Azure: Assign Roles via ARM Template to storage container
you need to construct something like this:
resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID
and resourceId is normally constructed as
type: provider/namespace
name: name
resourceId: provider/namespace/name
for example, for subnet it would be (notice it takes 1 segment from each line in turn, except for the first one, first one is always 2 segments):
type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName
resourceId: microsoft.network/virtualnetworks/vnetName/subnets/subnetName
if that is even possible it would look something like this:
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
resourceId: Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID
Made some little adjustments:
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
This way I can assign roles on the container itself. Thanks 4c74356b41 for pointing me in the right direction.
Using Erik's answer above (which I've up-voted of course, thx Erik!), I was able to solve the similar issue for RBAC permissions on a Queue of a Storage Account using ARM templates.
Here is an example ARM template for adding Sender role to a single Queue of a Storage Account...
<..snip..>
"parameters": {
  "PrincipalId": { "type": "string", "minLength": 36, "maxLength": 36 }
},
"variables": {
  "SubscriptionId": "[concat('/subscriptions/', subscription().subscriptionId)]",
  "RoleDefinitions": "[concat(variables('SubscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/')]",
  "QueueSenderRole": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a"
},
"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments",
    "name": "mystorageaccount/default/myqueue/Microsoft.Authorization/00000000-1234-0000-5678-000000000000", // NB example only; pick an idempotent but unique value
    "apiVersion": "2018-09-01-preview",
    "properties": {
      "roleDefinitionId": "[concat(variables('RoleDefinitions'), variables('QueueSenderRole'))]",
      "principalId": "[parameters('PrincipalId')]"
    }
  }
]
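To make the segment-interleaving rule from the first answer concrete, here is an added Python example (not code from any of the answers above, and not an Azure library). It derives the type/name pair and the resulting resourceId for a roleAssignments resource nested under a storage container (Erik's answer) or a queue (the template above), refuses a name whose segment count does not match the type (ARM rejects such a nested resource), and shows one way to get the "idempotent but unique" assignment name the comment in the queue template asks for. The uuid5 helper and the function names are assumptions of this example; ARM's own guid() function uses a different hash, but the idea is the same: a name derived from scope, role and principal so a redeploy updates the same assignment instead of creating a second one.

```python
import uuid

# Added example, not code from any of the answers on this page. It applies the
# resourceId rule from the first answer: the type's first segment is the
# two-part provider namespace, and every later type segment is paired with
# one segment of the name, in turn.


def split_type(resource_type: str) -> list[str]:
    """Split an ARM type into segments. The first segment is always the
    two-part provider namespace (e.g. Microsoft.Storage/storageAccounts);
    every later segment is a single path element."""
    parts = resource_type.split("/")
    if len(parts) < 2:
        raise ValueError(f"type must start with provider/namespace: {resource_type!r}")
    return ["/".join(parts[:2])] + parts[2:]


def build_resource_id(resource_type: str, name: str) -> str:
    """Interleave one type segment with one name segment in turn, which is
    how ARM derives the resource ID of a nested resource from type + name."""
    type_segments = split_type(resource_type)
    name_segments = name.split("/")
    if len(type_segments) != len(name_segments):
        # ARM rejects a nested resource whose name has a different number of
        # segments than its type, so fail here rather than at deployment time.
        raise ValueError(
            f"type has {len(type_segments)} segments but name has "
            f"{len(name_segments)}: {resource_type!r} / {name!r}"
        )
    pieces = []
    for type_seg, name_seg in zip(type_segments, name_segments):
        pieces.extend((type_seg, name_seg))
    return "/".join(pieces)


def role_assignment_resource(parent_type: str, parent_name: str,
                             assignment_name: str) -> tuple[str, str, str]:
    """Return (type, name, resourceId) for a roleAssignments extension
    resource scoped to the parent identified by parent_type/parent_name."""
    rtype = f"{parent_type}/providers/roleAssignments"
    name = f"{parent_name}/Microsoft.Authorization/{assignment_name}"
    return rtype, name, build_resource_id(rtype, name)


def idempotent_assignment_name(scope_id: str, role_definition_id: str,
                               principal_id: str) -> str:
    """Deterministic GUID for the assignment so redeploying the template
    updates the same assignment instead of adding a duplicate. uuid5 is an
    assumption standing in for the ARM guid() function (same idea, different
    hash); scope, role and principal are what make an assignment unique."""
    key = f"{scope_id}|{role_definition_id}|{principal_id}".lower()
    return str(uuid.uuid5(uuid.NAMESPACE_URL, key))


if __name__ == "__main__":
    # Constructed placeholder values, not real resource names or GUIDs.
    rtype, name, rid = role_assignment_resource(
        "Microsoft.Storage/storageAccounts/blobServices/containers",
        "STORAGEACCOUNTNAME/default/CONTAINERNAME",
        "NEW-GUID",
    )
    print(rtype)
    print(name)
    print(rid)
```

Running it prints the type and name exactly as Erik's answer has them, followed by the full resourceId that ARM builds from that pair (note that blobServices/default appears in the ID because it is a segment of the type). Swapping the parent for Microsoft.Storage/storageAccounts/queueServices/queues with name mystorageaccount/default/myqueue reproduces the queue resource from the template above.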