How to grant RBAC permissions on resource group in a different subscription using ARM template

Posted on 21.12.2024 by abatishchev

Lately, I don’t get to work on something worth blogging about. Usually it’s either something boring (like compliance) or internal (and hence confidential). But today was a good exception: after my service’s infrastructure has migrated its Key Vaults from access policies to RBAC, I needed to update the ARM template accordingly.

Surprisingly, I was able to find a quickstart tutorial about how to grant the permissions on a resources group. In my case, the caveat is that the target resource group is located in a different subscription. So I had to combine two approaches, the another one being described in this article.

Here’s the resulting template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string"
    },
    "subscriptionId": {
      "type": "string"
    },
    "resourceGroup": {
      "type": "string"
    },
    "principalId": {
      "type": "string"
    }
  },
  "variables": {
    "contributorGuid": "b24988ac-6180-42a0-ab88-20f7382dd24c", // see https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#privileged
    "contributorResourceId": "[resourceId('Microsoft.Authorization/roleDefinitions/', variables('contributorGuid'))]",
  },
  "resources": [
    {
      "name": "[format('Permissions-ResourceGroup-{0}', parameters('principalId')]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2024-11-01",
      "subscriptionId": "[parameters('subscriptionId')]",
      "resourceGroup": "[parameters('resourceGroupName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "name": "[guid(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/resourceGroups', parameters('resourceGroupName')), parameters('principalId')], variables('contributorResourceId')]",
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "location": "[parameters('location')]",
              "properties": {
                "roleDefinitionId": "[variables('contributorResourceId')]",
                "principalId": "[parameters('principalId')]",
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ]
}

Happy deployment, folks!

Posted in Uncategorized | Tagged , , | Leave a comment

This operation failed because the QueryInterface call on the COM component for the interface with IID ‘{63EBCF4C-B326-4539-A3CB-B50746D6C323}’ failed

Posted on 31.10.2022 by abatishchev

If you’re running a code like this:

builder.Services.TryAddSingleton<FabricClient>();

In a Service Fabric application locally and getting an error:

System.InvalidCastException:
Unable to cast COM object of type ‘System.__ComObject’ to interface type ‘IInternalFabricClusterManagementClient2’.
This operation failed because the QueryInterface call on the COM component for the interface with IID ‘{63EBCF4C-B326-4539-A3CB-B50746D6C323}’ failed due to the following error: No such interface supported (0x80004002 (E_NOINTERFACE)).’

First what you need to do is to convert it to something like this:

builder.Services.TryAddSingleton<FabricClient>(_ => new FabricClient());

The exception’s call site would be located in the user’s code, not the framework’s so you could see the actual exception and its stack trace.

The exception likely occurs because the NuGet package referenced from the Service Fabric service project, e.g.:

<PackageReference Include="Microsoft.ServiceFabric" Version="9.1.1390" />

Has diverged from the Service Fabric SDK installed locally, e.g:

You need to install the matching SDK version from here.

Posted in Programming | Tagged | 1 Comment

Carnation Anapa Winery, vol 4, day 23: racking (cont’d)

Posted on 30.10.2022 by abatishchev

I racked the bucket with Petit Verdot and got about 3 gallons. Now it seats half-empty and I need to decide what to do with it: pour into three 1-gallon carboys or top off with similar retail wine or something else.

I also racked the carboy with Malbec and added 5 French oak spheres. But first I soaked them in a bowl of boiled water to kill any germs.

Posted in Winemaking | Leave a comment

Carnation Anapa Winery, vol 4, day 22: racking

Posted on 29.10.2022 by abatishchev

Since specific gravity fell below 1.000, I decided to rack the first bucket of Malbec. And then racked the second to finish it all off. I got 5 + 1 gallons in two glass carboys.

Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 3, day 19: specific gravity (cont’d)

Posted on 26.10.2022 by abatishchev

Few days have passed and I’m remeasuring specific gravity:

  • Malbec 1: 0.996
  • Malbec 2: 1.006
  • Petit Verdot: 1.000
Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 3, day 16: specific gravity

Posted on 23.10.2022 by abatishchev

The crust that forms on top of the must got less thick and intense past few days so I decided to measure specific gravity.

  • Malbec #1: 0.996
  • Malbec #2: 1.022
  • Petit Verdot: 1.020
Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 4, day 5: yeast

Posted on 12.10.2022 by abatishchev

I’m adding yeast to the first bucket of Malbec. This time it’s again RC-212. And then I’ll use EC-1118 for Petit Verdot.

Update: I had to add another bag of EC-1118 as after the first time there was no reaction for 2 days. Nah, I won’t use it again next time.

Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 4, day 4: Potassium Metabisulfite

Posted on 11.10.2022 by abatishchev

Based on my experience two years ago, adding Potassium Metabisulfite was worth it. So I’m adding adding 3 x ⅛ what’s equal to 1.5 x ¼ tsp per 5-gallon bucket. Then I’ll keep a half-open lid and wait ~24h before adding yeast.

Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 4, day 3: weighing

Posted on 10.10.2022 by abatishchev

Some precalculations:

  • My weight: 76.30 kg
  • Combined: 77.45 kg
  • Empty bucket: 1.15 kg

Bucket #1 (PV):

  • Combined: 88.95 kg
  • Grapes: 11.5 kg

Bucket #2 (PV):

  • Combined: 88.45 kg
  • Grapes: 11.0 kg

Bucket #3 (M):

  • Combined: 87.55 kg
  • Grapes: 10.1 kg

Container (M) which is about of 3 buckets:

  • Combined: 108.25 kg
  • Grapes: 30.8 kg

Total:

  • Petit Verdot: 22.5 kg (49.6 lbs)
  • Malbec: 40.9 (90.2 lbs)
  • Combined: 63.4 kg (139.8 lbs)
Posted in Winemaking | Tagged | Leave a comment

Carnation Anapa Winery, vol 4, day 1: The corner row

Posted on 9.10.2022 by abatishchev

It’s that time of year when I drive to my friends at Carthage Vineyard in Zillah, WA and pick some leftovers after the harvest, from now-famous corner row. Why famous? Because last time I’ve picked from the same row and it worked out very well, the wine was great according to few local wine makers and grape growers who blindly tasted it. It’s a very valuable and high mark to me!

This year the harvest is late, it’s October 6th and two years ago I went there on September 18th. It’s an abnormal year: first, the spring was very cold and wet, broke multiple anti-records. And now the fall is very dry, the region is devasted by wildfires. It’s smoky on the both sides of the mountains.

What I’ve picked this time: 2 buckets of Petit Verdot and 4 buckets of Malbec. The links are mostly for myself to learn more about these two varieties.

Posted in Winemaking | Tagged | Leave a comment