This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 76%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
We are trying to assign a user-assigned managed identity to a storage account using Microsoft.Authorization/roleAssignments@2018-01-01-preview resource but it is failing and giving an error if the role already exists. we need to ignore the error to proceed ahead with bicep deployment. Is there any way to check if that role already exists on the resource and skip the assignment?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 88%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
We also got the same problem - seems like such a beginner issue, I can't believe MS didn't think of providing a solution for it. When auto-deployments fail at the second run because a role already exists and I cannot skip the step, then they are not much of an auto-deployment...
@Kuldeep Bhatt
Thank you for your post and I apologize for the delayed response!
For the RBAC side of things, if you're receiving an error similar to the below when deploying your resources with Bicep, you can check if the role already exists on the resource by navigating to Access Control (IAM).
Failed to add Role assignment:
Failed to add <<user-assigned managed identity name>> as <<RBAC role>> for <<Resource>>: The role assignment already exists
Check Role Assignment: Depending on the scope (Resource Group, Resource, etc.) that you're trying to assign the RBAC role at.
Access control (IAM). Role Assignments 
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi @JamesTran-MSFT
Thanks for sharing the answer, Actually I am using bicep for the deployment of resources and I have written bicep code for it. Actually, the thing is when I run the script for the first time it is getting succeeded and after that, I am changing some properties and run the bicep script another time giving the error, Ideally, it should check if role-assignment is already there it should ignore it. Due to this the bicep deployment is getting failed.
@Kuldeep Bhatt
Thank you for following up on this!
I'm not too familiar with Bicep however, we do have a dedicated Azure-Bicep forum on Stack Overflow if you need assistance troubleshooting/ modifying your Bicep File.
For the RBAC side of things, here are some questions to consider to hopefully help avoid your bicep deployment failures due to RBAC.
Are you deploying multiple resources into one resource group?
Does the user(s) need access/control over all the resources being deployed?
Is the RBAC role being assigned at the resource group level?
Additional Links:
Best practices for Azure RBAC
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@Kuldeep Bhatt
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 49%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETN%3C/text%3E%3C/svg%3E)
@JamesTran-MSFT
This Azure-Bicep forum on Stack Overflow link doesn't give exact answer, but it show lots of option.
Me too facing the same problem and I deep dive into microsoft docx and found nothing.
Can you please help us!
No luck.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 84%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
Answer does not address the issue. My bicep code can't go and look at the portal gui interface. I need code to add to my bicep to skip role creation if the role already exists. Need a code solution, not a go use the gui solution. Please provide complete start to finish solutions in bicep. Lack of useful complete bicep examples is frustrating. I don't believe that Microsoft understands how their customers are attempting to use their system and their efforts, documentation, proposed soutions do not match what we need.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 21%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETC%3C/text%3E%3C/svg%3E)
Gotta agree. Bicep is supposed to deal with this stuff - if a resource already exists, bicep of course doesn't give an error. It's meant to be rerun each time we want to deploy our apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 42%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQR%3C/text%3E%3C/svg%3E)
Any updates here? I just ran into the same exact problem. I'm using version Microsoft.Authorization/roleAssignments@2022-04-01 of the resource.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 33%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
I have the same problem, second deployment fails - I'm using a Group rather that a managed identity.
The role assignment name is constant between deployments so it should check if it already exists?
The group I am adding is a contributor on the Resource Group.
I can successfully give managed identities and users the same role on the same storage account via the same method in bicep!
var groupBlobDataReaderUniqueGuid = '0683f386-f9cc-4d28-b7be-71e9a1156009'
var azureRBACStorageBlobDataContributorRoleID = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
resource r_storageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: guid(groupBlobDataReaderUniqueGuid, subscription().subscriptionId, resourceGroup().id)
scope: r_storage
properties:{
roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', azureRBACStorageBlobDataContributorRoleID)
principalId: groupADObjectId
principalType:'Group'
}
}
This is the error message
{
"error": {
"code": "RoleAssignmentExists",
"message": "The role assignment already exists."
}
} (Code:Conflict)
Frustrating!
After a bit more troubleshooting I realised a teammate had manually created the role assignment. The weird thing here is that the first bicep deploy still succeeds and you end up with 2 role assignments the same. Its only on the second bicep deploy it errors with the conflict!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 80%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMF%3C/text%3E%3C/svg%3E)
I found the answer here: https://learn.microsoft.com/en-us/answers/questions/1007498/microsoft-authorization-roleassignments-devops-ci
In the end I am testing now with unique resource name for each rerun with guid(utcNow())
How then are you cleaning up all of the resources from previous runs?
Hi Michael you don't need to cleanup resources from previous runs, only think required is that role assignment name needs to be unique on each run :( This issue is there only for role assignments. But it's long time when i was implementing this.
var var_RoleAssigmentName = utcValue
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(var_RoleAssigmentName)