Apply Azure RBAC to a resource using ARM
The key is to drop the `scope` property, and instead nest the role assignment under the desired resource by using `Microsoft.FooResource/BarSubType/providers/roleAssignments` as the type, and using the following format for the name: `{resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}`. Note that the GUID should be stable but unique to this role assignment; one easy option is `guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish')`.
Here is a template that shows you how to apply RBAC to a single resource, using a user-assigned managed identity defined in the same template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
          "apiVersion": "2017-05-01",
          "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
          "properties": {
            "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
            "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
          ]
        }
      ]
    }
  ]
}
```
Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/
You can apply RBAC rules at the resource level via an ARM template, and there is an example template that applies RBAC rules to an Azure VM here:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "Principal ID associated with the subscription ID" }
    },
    "virtualMachineName": {
      "type": "string",
      "metadata": { "description": "Name of the virtual machine" }
    },
    "builtInRoleType": {
      "type": "string",
      "metadata": { "description": "Built In Role Type for the Virtual Machine" },
      "allowedValues": [ "Owner", "Contributor", "Reader", "Virtual Machine Contributor" ]
    },
    "guid": {
      "type": "string",
      "metadata": { "description": "A new GUID used to identify the role" }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Location for all resources." }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "Virtual Machine Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
    "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[variables('resourceName')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
```
Hope this will help you.
It is possible to apply RBAC on resource level using ARM.
The example you referred to shows how to apply RBAC on a particular resource group, where the scope is the path of the resource group.
Here, you are trying to assign a role to a particular resource. Changing the scope from resource group to resource (AppInsights) will work.
From the exception, I can see that the path of the resource may not be in the expected format.
The path of AppInsights should be in the following format:

`/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}`
Hope framing the scope like this helps!
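As an added example (not code from any of the answers above or from the linked post), here is a small Python checker that applies the rules the first answer gives for resource-level role assignments (nested type, no `scope`, `{resourceName}/Microsoft.Authorization/{stable guid}` name) to an already-parsed ARM template, and also flags Owner/Contributor grants for least-privilege review. The `SAMPLE` template, its resource names and the `vm1`/`stg1` values are constructed for the demonstration; the role definition GUIDs are the ones quoted in the templates above.

```python
import re
BUILTIN_ROLES = {  # built-in role definition ids quoted in the templates above
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "d73bb868-a0df-4d4d-bd69-98a00b01fccb": "Virtual Machine Contributor",
}
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# Name must read {resourceName}/Microsoft.Authorization/{guid(...) call or literal GUID}.
NAME_RE = re.compile(r"/Microsoft\.Authorization/.*(?:guid\(|" + GUID + ")", re.I)

def _walk(resources):
    """Yield every resource, including ones nested under a parent's 'resources'."""
    for res in resources:
        yield res
        yield from _walk(res.get("resources", []))

def _resolve(template, expr):
    """Inline a plain [variables('x')] reference; any other expression passes through."""
    m = re.fullmatch(r"\[variables\('(\w+)'\)\]", expr)
    return template.get("variables", {}).get(m.group(1), expr) if m else expr

def check_role_assignments(template):
    """Return (assignment name, finding) pairs for every roleAssignments resource."""
    findings = []
    for res in _walk(template.get("resources", [])):
        rtype, props = res.get("type", ""), res.get("properties", {})
        if not rtype.endswith("roleAssignments"):
            continue
        name = _resolve(template, res.get("name", ""))
        # Resource-level form nests the type under the parent type and carries no 'scope'.
        if not re.fullmatch(r"Microsoft\.\w+/\w+/providers/roleAssignments", rtype):
            findings.append((name, "type is not nested under a resource type"))
        if "scope" in props:
            findings.append((name, "drop 'scope'; nesting under the resource sets it"))
        if not NAME_RE.search(name):
            findings.append((name, "name is not {resource}/Microsoft.Authorization/{stable guid}"))
        # Map roleDefinitionId to a built-in role; broad roles get a least-privilege flag.
        m = re.search(GUID, _resolve(template, props.get("roleDefinitionId", "")), re.I)
        role = BUILTIN_ROLES.get(m.group(0).lower()) if m else None
        if role is None:
            findings.append((name, "roleDefinitionId does not resolve to a known built-in role"))
        elif role in ("Owner", "Contributor"):
            findings.append((name, f"grants {role}; consider a narrower role"))
    return findings
# Constructed sample: a clean nested Reader assignment on a storage account, plus a VM assignment that keeps 'scope' and grants Contributor.
SAMPLE = {"variables": {"reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"},
    "resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "stg1", "resources": [
        {"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments", "properties": {"roleDefinitionId": "[variables('reader')]"},
         "name": "[concat('stg1', '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'stg-reader'))]"}]},
     {"type": "Microsoft.Compute/virtualMachines/providers/roleAssignments", "name": "vm1/Microsoft.Authorization/11111111-2222-3333-4444-555555555555",
      "properties": {"scope": "[resourceGroup().id]", "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"}}]}
```

Running `check_role_assignments(SAMPLE)` reports only the VM assignment, once for the leftover `scope` and once for the Contributor grant; a resource-group-style `Microsoft.Authorization/roleAssignments` entry with a `scope` property, as in the question, is reported under all four rules.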