I am owner at subscription level, but unable to assign the roles in Storage Blob Container.

Trina Singha Roy 0 Reputation points Microsoft Employee
2024-08-02T20:35:49.6366667+00:00

Getting this error while assigning roles:
Failed to add Trina Singha Roy as Storage Blob Data Owner for auditservicea6dd: The client 'trsingha@microsoft.com' with object id '83944f6a-7418-4fcf-a1a5-3d8d86e52991' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/6065d141-be04-4257-9004-a67003031898/resourceGroups/Audit-Service/providers/Microsoft.Storage/storageAccounts/auditservicea6dd/providers/Microsoft.Authorization/roleAssignments/eba8b2e2-b00b-4f21-baf2-c33e939fe567' or the scope is invalid. If access was recently granted, please refresh your credentials.


2 answers

  1. Vinodh247 21,881 Reputation points
    2024-08-05T01:25:25.46+00:00

    Hi Trina Singha Roy,

    Thanks for reaching out to Microsoft Q&A.

    The error message regarding the failure to add you as a Storage Blob Data Owner indicates that there is an issue related to authorization. Specifically, the client has an Attribute-Based Access Control (ABAC) condition that is not met for the action Microsoft.Authorization/roleAssignments/write at the specified scope. ABAC is an authorization mechanism that extends Role-Based Access Control (RBAC) by adding conditions based on attributes of the resource, user, or environment. This could be due to several reasons:

    1. ABAC Conditions Not Met: The ABAC conditions set for the client may not align with the requirements for the role assignment. Review the conditions defined in the policy to ensure they are fulfilled.
    2. Invalid Scope: The scope specified for the role assignment might be incorrect or invalid. Ensure that the resource ID and hierarchy are correctly specified.
    3. Recent Access Changes: If access permissions were recently modified, it may take some time for those changes to propagate. Refreshing credentials may help in this case.

    To resolve this issue, consider the following steps:

    • Verify the ABAC conditions for your identity and ensure they are aligned with the role assignment requirements.
    • Double-check the scope of the role assignment to confirm it is valid.
    • If changes were made recently, refresh the credentials and attempt the role assignment again.
      • az account clear
      • az login

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.

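    The first step in the answer above, reviewing the ABAC condition attached to your own role assignment, can be checked offline once you have the JSON that `az role assignment list --assignee <objectId> --scope <scope> --include-inherited -o json` prints. The script below is an added example, not code from the answer or from Azure; the assignment records and every GUID in them are constructed placeholders, and the condition string follows the layout of the Azure "delegate role assignment" condition template.

```python
import json
import re

# Constructed sample, shaped like the JSON printed by
#   az role assignment list --assignee <objectId> --scope <scope> --include-inherited -o json
# All GUIDs below are placeholders, not real Azure IDs.
SAMPLE_CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals {11111111-1111-1111-1111-111111111111, "
    "22222222-2222-2222-2222-222222222222}))"
)
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Role Based Access Control Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "conditionVersion": "2.0", "condition": SAMPLE_CONDITION},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "conditionVersion": None, "condition": None},
])

# Built-in roles whose definition includes Microsoft.Authorization/roleAssignments/write.
WRITE_GRANTING_ROLES = {"Owner", "User Access Administrator",
                        "Role Based Access Control Administrator"}
GUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"


def allowed_role_ids(condition):
    """GUIDs of the roles a delegation condition lets the caller assign.
    Returns None when there is no condition (assignment is unrestricted)."""
    if not condition:
        return None
    ids = set()
    # The delegation template lists the permitted roles after 'GuidEquals {...}'.
    for group in re.findall(r"GuidEquals\s*\{([^}]*)\}", condition):
        ids.update(g.lower() for g in re.findall(GUID_RE, group))
    return ids


def can_assign(assignments_json, target_role_id):
    """True if some assignment grants roleAssignments/write for target_role_id:
    either an unconditional write-granting role, or a condition listing it."""
    target = target_role_id.lower()
    for a in json.loads(assignments_json):
        if a.get("roleDefinitionName") not in WRITE_GRANTING_ROLES:
            continue
        allowed = allowed_role_ids(a.get("condition"))
        if allowed is None or target in allowed:
            return True
    return False
```

    If `can_assign` returns False for the role definition ID you are trying to grant, the condition on your assignment is the cause, and the fix is to have whoever delegated the permission widen the condition rather than to retry the assignment.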

  2. Nehruji R 7,811 Reputation points Microsoft Vendor
    2024-08-05T10:52:33.1733333+00:00

    Hello Trina Singha Roy,

    Greetings! Welcome to Microsoft Q&A Platform. From the error message it is understood that you are currently signed in with a user that does not have permission to assign roles at the selected scope. To create role assignments, you need to assign either User Access Administrator or Owner role to your service principal that includes this permission: "Microsoft.Authorization/roleAssignments/write". Assign Owner role to the service principal under subscription.
    If you are assigning your service principal Owner role under subscription to resolve the issue, it's better to create custom RBAC role with "Microsoft.Authorization/roleAssignments/write" permission and assign this role to the application.
    Role Based Access Control Administrator manages access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. Check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission, such as Role Based Access Control Administrator, at the scope you are trying to assign the role. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#role-based-access-control-administrator
    There may be restrictions on the role assignments; view the role assigned to you: https://learn.microsoft.com/en-us/azure/role-based-access-control/check-access
    A similar issue is discussed in the Answer section of the following SO thread: https://stackoverflow.com/questions/75185362/authorizationfailed-creating-role-assignments-in-azure
    Similar post: https://learn.microsoft.com/en-us/answers/questions/287573/authorization-failed-when-when-writing-a-roleassig
    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
