Step 3) Assign Roles

Azure Resource Manager templates do not support role assignments at a scope other than the resource group, so the following role assignments must be performed through the Azure portal UI or the Azure CLI.

Make sure that you have your note from the previous step, where you copied values for the Subscription ID, resource group name, storage account, and environment name.
  1. From the Overview page of your resource group, find the Object ID of each of the four "Managed Identity" resources in the resource group. Click each of the four managed identity resources to open its details, copy its Object ID, and paste it into your note alongside the values you collected previously.

  2. Once you have values for the subscription ID, resource group name, storage account, environment name, and all four managed identity Object IDs, click here to download the script azure_msi_role_assign.sh.
  3. Create a new file in Cloud Shell with the same name, and copy the content of the script there.
  4. Replace the values in the script with the values you have collected thus far. Note that in the script, "envName" should be replaced with the environment name you provided.


    For example, your script should look something like this (the values shown are illustrative; every Object ID in Azure is a GUID, so paste the exact value you copied from the portal):

    #!/bin/sh
    # Stop at the first failed assignment rather than continuing with a partial setup
    set -e
    
    export SUBSCRIPTIONID=jfs85ls8-sik8-8329-fq0m-jqo7v06dk5sy
    export RESOURCEGROUPNAME=azure-quickstart-test1
    export STORAGEACCOUNTNAME=cdpazureqs
    export ASSUMER_OBJECTID=cdpazureqs-Assumer-jd85mvh9-u86n-8j2d-54dg-jd72j5ki1sd2
    export DATAACCESS_OBJECTID=cdpazureqs-DataAccess-peyc86sk346c-yj12-ys89-ye5m-zt6wlv95fi23
    export LOGGER_OBJECTID=cdpazureqs-Logger-f63ucn04-hf52-rq87-b6gd-v86fds9ptk3g
    export RANGER_OBJECTID=cdpazureqs-Ranger-gc86d0uq-l6o4-vx67-qh87-1jf74l0cbeq7
    
    # Scope of the two storage containers (ADLS Gen2 filesystems) created by the template
    STORAGE_SCOPE="/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME/providers/Microsoft.Storage/storageAccounts/$STORAGEACCOUNTNAME/blobServices/default/containers"
    
    # Assign Managed Identity Operator role to the assumerIdentity principal at subscription scope
    az role assignment create --assignee "$ASSUMER_OBJECTID" --role 'f1a07417-d97a-45cb-824c-7a7467783830' --scope "/subscriptions/$SUBSCRIPTIONID"
    # Assign Virtual Machine Contributor role to the assumerIdentity principal at subscription scope
    az role assignment create --assignee "$ASSUMER_OBJECTID" --role '9980e02c-c2be-4d73-94e8-173b1dc7cf3c' --scope "/subscriptions/$SUBSCRIPTIONID"
    
    # Assign Storage Blob Data Contributor role to the loggerIdentity principal at logs filesystem scope
    az role assignment create --assignee "$LOGGER_OBJECTID" --role 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' --scope "$STORAGE_SCOPE/logs"
    # Assign Storage Blob Data Owner role to the dataAccessIdentity principal at the data and logs filesystem scopes
    az role assignment create --assignee "$DATAACCESS_OBJECTID" --role 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' --scope "$STORAGE_SCOPE/data"
    az role assignment create --assignee "$DATAACCESS_OBJECTID" --role 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' --scope "$STORAGE_SCOPE/logs"
    # Assign Storage Blob Data Contributor role to the rangerIdentity principal at data filesystem scope
    az role assignment create --assignee "$RANGER_OBJECTID" --role 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' --scope "$STORAGE_SCOPE/data"
  5. Run the Cloud Shell script: sh azure_msi_role_assign.sh
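After the script has run, it is worth confirming that each managed identity holds exactly the six role assignments the procedure describes and nothing broader: a typo in a scope or a leftover assignment from an earlier attempt is easy to miss in the portal. The following is an added example, not part of the original quickstart and not Cloudera's own tooling. It takes the JSON printed by `az role assignment list --all -o json` (a real Azure CLI command; the `principalId`, `roleDefinitionId` and `scope` fields are what it emits), builds the expected set of (principal, role, scope) triples from the same role definition IDs the script uses, and reports what is missing or extra. The subscription ID, object IDs and the `sample_az_output` generator are constructed placeholders so the check runs offline; in practice you would feed it the real CLI output.

```python
"""Least-privilege audit for the four CDP managed identities (added example)."""
import json

# Built-in role definition IDs used by the assignment script on this page.
MANAGED_IDENTITY_OPERATOR = "f1a07417-d97a-45cb-824c-7a7467783830"
VIRTUAL_MACHINE_CONTRIBUTOR = "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
STORAGE_BLOB_DATA_OWNER = "b7e6dc6d-f1e8-4753-8033-0f276bb0955b"
# Built-in Owner role; appears only in the constructed "over-privileged" sample below.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Constructed placeholder inputs (replace with the values from your note).
SUB = "00000000-0000-0000-0000-000000000001"
RG = "azure-quickstart-test1"
ACCOUNT = "cdpazureqs"
IDS = {
    "assumer": "11111111-1111-1111-1111-111111111111",
    "dataaccess": "22222222-2222-2222-2222-222222222222",
    "logger": "33333333-3333-3333-3333-333333333333",
    "ranger": "44444444-4444-4444-4444-444444444444",
}


def _key(principal, role_guid, scope):
    # ARM scopes and role GUIDs are case-insensitive; normalise before comparing.
    return (principal.lower(), role_guid.lower(), scope.lower())


def container_scope(sub, rg, account, container):
    return (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage"
            f"/storageAccounts/{account}/blobServices/default/containers/{container}")


def expected_assignments(sub, rg, account, ids):
    """The six (principal, role, scope) triples the page's script creates."""
    sub_scope = f"/subscriptions/{sub}"
    data = container_scope(sub, rg, account, "data")
    logs = container_scope(sub, rg, account, "logs")
    return {
        _key(ids["assumer"], MANAGED_IDENTITY_OPERATOR, sub_scope),
        _key(ids["assumer"], VIRTUAL_MACHINE_CONTRIBUTOR, sub_scope),
        _key(ids["logger"], STORAGE_BLOB_DATA_CONTRIBUTOR, logs),
        _key(ids["dataaccess"], STORAGE_BLOB_DATA_OWNER, data),
        _key(ids["dataaccess"], STORAGE_BLOB_DATA_OWNER, logs),
        _key(ids["ranger"], STORAGE_BLOB_DATA_CONTRIBUTOR, data),
    }


def actual_assignments(az_json, principal_ids):
    """Parse `az role assignment list --all -o json` output, keeping only our principals."""
    wanted = {p.lower() for p in principal_ids}
    found = set()
    for a in json.loads(az_json):
        if a["principalId"].lower() not in wanted:
            continue
        # roleDefinitionId is a full ARM resource id; the role GUID is its last segment.
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1]
        found.add(_key(a["principalId"], role_guid, a["scope"]))
    return found


def audit(az_json, sub, rg, account, ids):
    """Return what is missing (setup incomplete) and what is extra (over-privileged)."""
    want = expected_assignments(sub, rg, account, ids)
    have = actual_assignments(az_json, ids.values())
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


def sample_az_output(drop_logger=False, ranger_owner=False):
    """Constructed stand-in for the CLI output, with optional injected defects."""
    triples = set(expected_assignments(SUB, RG, ACCOUNT, IDS))
    if drop_logger:  # simulate the logger assignment having failed
        triples = {t for t in triples if t[0] != IDS["logger"]}
    if ranger_owner:  # simulate an accidental Owner grant at subscription scope
        triples.add(_key(IDS["ranger"], OWNER, f"/subscriptions/{SUB}"))
    # An unrelated principal (e.g. the deploying user) that the audit must ignore.
    triples.add(_key("99999999-9999-9999-9999-999999999999", OWNER, f"/subscriptions/{SUB}"))
    rows = [{"principalId": p, "principalType": "ServicePrincipal",
             "roleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{r}",
             "scope": s} for p, r, s in sorted(triples)]
    return json.dumps(rows)


if __name__ == "__main__":
    report = audit(sample_az_output(drop_logger=True, ranger_owner=True), SUB, RG, ACCOUNT, IDS)
    for kind in ("missing", "extra"):
        for principal, role, scope in report[kind]:
            print(f"{kind.upper()}: principal {principal} role {role} at {scope}")
```

To run it against a real subscription, save the CLI output with `az role assignment list --all -o json > assignments.json` and pass the file's contents to `audit` with your real subscription ID, resource group, storage account and the four Object IDs; an empty `missing` and `extra` means the identities have exactly the access this step intends.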