
I am trying to assign "Storage Blob Data Contributor" permissions on the storage account with an Azure DevOps pipeline.

I have the configuration:

  • Service connection: TestSubscription
  • The service connection is a member of a group which has the Contributor RBAC role at the subscription level
  • The service connection is created with workload identity federation

I am using the Azure DevOps task below:

- task: AzurePowerShell@5
  displayName: "Set Permissions Storage Account for Service Principal"
  inputs:
    azureSubscription: 'TestSubscription'
    ScriptType: 'FilePath'
    ScriptPath: '$(Pipeline.Workspace)/drop/Scripts/SetStoragePermission.ps1'
    ScriptArguments: '-ResourceGroup $(ResourceGroup) -StorageAccountNameStaticWebApp $(StorageAccountNameStaticWebApp) -ClientIDAppRegistration $(ClientIDAppRegistration) -IDTestSubscription $(IDTestSubscription)'
    azurePowerShellVersion: 'LatestVersion'

The script is:

param(
    [string]$ClientIDAppRegistration,
    [string]$IDTestSubscription,
    [string]$StorageAccountNameStaticWebApp,
    [string]$ResourceGroup
)

# Assign the role to the app registration at the storage-account scope
New-AzRoleAssignment -ApplicationId $ClientIDAppRegistration -RoleDefinitionName "Contributor" -Scope "/subscriptions/$($IDTestSubscription)/resourceGroups/$($ResourceGroup)/providers/Microsoft.Storage/storageAccounts/$($StorageAccountNameStaticWebApp)/"

I have another repository where this is working, with the same configuration. But in a different repository, with the same service connection and the same task, it gives me the error.

  • Does your service principal have Microsoft.Authorization/roleAssignments/write permissions assigned at the corresponding scope or higher? Commented Apr 8, 2024 at 17:32
  • @rufer7, no it doesn't. But it confuses me why the other repository works and this one does not. I have assigned the roles User Administrator and Application Developer. Commented Apr 8, 2024 at 17:41
  • Hmm, did the assignment in the other repo ever work, or was it maybe assigned manually? Is it the same storage account? Commented Apr 8, 2024 at 17:49
  • @rufer7, I thought about the same. I deleted the storage account and created a new one from the Azure DevOps pipeline; the task for setting the permissions works in the other repository. I need the permissions to upload files to the container from the pipeline. Commented Apr 8, 2024 at 17:57
  • @rufer7 I assigned the Storage Blob Data Contributor role to the service principal at the subscription scope. I am skipping the set permission task for now. Thank you for your time. Commented Apr 8, 2024 at 20:34

1 Answer

The AzurePowerShell@5 task uses the service principal from the service connection to assign the role on the storage account. The Forbidden error indicates the service principal's permissions are not enough.

As you have done, you can fix it by assigning the Storage Blob Data Contributor role to the service principal at the subscription scope.

For the DevOps task, I can reproduce the same error when the service principal is Contributor on the subscription and resource group.

To fix the error, you can add the service principal as User Access Administrator on the resource group.

The pipeline succeeds, and the Contributor permission is added.

As you are trying to add Storage Blob Data Contributor permissions to the storage account, please change the -RoleDefinitionName value to "Storage Blob Data Contributor" in your PowerShell script.

Run the task again and the Storage Blob Data Contributor permissions are added for the service principal on the storage account.
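As an added example (not the question's script or the answer's code), here is an idempotent version of SetStoragePermission.ps1 that targets the Storage Blob Data Contributor role at the storage-account scope and fails with a clear message when the pipeline identity lacks the Microsoft.Authorization/roleAssignments/write permission discussed in the comments. The $RoleName parameter and the existing-assignment check are assumptions, not part of the original script.

```powershell
# Added example, not the original script: assign a data-plane role idempotently.
param(
    [Parameter(Mandatory)][string]$ClientIDAppRegistration,
    [Parameter(Mandatory)][string]$IDTestSubscription,
    [Parameter(Mandatory)][string]$StorageAccountNameStaticWebApp,
    [Parameter(Mandatory)][string]$ResourceGroup,
    # Assumed parameter: defaults to the data-plane role the question actually needs.
    [string]$RoleName = 'Storage Blob Data Contributor'
)

$ErrorActionPreference = 'Stop'

# Build the resource scope (no trailing slash).
$scope = "/subscriptions/$IDTestSubscription/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccountNameStaticWebApp"

# Resolve the app registration to its service principal object id. Role assignments
# bind to the object id, and this also confirms the client id exists in the tenant.
$sp = Get-AzADServicePrincipal -ApplicationId $ClientIDAppRegistration
if (-not $sp) {
    throw "No service principal found for application id $ClientIDAppRegistration"
}

# Skip the assignment if it already exists (directly or inherited from a parent
# scope), so re-running the pipeline does not fail or create duplicates.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName `
                                 -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "$RoleName is already assigned to $($sp.DisplayName) at $scope"
    return
}

try {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned $RoleName to $($sp.DisplayName) at $scope"
}
catch {
    # A Forbidden / AuthorizationFailed error here means the service connection's
    # identity holds Contributor (or less) but not roleAssignments/write at this
    # scope. Grant it User Access Administrator on the resource group only, or
    # make the assignment outside the pipeline, rather than widening its rights.
    throw "Role assignment failed. Does the pipeline identity have " +
          "Microsoft.Authorization/roleAssignments/write at '$scope'? " +
          $_.Exception.Message
}
```

Keeping the assignment scoped to the single storage account, and the User Access Administrator grant (if used) scoped to the resource group, keeps the pipeline identity at the minimum it needs.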


1 Comment

@wade-zhou-msft Thank you for your time and answer. I deleted the PowerShell script; it is not needed anymore, because I prefer to have the role "Storage Blob Data Contributor" instead of User Access Administrator. I am not sure, but maybe it is good to mention that assigning the Storage Blob Data Contributor role does not require using PowerShell anymore. But it is up to you. Thank you very much for your time, I appreciate your help.
