How can I get subscription level resources, or how can I set subscription level permissions using ARM templates? - arm-template

I have used RBAC to set the permission, but it's not working.
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"name": "[variables('roleName')]",
"apiVersion": "[variables('authAPIVersion')]",
"properties": {
"roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
"principalId": "[parameters('principalId')]",
"scope": "[subscription().id]"
}
}
]

Role assignments do work, as far as I remember. But generally speaking, subscription level resources should not work.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"name": "8446a13c-6886-46e2-a17f-9df73adb334e",
"apiVersion": "2017-10-01-preview",
"location": "[resourceGroup().location]",
"properties": {
"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "user_guid_goes_here",
"scope": "[resourceGroup().Id]"
}
}
]
}

Related

How to use loop while assigning AD roles to multiple resources using ARM Template

I'm working on assigning the Contributor role to multiple Azure resources such as an Azure Function App, Azure App Service, Application Insights, etc. using ARM templates.
For that, I have used the below lines of code:
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[parameters('roleNameGuidForFunctionApp')]",
"scope": "[concat('Microsoft.Web/sites/',parameters('functionAppName'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
],
"properties": {
"roleDefinitionId": "[variables('ContributorGroupRoleId')]",
"principalId": "[parameters('principalId')]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[parameters('roleNameGuidForAI')]",
"scope": "[concat('microsoft.insights/components/',parameters('applicationInsightsName'))]",
"dependsOn": [
"[resourceId('microsoft.insights/components', parameters('applicationInsightsName'))]"
],
"properties": {
"roleDefinitionId": "[variables('ContributorGroupRoleId')]",
"principalId": "[parameters('principalId')]"
}
}
The above code is working fine. But I want to use a looping concept to assign the Contributor role to multiple Azure resources.
So, please suggest to me how to do it.
I have followed this documentation to use the concept of Resource iteration in ARM templates.
This is my template file:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"roleAssignments": {
"type": "array",
"metadata": {
"description": "An array that contains objects with properties for assigning roles to multiple resources"
}
}
},
"variables": {
"ContributorRoleId": "[resourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[parameters('roleAssignments')[copyIndex('roleAssignments')].roleName]",
"scope": "[concat(parameters('roleAssignments')[copyIndex('roleAssignments')].resourceProviderName,parameters('roleAssignments')[copyIndex('roleAssignments')].resourceName)]",
"copy": {
"name": "roleAssignments",
"count": "[length(parameters('roleAssignments'))]"
},
"properties": {
"roleDefinitionId": "[variables('ContributorRoleId')]",
"principalId": "[parameters('roleAssignments')[copyIndex('roleAssignments')].principalId]"
}
}
],
"outputs": {}
}
This is my parameters file:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"roleAssignments": {
"value": [
{
"roleName": "d37a0ae3-303e-4492-b4df-f1f11b2769f2",
"principalId": "xxxxxxxxxxxxxxxxxxxxxxx",
"resourceProviderName": "Microsoft.Web/sites/",
"resourceName":"xxxxxxxxxxxxxxxxxxx"
},
{
"roleName": "7be3e964-a62c-46f3-a1b8-ed355b85a11d",
"principalId": "xxxxxxxxxxxxxxxxxx",
"resourceProviderName": "Microsoft.Insights/components/",
"resourceName":"xxxxxxxxxxxxxxxxxxx"
}
]
}
}
}
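The copy loop above produces one roleAssignments resource per element of the `roleAssignments` array, with `copyIndex('roleAssignments')` selecting the element and `concat(resourceProviderName, resourceName)` building the scope. The following Python is an added example, not code from the post or from Microsoft: it evaluates that loop against a constructed parameters file (the first two entries mirror the question, the third is deliberately broken) and reports the mistakes that make such a deployment fail or grant the role in the wrong place: a non-GUID or duplicate `roleName`, a placeholder `principalId`, and a `resourceProviderName` without its trailing slash. The `stable_name` helper is an assumption of mine: it derives a deterministic assignment name with uuid5, which is not the same algorithm as ARM's built-in `guid()`.

```python
import json
import re
import uuid

# Constructed sample parameters file (not the poster's): entries 0 and 1 mirror the
# question, entry 2 is deliberately broken so that validate() has something to find.
PARAMETERS_FILE = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleAssignments": {
      "value": [
        {
          "roleName": "d37a0ae3-303e-4492-b4df-f1f11b2769f2",
          "principalId": "11111111-2222-3333-4444-555555555555",
          "resourceProviderName": "Microsoft.Web/sites/",
          "resourceName": "my-function-app"
        },
        {
          "roleName": "7be3e964-a62c-46f3-a1b8-ed355b85a11d",
          "principalId": "11111111-2222-3333-4444-555555555555",
          "resourceProviderName": "Microsoft.Insights/components/",
          "resourceName": "my-app-insights"
        },
        {
          "roleName": "7be3e964-a62c-46f3-a1b8-ed355b85a11d",
          "principalId": "xxxxxxxxxxxxxxxxxx",
          "resourceProviderName": "Microsoft.Web/sites",
          "resourceName": "my-web-app"
        }
      ]
    }
  }
}
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# The scope must come out as <namespace>/<type>/<name>, e.g. Microsoft.Web/sites/my-function-app
SCOPE_RE = re.compile(r"^[A-Za-z0-9.]+/[A-Za-z0-9]+/[^/]+$")


def expand_role_assignments(params_text):
    """Evaluate the copy loop the way ARM does: one roleAssignments resource per
    array element, index == copyIndex('roleAssignments'), and
    scope == concat(resourceProviderName, resourceName)."""
    items = json.loads(params_text)["parameters"]["roleAssignments"]["value"]
    expanded = []
    for index, item in enumerate(items):
        expanded.append({
            "index": index,
            "name": item["roleName"],
            "scope": item["resourceProviderName"] + item["resourceName"],
            "principalId": item["principalId"],
        })
    return expanded


def validate(expanded):
    """Report what would make the deployment fail or assign the role to the wrong scope."""
    problems = []
    first_seen = {}
    for ra in expanded:
        tag = f"[{ra['index']}]"
        if not GUID_RE.match(ra["name"]):
            problems.append(f"{tag} roleName must be a GUID: {ra['name']}")
        elif ra["name"] in first_seen:
            # reusing a roleName inside one deployment makes the two resources collide
            problems.append(f"{tag} duplicate roleName {ra['name']} (first used at [{first_seen[ra['name']]}])")
        else:
            first_seen[ra["name"]] = ra["index"]
        if not GUID_RE.match(ra["principalId"]):
            problems.append(f"{tag} principalId is not an Azure AD object id: {ra['principalId']}")
        if not SCOPE_RE.match(ra["scope"]):
            problems.append(f"{tag} scope is not namespace/type/name (missing '/'?): {ra['scope']}")
    return problems


def stable_name(principal_id, scope, role_definition_guid):
    """Derive a deterministic assignment name from what the assignment is, so a re-run
    with the same parameters reuses the same name instead of colliding.
    Assumption: uuid5 is used here; this is not the algorithm behind ARM's guid()."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"{principal_id}|{scope}|{role_definition_guid}"))


if __name__ == "__main__":
    rows = expand_role_assignments(PARAMETERS_FILE)
    for row in rows:
        print(row["index"], row["name"], row["scope"])
    for problem in validate(rows):
        print("PROBLEM", problem)
```

Running this against a real parameters file before deploying catches the duplicate-name and malformed-scope cases locally; ARM would otherwise reject them only at deployment time, after the earlier copies have already been created.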

How to add msi scope to another RG in azure using templates

I have an MSI in RG 'x'. I am able to set its scope to the RG.
The question is: I want to add the MSI scope to another RG, "xx", as well, using templates. Below is my template snippet:
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('msi_name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]",
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-12-01-preview",
"name": "[guid(resourceGroup().id)]",
"dependsOn": [
"vmsCopy",
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
],
"properties": {
"roleDefinitionId": "[variables(parameters('roleType'))]",
"principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('msi_name'))).principalId]",
"scope": "[resourceGroup().id]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-12-01-preview",
"name": "[concat(guid(concat(resourceGroup().id),'_1'))]",
"dependsOn": [
"vmsCopy",
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
],
"properties": {
"roleDefinitionId": "[variables(parameters('roleType'))]",
"principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('msi_name'))).principalId]",
"scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourcegroups/','xx')]"
}
}
Getting the following error every time:
/subscriptions//resourceGroups/xx' must match the scope specified on the URI '/subscriptions//resourcegroups/x'."
Both RGs are in same subscription.
You need to wrap the second role assignment in a deployment into the other RG:
{
"type": "Microsoft.Resources/deployments",
"name": "subnet-role-assignment",
"apiVersion": "2017-05-10",
"resourceGroup": "second_rg_name",
"dependsOn": [
"vmsCopy",
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"roleDefinitionId": {
"value": "[variables(parameters('roleType'))]"
},
"msiPrincipalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('msi_name'))).principalId]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"roleDefinitionId": { "type": "string" },
"msiPrincipalId": { "type": "string" }
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-12-01-preview",
"name": "[guid(resourceGroup().id, '_1')]",
"properties": {
"roleDefinitionId": "[parameters('roleDefinitionId')]",
"principalId": "[parameters('msiPrincipalId')]",
"scope": "[resourceGroup().id]"
}
}
]
}
}
}

Can't reference principalId of user assigned identity for key vault in same arm template

I'm having trouble referencing a user assigned identity that I create alongside a KeyVault instance within the same template. I've searched through documentation on how to reference managed identities in general and I believe it looks like the following:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full').identity.principalId
However, this doesn't work for me and I'm not sure if it has something to do with deploying my templates at the subscription scope. I'm currently using linkedTemplates so that I can organize my code better and have a main template like the following:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {},
"resources": [
{
"apiVersion": "2020-06-01",
"location": "[variables('location')]",
"name": "key-vault-test",
"properties": {
"mode": "Incremental",
"parameters": { },
"templateLink": {
"relativePath": "vault.json"
}
},
"type": "Microsoft.Resources/deployments"
}
]
}
Next, vault.json is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
…
},
"resources": [
{
"apiVersion": "2018-05-01",
"location": "[…]",
"name": "key-vault",
"type": "Microsoft.Resources/resourceGroups"
},
{
"apiVersion": "2020-06-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
],
"name": "user-assigned-identity-dep",
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-11-30",
"location": "[…]",
"name": "myIdentity",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
},
{
"apiVersion": "2020-06-01",
"name": "key-vault-dep",
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-02-14",
"location": "[…]",
"name": "[concat('key-vault-', uniqueString(subscription().id))]",
"properties": {
"accessPolicies": [
{
"objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get",
"list"
]
},
"tenantId": "[subscription().tenantId]"
}
],
"enableSoftDelete": true,
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]"
},
"type": "Microsoft.KeyVault/vaults"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
}
],
"variables": {
"keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
}
}
When I deploy the main template, the reference function that I've crafted returns the deployment of the keyVault to me, and not the managed identity at all.
'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation
I'm not sure if I'm doing something wrong or if there's a better way to do this. In summary, I'm attempting to create a user assigned identity and create a key vault with access policies for that identity in the same template.
If you want to get the principalId of the user assigned identity, you need to use the following expression. For more details, please refer here.
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
for example
my template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"defaultValue": "mytest",
"type": "String"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
"type": "string"
}
}
}
I got the same error but I had forgotten to assign a managed identity to my resource in the ARM template like:
"identity": {
"type": "SystemAssigned"
},
Example:
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[variables('uniqueResourceNameBase')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": { ... }
}
After doing this I could use .identity.principalId.
Source:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
You can also manually set it in Azure Portal under your service -> Identity.
A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you don't have to store any credentials in code. Learn more about Managed identities.
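The two answers above disagree only because they read different resource shapes: a user-assigned identity resource carries its principal under `properties.principalId`, while a resource that has an identity attached carries it under `identity.principalId` (system-assigned) or under `identity.userAssignedIdentities[<identity id>].principalId`; a `Microsoft.Resources/deployments` object, which is what the question's `reference()` actually resolved to, carries none. The following Python is an added example, not code from the thread or from Microsoft: it takes an object shaped like the output of `reference(<id>, <apiVersion>, 'Full')` and returns every principalId it exposes, raising the same kind of error the question hit when the object has no identity. The three sample objects and their GUIDs are constructed.

```python
# Constructed sample objects, shaped like what reference(<id>, <apiVersion>, 'Full')
# returns for each kind of resource; ids and GUIDs are made up.
USER_ASSIGNED_IDENTITY = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/key-vault"
          "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
    "name": "myIdentity",
    "properties": {
        "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
        "clientId": "bbbbbbbb-0000-0000-0000-000000000001",
    },
}

FUNCTION_APP = {
    "type": "Microsoft.Web/sites",
    "name": "my-func",
    "identity": {
        "type": "SystemAssigned, UserAssigned",
        "principalId": "aaaaaaaa-0000-0000-0000-000000000002",
        "userAssignedIdentities": {
            USER_ASSIGNED_IDENTITY["id"]: {
                "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
                "clientId": "bbbbbbbb-0000-0000-0000-000000000001",
            }
        },
    },
    "properties": {},
}

NESTED_DEPLOYMENT = {  # what the question's reference() resolved to: no identity at all
    "type": "Microsoft.Resources/deployments",
    "name": "user-assigned-identity-dep",
    "properties": {"mode": "Incremental", "provisioningState": "Succeeded"},
}


def principal_ids(resource):
    """Return {label: principalId} for every identity the object carries.

    user-assigned identity resource      -> properties.principalId        (label 'self')
    resource with a system-assigned id   -> identity.principalId          (label 'system')
    resource with attached user ids      -> identity.userAssignedIdentities[<id>].principalId
                                            (label = last path segment of the identity id)
    Raises ValueError when nothing is found, e.g. when the id pointed at a deployment."""
    found = {}
    rtype = resource.get("type", "")
    if rtype.lower() == "microsoft.managedidentity/userassignedidentities":
        found["self"] = resource["properties"]["principalId"]
    identity = resource.get("identity") or {}
    if identity.get("principalId"):
        found["system"] = identity["principalId"]
    for ident_id, ident in (identity.get("userAssignedIdentities") or {}).items():
        found[ident_id.rsplit("/", 1)[-1]] = ident["principalId"]
    if not found:
        raise ValueError(
            f"{rtype} '{resource.get('name')}' exposes no principalId; check that the "
            "resource id points at the identity itself, not at the deployment that created it")
    return found
```

The label dictionary rather than a single value is deliberate: a resource can carry both a system-assigned and several user-assigned identities, and an access policy or role assignment written for the wrong one grants nothing to the workload that actually authenticates.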

Reference listKeys() in nested templates

I am creating an ARM template that deploys a lot of resources in different resource groups. Actually, the resource groups themselves are part of the deployment. In a simple version, I create only two resource groups (masterRG and dependentRG), and then create two nested (inline) deployments. The first inline deployment puts a storage account (testsadj1604) in masterRG. This deployment is dependent on masterRG.
The second deployment creates a keyvault and tries to store a connectionstring from testsadj1604 in that vault.
In my real case, I have more resource groups and I actually try to deploy a Function App that has the connection string as an 'appsetting'. The methodology is the same though.
The error I get is the following:
Deployment failed. Correlation ID: 9c359e8e-8657-4756-a5a3-f9c5698fbb46. {
"error": {
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Storage/storageAccounts/testsadj1604' under resource group '<null>' was not found."
}
}
This is my code:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"name": "masterRG",
"location": "West Europe",
"properties": {}
},
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"name": "dependentRG",
"location": "West Europe",
"properties": {}
},
{
"name": "masterRgDeployment",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"resourceGroup": "masterRG",
"dependsOn": [
"masterRG"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-06-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "testsadj1604",
"location": "West Europe",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
]
}
}
},
{
"name": "dependentRgDeployment",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"resourceGroup": "dependentRG",
"dependsOn": [
"dependentRG",
"masterRgDeployment"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"name": "kvaNameTest1604",
"apiVersion": "2015-06-01",
"location": "West Europe",
"properties": {
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"objectId": "fc05639d-70eb-4175-a89b-eab7f883c691",
"tenantId": "[subscription().tenantId]",
"permissions": {
"keys": [
"get",
"list",
"update"
],
"secrets": [
"get",
"list",
"update"
]
}
}
],
"sku": {
"name": "Standard",
"family": "A"
},
"networkAcls": {
"defaultAction": "Allow",
"bypass": "AzureServices"
}
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "kvaNameTest1604/saConnectionString",
"apiVersion": "2018-02-14",
"location": "West Europe",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'kvaNameTest1604')]"
],
"properties": {
"value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'testsadj1604'), '2019-06-01').keys[0].value]"
}
}
]
}
}
}
]
}
I am pretty sure the error comes from the listKeys() at the bottom, going on my daylong trial-and-error (and Google frenzy) in my real template. Using listKeys() and nested deployments is a drag, but I really don't see why it shouldn't work. I made sure there is a dependsOn in the second deployment.
This is wrecking my brain, is there any way I can use nested (inline) templates and reference the storage account keys that are in a different resourcegroup (but part of the overall deployment)? I also tried to create an output in the first deployment and reference that in the second but that had no effect. I am at a total loss, any help is welcome!
There are a few things you need to do for this to work in a single template:
1. On your keyvault secret deployment set this property:
"expressionEvaluationOptions": {
"scope": "inner"
},
That will delay evaluation of the expression until that deployment begins.
2. When you set #1, you need to define parameters for the values you need (you can no longer use "global" params/vars). You could hardcode all the strings like in your example, but I'm guessing that's not what you do in the "real" deployment. Define the params and pass the values into that deployment.
3. Your listKeys() call needs to include the full resourceId of the storageAccount, since it is in a separate/distinct deployment, so you need to provide the resourceGroup name param. If you cross subscriptions in the deployment (your sample didn't) you need to provide the subscriptionId param.
Below is a working example...
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"defaultValue": "[concat('scratch', uniqueString(newGuid()))]"
}
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"name": "masterRG",
"location": "West Europe",
"properties": {
}
},
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"name": "dependentRG",
"location": "West Europe",
"properties": {
}
},
{
"name": "masterRgDeployment",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"resourceGroup": "masterRG",
"dependsOn": [
"masterRG"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-06-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"location": "West Europe",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
]
}
}
},
{
"name": "dependentRgDeployment",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"resourceGroup": "dependentRG",
"dependsOn": [
"dependentRG",
"masterRgDeployment"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters":{
"storageAccountName": {
"value": "[parameters('storageAccountName')]"
},
"storageAccountResourceGroupName": {
"value": "masterRG"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"storageAccountResourceGroupName": {
"type": "string"
}
},
"variables": {
"vaultName": "[concat('kv-', parameters('storageAccountName'))]"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"name": "[variables('vaultName')]",
"apiVersion": "2019-09-01",
"location": "West Europe",
"properties": {
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"tenantId": "[subscription().tenantId]",
"accessPolicies": [ ],
"sku": {
"name": "Standard",
"family": "A"
},
"networkAcls": {
"defaultAction": "Allow",
"bypass": "AzureServices"
}
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(variables('vaultName'), '/saConnectionString')]",
"apiVersion": "2019-09-01",
"location": "West Europe",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]"
],
"properties": {
"value": "[listKeys(resourceId(parameters('storageAccountResourceGroupName'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01').keys[0].value]"
}
}
]
}
}
}
]
}
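Both the "wrap the role assignment in a deployment into the other RG" answer earlier and the listKeys() answer above turn on the same two rules for `Microsoft.Resources/deployments`: `expressionEvaluationOptions` lives under `properties`, and once `scope` is `inner` the inline template only sees the parameters and variables it declares itself, so every value has to be passed in through the deployment's `parameters`. The following Python is an added example, not code from either answer or from Microsoft: it walks a template's nested deployments and reports the option placed at the wrong level, inner-scope templates that use `parameters()`/`variables()` they never declare, declared inner parameters that receive no value, and outer-scope templates that call `listKeys()`/`reference()`, which the answer explains are evaluated before that deployment begins. The sample template is constructed and reproduces both mistakes.

```python
import re

EXPR_RE = re.compile(r"(parameters|variables)\('([^']+)'\)")
RUNTIME_FUNCS = ("listKeys(", "reference(")

# Constructed sample (not the poster's template): two nested deployments that
# reproduce the mistakes discussed in the answers above.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"storageAccountName": {"type": "string"}},
    "variables": {"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"},
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "name": "secretDeployment",
            "apiVersion": "2019-10-01",
            "resourceGroup": "dependentRG",
            "dependsOn": ["masterRgDeployment"],
            "expressionEvaluationOptions": {"scope": "inner"},  # wrong level: ignored here
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [{
                        "type": "Microsoft.KeyVault/vaults/secrets",
                        "apiVersion": "2019-09-01",
                        "name": "kv-sample/saConnectionString",
                        "properties": {"value": "[listKeys(resourceId('masterRG', 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01').keys[0].value]"},
                    }],
                },
            },
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "roleAssignmentDeployment",
            "apiVersion": "2019-10-01",
            "resourceGroup": "otherRG",
            "properties": {
                "mode": "Incremental",
                "expressionEvaluationOptions": {"scope": "inner"},
                "parameters": {"principalId": {"value": "[reference('msi').principalId]"}},
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {"principalId": {"type": "string"}},
                    "resources": [{
                        "type": "Microsoft.Authorization/roleAssignments",
                        "apiVersion": "2018-12-01-preview",
                        "name": "[guid(resourceGroup().id, parameters('principalId'))]",
                        "properties": {
                            "roleDefinitionId": "[variables('roleDefinitionId')]",  # outer variable: invisible in inner scope
                            "principalId": "[parameters('principalId')]",
                            "scope": "[resourceGroup().id]",
                        },
                    }],
                },
            },
        },
    ],
}


def _strings(node):
    """Yield every string value anywhere inside a JSON-like tree."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def check_nested_deployments(template):
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        name = res.get("name", "?")
        props = res.get("properties", {})
        if "expressionEvaluationOptions" in res:
            findings.append(f"{name}: expressionEvaluationOptions sits at the resource level; it belongs under 'properties'")
        scope = props.get("expressionEvaluationOptions", {}).get("scope", "outer")
        inner = props.get("template", {})
        if scope == "inner":
            declared_params = inner.get("parameters", {})
            declared_vars = set(inner.get("variables", {}))
            passed = set(props.get("parameters", {}))
            for text in _strings(inner):
                for kind, ident in EXPR_RE.findall(text):
                    if kind == "parameters" and ident not in declared_params:
                        findings.append(f"{name}: inner template uses parameters('{ident}') but does not declare it")
                    if kind == "variables" and ident not in declared_vars:
                        findings.append(f"{name}: inner template uses variables('{ident}') but does not declare it")
            for ident, decl in declared_params.items():
                if ident not in passed and "defaultValue" not in decl:
                    findings.append(f"{name}: inner parameter '{ident}' gets no value and has no defaultValue")
        else:
            for text in _strings(inner):
                if any(func in text for func in RUNTIME_FUNCS):
                    findings.append(f"{name}: outer scope evaluates '{text[:60]}...' before this deployment begins, so a resource from a sibling deployment may not exist yet")
                    break
    return findings
```

The check is purely syntactic (it matches `parameters('x')` and `variables('x')` literally), so an expression such as `variables(parameters('roleType'))` is only partly analysed; it is meant as a pre-deployment gate, not a replacement for `az deployment ... validate`.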

Sometimes an ARM template will throw a PrincipalNotFound error when working with a user-assigned managed identity

So, I am trying to do the following with an ARM template:
1. Create a new User-assigned Managed Identity (my-managed-identity) in Resource Group my-rg
2. Assign my-managed-identity the Reader role for my-rg
3. Assign the role Managed Identity Operator to an AKS Service Principal (my-aks-sp) on my-managed-identity
Here is my ARM template to do so:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"aksServicePrincipalObjectId": {
"type": "string",
"metadata": {
"description": "The Object Id for the AKS Cluster Service Principal"
}
}
},
"variables": {
"managedIdentityName": "my-managed-identity",
"readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
"managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
"name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
"apiVersion": "2018-09-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('managedIdOperatorRole')]",
"principalId": "[parameters('aksServicePrincipalObjectId')]"
}
}
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"name": "[guid(variables('managedIdentityName'))]",
"apiVersion": "2018-09-01-preview",
"dependsOn": [
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('readerRole')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]"
}
}
]
}
The weird thing is that sometimes this deployment doesn't work. More often than not I get the error:
New-AzResourceGroupDeployment : 2:56:07 PM - Resource Microsoft.Authorization/roleAssignments 'd62bb9a1-bf0b-5a92-aca1-74beab087ee9' failed with message '{
"error": {
"code": "PrincipalNotFound",
"message": "Principal fad453d06bd042148411606b74525ed2 does not exist in the directory 936529098-bafa-4c91-b54f-f012cc11eeec."
}
}
Am I missing something here?
This documentation from Microsoft solved my problem.
Here is my complete template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"aksServicePrincipalObjectId": {
"type": "string",
"metadata": {
"description": "The Object Id for the AKS Cluster Service Principal"
}
}
},
"variables": {
"managedIdentityName": "my-managed-identity",
"readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
"managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
"name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
"apiVersion": "2018-09-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('managedIdOperatorRole')]",
"principalId": "[parameters('aksServicePrincipalObjectId')]",
"principalType": "ServicePrincipal" // This solved my issue
}
}
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"name": "[guid(variables('managedIdentityName'))]",
"apiVersion": "2018-09-01-preview",
"dependsOn": [
"[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('readerRole')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
"scope": "[resourceGroup().id]" //This is what I added to get it to work!
}
}
]
}
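Between the first answer on this page (an Owner assignment scoped to `subscription().id`) and the answer just above (`principalType` and an explicit `scope` on an assignment whose principalId comes from a `reference()` to an identity created in the same template), the thread covers the properties a reviewer checks on every `Microsoft.Authorization/roleAssignments` resource before a template reaches a pipeline. The following Python is an added example, not code from the thread or from Microsoft: it walks a template (child resources and nested deployments' inline templates included), resolves the four role-definition GUIDs that appear on this page to their names, and flags assignments with no `scope`, high-privilege roles granted at subscription scope, principalIds taken from a `reference()` without `principalType` (the PrincipalNotFound case above), and names that are neither a GUID nor an expression. The privilege levels and the sample template are my own constructed inputs.

```python
import re

# Role definition GUIDs that appear in the templates on this page, with the
# privilege level a reviewer would attach to them (constructed classification).
KNOWN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": ("Owner", "high"),
    "b24988ac-6180-42a0-ab88-20f7382dd24c": ("Contributor", "high"),
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": ("Reader", "low"),
    "f1a07417-d97a-45cb-824c-7a7467783830": ("Managed Identity Operator", "medium"),
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample template (not one of the posters'): a subscription-wide Owner
# assignment plus a nested deployment whose assignment lacks scope and principalType.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[variables('roleName')]",
            "apiVersion": "2018-09-01-preview",
            "properties": {
                "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                "principalId": "[parameters('principalId')]",
                "scope": "[subscription().id]",
            },
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "rgDeployment",
            "apiVersion": "2019-10-01",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "resources": [{
                        "type": "Microsoft.Authorization/roleAssignments",
                        "name": "[guid(variables('managedIdentityName'))]",
                        "apiVersion": "2018-09-01-preview",
                        "properties": {
                            "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
                            "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
                        },
                    }],
                },
            },
        },
    ],
}


def walk_role_assignments(resources, path=""):
    """Yield (path, resource) for every roleAssignments resource, descending into
    child resources and into nested deployments' inline templates. The endswith test
    also matches the '<type>/providers/roleAssignments' extension form used above."""
    for res in resources:
        rtype = res.get("type", "")
        here = f"{path}/{res.get('name', '?')}"
        if rtype.lower().endswith("roleassignments"):
            yield here, res
        yield from walk_role_assignments(res.get("resources", []), here)
        if rtype == "Microsoft.Resources/deployments":
            inner = res.get("properties", {}).get("template", {})
            yield from walk_role_assignments(inner.get("resources", []), here)


def is_subscription_scope(scope):
    """True for scope expressions built from subscription() with no resource group part."""
    s = scope.lower()
    return "subscription()" in s and "resourcegroup" not in s


def lint_role_assignments(template):
    findings = []
    for path, res in walk_role_assignments(template.get("resources", [])):
        props = res.get("properties", {})
        match = GUID_RE.search(props.get("roleDefinitionId", ""))
        role_name, level = KNOWN_ROLES.get(match.group(0).lower(), ("unknown", "unknown")) if match else ("unresolved", "unknown")
        scope = props.get("scope")
        issues = []
        if scope is None:
            issues.append("no 'scope' property; the assignment defaults to the deployment's own scope")
        elif level == "high" and is_subscription_scope(scope):
            issues.append(f"{role_name} granted at subscription scope")
        if "reference(" in props.get("principalId", "") and "principalType" not in props:
            issues.append("principalId comes from a just-created identity but principalType is not set (PrincipalNotFound risk)")
        name = res.get("name", "")
        if not (GUID_RE.fullmatch(name) or name.startswith("[")):
            issues.append("name is neither a GUID nor an expression")
        findings.append({"path": path, "role": role_name, "level": level, "scope": scope, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in lint_role_assignments(SAMPLE_TEMPLATE):
        print(finding["path"], finding["role"], finding["level"], finding["scope"], finding["issues"] or "ok")
```

A subscription-scoped Owner or Contributor assignment is not wrong by itself, but it is the single line in a template that most deserves a second pair of eyes, which is why the lint reports it as a finding rather than silently accepting it.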
