How to grant RBAC permissions on resource group in a different subscription using ARM template

Lately, I don’t often get to work on something worth blogging about. Usually it’s either something boring (like compliance) or internal (and hence confidential). But today was a good exception: after my service’s infrastructure migrated its Key Vaults from access policies to RBAC, I needed to update the ARM template accordingly.

Surprisingly, I was able to find a quickstart tutorial about how to grant the permissions on a resource group. In my case, the caveat is that the target resource group is located in a different subscription. So I had to combine two approaches, the other one being described in this article.

Here’s the resulting template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string"
    },
    "subscriptionId": {
      "type": "string" // subscription that holds the target resource group
    },
    "resourceGroupName": {
      "type": "string" // target resource group inside that subscription
    },
    "principalId": {
      "type": "string" // object ID of the service principal being granted the role
    }
  },
  "variables": {
    "contributorGuid": "b24988ac-6180-42a0-ab88-20f7382dd24c", // see https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#privileged
    // built-in role, so the subscription in this path does not matter for the target subscription
    "contributorResourceId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('contributorGuid'))]"
  },
  "resources": [
    {
      // nested deployment scoped to the other subscription and its resource group
      "name": "[format('Permissions-ResourceGroup-{0}', parameters('principalId'))]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2024-11-01",
      "subscriptionId": "[parameters('subscriptionId')]",
      "resourceGroup": "[parameters('resourceGroupName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              // deterministic name: same scope, principal and role always yield the same GUID, so redeploying is idempotent
              "name": "[guid(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/resourceGroups', parameters('resourceGroupName')), parameters('principalId'), variables('contributorResourceId'))]",
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "location": "[parameters('location')]",
              "properties": {
                "roleDefinitionId": "[variables('contributorResourceId')]",
                "principalId": "[parameters('principalId')]",
                "principalType": "ServicePrincipal" // avoids replication-delay failures for freshly created principals
              }
            }
          ]
        }
      }
    }
  ]
}
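A small pre-deployment check I would run over a template like this, as an added example that is not part of the original post: it walks the template, verifies that every parameters()/variables() reference is actually declared and that every "[...]" expression has balanced brackets, which catches the kind of slips that are easy to make when hand-editing nested templates (a parameter declared under one name and referenced under another, a stray ']' inside guid()). It assumes the default outer expressionEvaluationOptions scope, so expressions inside the nested template resolve against the outer template's declarations; the sample template is constructed for the demonstration.

```python
import re

# Matches parameters('name') and variables('name') references inside an expression.
REF_RE = re.compile(r"(parameters|variables)\('([^']*)'\)")

def _expressions(node, out):
    """Collect every string value that is an ARM expression, i.e. "[...]"."""
    if isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            _expressions(value, out)
    elif isinstance(node, str) and node.startswith("[") and node.endswith("]"):
        out.append(node)
    return out

def _balanced(expr):
    """True when every ( and [ outside a quoted string is closed in the right order."""
    stack, in_str = [], False
    for ch in expr:
        if ch == "'":
            in_str = not in_str
        elif in_str:
            continue
        elif ch in "([":
            stack.append(ch)
        elif ch in ")]" and (not stack or stack.pop() != {")": "(", "]": "["}[ch]):
            return False
    return not stack and not in_str

def check_template(template):
    """Return problem descriptions for undeclared references and unbalanced expressions.
    Assumes the default outer scope: nested-template expressions use the outer declarations."""
    declared = {k: set(template.get(k, {})) for k in ("parameters", "variables")}
    problems = []
    for expr in _expressions(template, []):
        if not _balanced(expr):
            problems.append(f"unbalanced expression: {expr}")
        for kind, name in REF_RE.findall(expr):
            if name not in declared[kind]:
                problems.append(f"undeclared {kind[:-1]} '{name}' in {expr}")
    return problems

# Constructed excerpt (not the post's template) with two deliberate slips: the parameter is
# declared as 'resourceGroup' but referenced as 'resourceGroupName', and guid() closes early.
SAMPLE = {
    "parameters": {"subscriptionId": {}, "resourceGroup": {}, "principalId": {}},
    "variables": {"contributorGuid": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
    "resources": [{
        "subscriptionId": "[parameters('subscriptionId')]",
        "resourceGroup": "[parameters('resourceGroupName')]",
        "properties": {"template": {"resources": [{
            "name": "[guid(parameters('principalId')], variables('contributorGuid')]"}]}},
    }],
}
```

Real templates can contain `//` comments, which a strict JSON parser rejects, so strip them before loading the file into the checker.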

Happy deployment, folks!
