceGroupName)
params: {
waitNamePrefix: roleAssignment[idx].name
loopCounter: 10
}
}]

[brwilkinson]

Here is a sample of a resource scoped role assignment.

A few things:

• the lookup of the roledefinitionId
• The use of scope against the existing keyvault resource on the roleAssignment
• No scope required on existing kv resource, since you already deployed into the correct RG via the Module (deployment) Scope

param kvName string = 'kvGlobal'

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
}

param roleAssignment object = {
  UserId: '39fbc045-15e0-4855-b63a-e6cdf74ef2ea'
  RoleId: '21090545-7ca7-4776-b22c-e363652d74d2'
  uniqueGUID: 'bce4256e-32fa-4eec-801d-b9c3d7a886dd'
}

resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: roleAssignment.RoleId
}

resource RA 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
    name: roleAssignment.uniqueGUID
    scope: kv
    properties: {
        roleDefinitionId: roleDefinition.id
        principalId: roleAssignment.UserId
    }
}

output roleAssignment string = RA.id

[brwilkinson]

if you deploy into the resource group with the module (scope), then you don't need to specify any scope on the keyvault existing resource, since you already deployed into the RG, so it can find it by the name only.

[brwilkinson]

Hi @akhoslabinary

If you are still seeing issues, please share your updated code samples.

[jessicalavoie]

hi, i have a similar issue.

So... i have a privateDNSzone in a different sub and a different RG from where im deploying. Im referencing my existing privateDNS with the RG and Sub. Fine.

Now i need to give a DNS role assigment to my managed Identity, by scoping my assigment specifically to this privateDNS... this is where it doesnt work.

Any idea how it could work ? i know it works fine when everything is within the same RG.,. seems problematic when it gets out of the sub, RG.

param privateDnsZone string = 'privatelink.${location}.azmk8s.io'

resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
scope: resourceGroup(IdentitySub, IdentityRG)
name: privateDnsZone
}

resource assignDNSContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name : 'dnsContrib'
scope : privateDNSZone
properties: {
description: 'Assign DNS Contrib role to privateDNS'
principalId: aksIdentity.outputs.principalId
principalType: 'ServicePrincipal'
roleDefinitionId: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
}
}

thanks!

[brwilkinson]

@Eazykiel

Here is a sample of using a module to set DNS records across internal/external zones for A/CNAME records.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/APIM.bicep#L265

The module allows for the execution of the deployment in the Resource Group or scope of the DNS zone.

You can do the same things as that for the role assignment.

Then here is a sample of setting a role assignment against an alternate scope, in a more generic way.

#5805

[jessicalavoie]

thanks so much for the quick response ! ill check this out!

[akhoslabinary]

Sorry for the late reply ,yes all is good on my side. We may close this thread now

…

On Mon, Nov 29, 2021, 8:15 PM Ben Wilkinson ***@***.***> wrote: @akhoslabinary <https://github.com/akhoslabinary> if you are still seeing issues, please share your updated code samples. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5276 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALJMA7JBHWUMP4ZEUNMDMSLUOQQS3ANCNFSM5I7SQOEQ> .