I have an Azure VM with a System Assigned Managed Identity enabled. I would like to use an ARM template to assign the Storage Table Data Reader role to the VM's identity. I am using the ARM template below:

{
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2022-04-01",
          "name": "ef733367-cfbb-4e3c-a300-6e54092a7fa6",
          "properties": {
            "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'my-vm-1'), '2019-07-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal",
            "scope": "/subscriptions/<SUBSCRIPTION1_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/mystorage",
            "roleDefinitionId": "/subscriptions/<SUBSCRIPTION2_ID>/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6"
          }
        }
      ]
    }
  }
}

To deploy the ARM template I have a service principal that is assigned the User Access Administrator role in the mystorage Storage Account. However, when I try to deploy the template via an HTTP request I get:

{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed with error: 'Authorization failed for template resource 'ef733367-cfbb-4e3c-a300-6e54092a7fa6' of type 'Microsoft.Authorization/roleAssignments'. The client '<ENTERPRISE_APP_CLIENT_ID>' with object id '<ENTERPRISE_APP_CLIENT_ID>' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/<SUBSCRIPTION2_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Authorization/roleAssignments/ef733367-cfbb-4e3c-a300-6e54092a7fa6'.'."
  }
}

I am using this code to deploy the template:

import requests
import json
from azure.identity import ClientSecretCredential

# Replace these with your Azure details
tenant_id = ""
client_id = ""
client_secret = ""
subscription_id = "<SUBSCRIPTION2_ID>"
resource_group = "<RESOURCE_GROUP>"
deployment_name = "rbac-test"
template_file_path = "rbac_arm.json"

# Client-credentials flow for the service principal that runs the deployment
credential = ClientSecretCredential(tenant_id, client_id, client_secret)

# Token for the Azure Resource Manager API
token = credential.get_token("https://management.azure.com/.default")

# Resource-group-scoped deployment (the error message reports the role assignment
# being attempted at exactly this resource group)
url = f"https://management.azure.com/subscriptions/{subscription_id}/resourcegroups/{resource_group}/providers/Microsoft.Resources/deployments/{deployment_name}?api-version=2021-04-01"

# rbac_arm.json holds the template object; it is wrapped in the deployment body below
with open(template_file_path, 'r') as template_file:
    arm_template = json.load(template_file)

headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {token.token}",
}

payload = {
    "properties": {
        "mode": "Incremental",
        "template": arm_template,
    }
}

response = requests.put(url, headers=headers, json=payload)

# Deployments - Create Or Update returns 200 (updated) or 201 (created)
if response.status_code in (200, 201):
    print("Deployment started successfully!")
    print(response.json())
else:
    print(f"Error: {response.status_code}")
    print(response.json())

What is going wrong? I've spent several hours trying to debug this without any results. I was able to manually assign the VM managed identity the role, but I'd like to be able to do this in an automated way.

asked Mar 26 at 17:37 by robotguyd

1 Answer

Note the error basically says "the service principal doesn't have the role in the resource group".

I think the scope property needs to be above properties:

{
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2022-04-01",
          "name": "ef733367-cfbb-4e3c-a300-6e54092a7fa6",
          "scope": "/subscriptions/<SUBSCRIPTION1_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/mystorage",
          "properties": {
            "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', 'my-vm-1'), '2019-07-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal",
            "roleDefinitionId": "/subscriptions/<SUBSCRIPTION2_ID>/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6"
          }
        }
      ]
    }
  }
}

I believe it defaults to resource group scope in this case and your scope was not applied.
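As an added example (not code from the question or the answer), here is a small pre-deployment check in Python that reproduces the failure mode on this page: it compares the scope the author wrote under properties with the scope ARM will actually use, hoists it to the resource level as the answer suggests, and parses the scope out of the "Authorization failed" message so the two can be compared. It assumes, as the answer says and the error shows, that a scope nested under properties is not honoured and the assignment falls back to the deployment's resource-group scope; the template and error text are constructed from the question with its placeholders, and <VM_PRINCIPAL_ID> stands in for the reference() expression.

```python
import copy
import re

ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments"

# Constructed from the question: the deployment is made into a resource group in
# SUBSCRIPTION2, while the role is meant for a storage account in SUBSCRIPTION1.
DEPLOYMENT_SCOPE = "/subscriptions/<SUBSCRIPTION2_ID>/resourceGroups/<RESOURCE_GROUP>"
STORAGE_SCOPE = (DEPLOYMENT_SCOPE.replace("<SUBSCRIPTION2_ID>", "<SUBSCRIPTION1_ID>")
                 + "/providers/Microsoft.Storage/storageAccounts/mystorage")
QUESTION_TEMPLATE = {"resources": [{
    "type": ROLE_ASSIGNMENT_TYPE,
    "name": "ef733367-cfbb-4e3c-a300-6e54092a7fa6",
    "properties": {
        "principalId": "<VM_PRINCIPAL_ID>",  # placeholder for the reference() expression
        "principalType": "ServicePrincipal",
        "scope": STORAGE_SCOPE,  # wrong place: ARM only honours a resource-level 'scope'
        "roleDefinitionId": "/subscriptions/<SUBSCRIPTION2_ID>/providers/Microsoft.Authorization"
                            "/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
    },
}]}
ERROR_MESSAGE = ("... does not have permission to perform action "
                 "'Microsoft.Authorization/roleAssignments/write' at scope '" + DEPLOYMENT_SCOPE +
                 "/providers/Microsoft.Authorization/roleAssignments/ef733367-cfbb-4e3c-a300-6e54092a7fa6'.")

def lint_role_assignments(template, deployment_scope):
    """Flag role assignments whose 'properties.scope' differs from the scope ARM will actually use."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != ROLE_ASSIGNMENT_TYPE:
            continue
        intended = res.get("properties", {}).get("scope")
        # Resource-level 'scope' wins; without it the deployment scope applies
        actual = res.get("scope", deployment_scope)
        if intended is not None and intended != actual:
            findings.append({"name": res["name"], "intended": intended, "actual": actual})
    return findings

def hoist_scope(template):
    """Return a copy with 'properties.scope' moved to the resource level, as the answer suggests."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type") == ROLE_ASSIGNMENT_TYPE and "scope" in res.get("properties", {}):
            res["scope"] = res["properties"].pop("scope")
    return fixed

def scope_from_error(message):
    """Extract the scope ARM reported in an 'Authorization failed' message."""
    m = re.search(r"at scope '(.*?)/providers/Microsoft\.Authorization/roleAssignments/", message)
    return m.group(1) if m else None
```

Running the linter before the PUT turns a confusing authorization error into a clear "intended scope X, effective scope Y" finding, and confirms that the deploying principal only needs User Access Administrator on the storage account once the scope is hoisted.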

Tags: Permission issue using service principal for RBAC in Azure ARM template, Stack Overflow