
Azure: Assign Roles via ARM Template to storage container


You need to construct something like this:

resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID

and resourceId is normally constructed as

type: provider/namespace
name: name
provider/namespace/name

For example, for a subnet it would be (notice that it takes one segment from each line in turn, except for the first one, which is always two segments):

type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName
microsoft.network/virtualnetworks/vnetName/subnets/subnetName

If that is even possible, it would look something like this:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID


Made some little adjustments:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

This way I can assign roles on the container itself. Thanks 4c74356b41 for pointing me in the right direction.


Using Erik's answer above (which I've up-voted of course, thx Erik!), I was able to solve the similar issue for RBAC permissions on a Queue of a Storage Account using ARM templates.

Here is an example ARM template for adding the Sender role to a single Queue of a Storage Account...

<..snip..>
"parameters": {
    "PrincipalId": {
        "type": "string",
        "minLength": 36,
        "maxLength": 36
    }
},
"variables": {
    "SubscriptionId": "[concat('/subscriptions/', subscription().subscriptionId)]",
    "RoleDefinitions": "[concat(variables('SubscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/')]",
    "QueueSenderRole": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a"
},
"resources": [
    {
        "type": "Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments",
        // NB example only; pick an idempotent but unique value
        "name": "mystorageaccount/default/myqueue/Microsoft.Authorization/00000000-1234-0000-5678-000000000000",
        "apiVersion": "2018-09-01-preview",
        "properties": {
            "roleDefinitionId": "[concat(variables('RoleDefinitions'), variables('QueueSenderRole'))]",
            "principalId": "[parameters('PrincipalId')]"
        }
    }
]
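Added example, not code from any of the answers above: a Python script that implements the segment-interleaving rule from 4c74356b41's answer in both directions (type + name to resource path, and back), and then uses it to emit a role-assignment resource of the shape shown in the queue template above, scoped to a container or a queue. It shows why `Microsoft.Authorization` has to appear inside `name`: `providers` is a type segment, so its paired name segment is the extension provider namespace. Assumptions beyond the page: the `apiVersion` 2022-04-01, the `principalType` property, the `subscriptionResourceId()` template function and the Storage Blob Data Contributor role GUID come from Azure's public documentation, not from this page; the account, container, queue and principal IDs are constructed placeholders.

```python
"""Build ARM type/name pairs and resource IDs for role assignments scoped to
a storage container or queue.  Added example; not from the original answers."""
from __future__ import annotations

import json
import uuid

# Built-in role definition GUIDs.  The queue sender one is from the answer above;
# the blob contributor one is from Azure's published built-in role list.
STORAGE_QUEUE_DATA_MESSAGE_SENDER = "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

CONTAINER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers"
QUEUE_TYPE = "Microsoft.Storage/storageAccounts/queueServices/queues"


def resource_path(type_path: str, name_path: str) -> str:
    """Interleave an ARM 'type' and 'name' into the provider-relative resource path.

    The first type segment is the provider namespace and carries no name; every
    later type segment is followed by exactly one name segment, so 'name' must
    have one segment fewer than 'type'.
    """
    type_segs = type_path.split("/")
    name_segs = name_path.split("/")
    if len(name_segs) != len(type_segs) - 1:
        raise ValueError(
            f"name needs {len(type_segs) - 1} segments for type {type_path!r}, "
            f"got {len(name_segs)}"
        )
    parts = [type_segs[0]]
    for type_seg, name_seg in zip(type_segs[1:], name_segs):
        parts.extend((type_seg, name_seg))
    return "/".join(parts)


def type_and_name(path: str) -> tuple[str, str]:
    """Inverse of resource_path(): split a provider-relative path into (type, name)."""
    segs = path.split("/")
    if len(segs) % 2 == 0:  # namespace plus (type, name) pairs is always odd
        raise ValueError(f"{path!r} is not namespace + type/name pairs")
    return "/".join([segs[0], *segs[1::2]]), "/".join(segs[2::2])


def full_resource_id(subscription_id: str, resource_group: str,
                     type_path: str, name_path: str) -> str:
    """The complete ARM resource ID, as resourceId() would return it."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/{resource_path(type_path, name_path)}")


def role_assignment(scope_type: str, scope_name: str, role_definition_guid: str,
                    principal_id: str, principal_type: str = "ServicePrincipal") -> dict:
    """Build the ARM resource object for a role assignment on a nested resource.

    The assignment name must be a GUID.  It is derived from (scope, role,
    principal) with uuid5 so that redeploying yields the same name and ARM
    treats it as an update instead of a duplicate; ARM's own guid() template
    function hashes its arguments the same way inside a template.
    """
    uuid.UUID(principal_id)          # reject non-GUID input before it reaches ARM
    uuid.UUID(role_definition_guid)
    assignment_name = str(uuid.uuid5(
        uuid.NAMESPACE_URL,
        f"{scope_type}/{scope_name}/{role_definition_guid}/{principal_id}"))
    return {
        # 'providers' is a type segment, so its name segment is the extension
        # provider namespace: that is why Microsoft.Authorization sits in 'name'.
        "type": f"{scope_type}/providers/roleAssignments",
        "apiVersion": "2022-04-01",  # assumed GA version; the answer uses 2018-09-01-preview
        "name": f"{scope_name}/Microsoft.Authorization/{assignment_name}",
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/"
                                f"roleDefinitions', '{role_definition_guid}')]",
            "principalId": principal_id,
            "principalType": principal_type,
        },
    }


if __name__ == "__main__":
    # Constructed placeholders, not real identities.
    principal = "11111111-2222-3333-4444-555555555555"
    res = role_assignment(CONTAINER_TYPE, "mystorageaccount/default/mycontainer",
                          STORAGE_BLOB_DATA_CONTRIBUTOR, principal)
    print(json.dumps(res, indent=2))
    print(full_resource_id("00000000-0000-0000-0000-000000000000", "my-rg",
                           res["type"], res["name"]))
```

Two practitioner caveats the script encodes: a freshly generated random GUID makes the second deployment fail because an assignment for the same principal, role and scope already exists under a different name, so derive the name from those three inputs; and setting `principalType` lets ARM skip the directory lookup, which avoids the PrincipalNotFound error when the service principal was created moments earlier in the same deployment.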