Role Assignment "New-AzRoleAssignment" for Azure Blob Storage is failing using powershell script

Question

Role Assignment "New-AzRoleAssignment" for Azure Blob Storage is failing using powershell script

sachin gupta 376

Below is my scenario for which I have created a power shell task in Azure DevOps pipeline

Scenario= I am trying to query the files from ADLS blob storage in azure synapse workspace. To do this I need to grant "Storage Blob Data Reader" Role to my ADLS blob storage to run/query the data(csv/parquet) files in synapse Workspace. I have run the below script in power shell task in azure Devops pipeline and getting below error.

Script:

New-AzRoleAssignment -ObjectID "xxxxxxxxxxxxxxxx" -RoleDefinitionName "Storage Blob DataReader"
-Scope "/subscriptions/AAAAA/resourceGroups/BBBBBB/providers/Microsoft.Storage/storageAccounts/XXXXXXXX"

I have passed Object ID (tried both App ID, Object ID of the service principal ),Subscription id, resource group name and storage account.

Error:

operation returned an invalid status code 'Forbidden' . Power shell exited with code '1'

PFA screenshot.

I am not really sure what I am missing here. Please share your valuable suggestions.

Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-11-11T19:33:09.313+00:00
Hello @sachin gupta ,

Welcome to the MS Q&A platform.

It seems like the issue appears to be with the scope parameter. The scope parameter must contain the resourceID where the assignment is applied.
Can you please change the scope parameter below and try again?

-Scope /subscriptions/XXXXXXXXXXXXXXXXX

New-AzRoleAssignment -ObjectID "xxxxxxxxxxxxxxxx" -RoleDefinitionName "Storage Blob DataReader" - Scope"/subscriptions/XXXXXXXX"
sachin gupta 376 Reputation points

2022-11-14T13:09:43.923+00:00

@Bhargava-MSFT Thank you for the response.

I did not understand what resourceId you are talking about. I need to apply this assignment to the blob storage and there is no such resourceId of the blob storage, that is why I have given subscriptionId, type of the resource and the storage account name. Am I missing something?

Thanks,
Sachin
sachin gupta 376 Reputation points

2022-11-14T13:10:57.503+00:00

This is what I followed https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell#assign-a-role-for-all-blob-containers-in-a-storage-account-resource-scope
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-11-14T20:09:17.547+00:00

Hello @sachin gupta ,
I know it is best practice to grant access with the least privilege that is needed. but, since you are using the PowerShell task in the Azure DevOps pipeline, I believe your service principal needs access at the subscription level too.
Please try changing the scope to the subscription level and see if it fixes the issue.
sachin gupta 376 Reputation points

2022-11-15T23:37:51.367+00:00

Hi @Bhargava-MSFT

I have tried the same suggestion you mentioned above. first tried to give the reader role to subscription, bjt i am getting same error. PFB, details.
script:
New-AzRoleAssignment -ObjectID "xxxxxxxxxx" `
-RoleDefinitionName "Storage Blob DataReader"
-Scope "/subscriptions/AAAAA"

Error : operation returned an invalid status code 'Forbidden' . Power shell exited with code '1'

Please guide me if I am missing anything.
Matt Reid 25 Reputation points

2023-10-23T11:09:16.1433333+00:00

I received the same "Bad Request" error as well and mine was because I was using the wrong Object ID number. Hope this helps.

2 answers

Your answer

Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-11-11T19:33:09.313+00:00

Hello @sachin gupta ,

Welcome to the MS Q&A platform.

It seems like the issue appears to be with the scope parameter. The scope parameter must contain the resourceID where the assignment is applied.
Can you please change the scope parameter below and try again?

-Scope /subscriptions/XXXXXXXXXXXXXXXXX

New-AzRoleAssignment -ObjectID "xxxxxxxxxxxxxxxx" -RoleDefinitionName "Storage Blob DataReader" - Scope"/subscriptions/XXXXXXXX"
sachin gupta 376 Reputation points

2022-11-14T13:09:43.923+00:00

@Bhargava-MSFT Thank you for the response.

I did not understand what resourceId you are talking about. I need to apply this assignment to the blob storage and there is no such resourceId of the blob storage, that is why I have given subscriptionId, type of the resource and the storage account name. Am I missing something?

Thanks,
Sachin
sachin gupta 376 Reputation points

2022-11-14T13:10:57.503+00:00

This is what I followed https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell#assign-a-role-for-all-blob-containers-in-a-storage-account-resource-scope
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-11-14T20:09:17.547+00:00

Hello @sachin gupta ,
I know it is best practice to grant access with the least privilege that is needed. but, since you are using the PowerShell task in the Azure DevOps pipeline, I believe your service principal needs access at the subscription level too.
Please try changing the scope to the subscription level and see if it fixes the issue.
sachin gupta 376 Reputation points

2022-11-15T23:37:51.367+00:00

Hi @Bhargava-MSFT

I have tried the same suggestion you mentioned above. first tried to give the reader role to subscription, bjt i am getting same error. PFB, details.
script:
New-AzRoleAssignment -ObjectID "xxxxxxxxxx" `
-RoleDefinitionName "Storage Blob DataReader"
-Scope "/subscriptions/AAAAA"

Error : operation returned an invalid status code 'Forbidden' . Power shell exited with code '1'

Please guide me if I am missing anything.
Matt Reid 25 Reputation points

2023-10-23T11:09:16.1433333+00:00

I received the same "Bad Request" error as well and mine was because I was using the wrong Object ID number. Hope this helps.

Answer 1

Bhargava-MSFT 31,261 Microsoft Employee Moderator

Hello @sachin gupta ,
Looks like the issue is with the syntax. Can you please update the -Roledefinitionname to below? (with space between Data and Reader)

-RoleDefinitionName "Storage Blob Data Reader"

Please see the below screenshot. I was able to create a new role assignment with the below syntax:

New-AzRoleAssignment -ObjectId 'XXX-XX-XX-XXX-XXXX' -RoleDefinitionName  'Storage Blob Data Reader' -Scope /subscriptions/XX-XX-XXX-XXX-XXX/

sachin gupta 376 Reputation points

2022-11-17T16:05:50.523+00:00

@Bhargava-MSFT .. thank you for the response. I tried it again after correcting the role definition but got the same error. PFA, screenshots
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-11-17T17:59:09.437+00:00

Hello @sachin gupta ,

Thanks for the reply. Could you please check whether you are passing the correct objectID in the command?

As per this forum, the issue was due to the incorrect object(resolved by fixing the object ID).

When I use the incorrect object ID from the portal, I see the error message: New-AzRoleAssignment: Operation returned an invalid status code 'BadRequest'

In case if this still didn't resolve the issue, I would suggest filing a support request and a support engineer can take a deeper look to troubleshoot the issue further. If you don't have a support plan, I can enable one-time free support for you to work on this.
I am looking forward to hearing from you.

Answer 2

Killerbe 50

i bumped into the same issue and resolved it by placing the command in a variable and running the variable:

                Write-Host "Assigning the role $($RoleId.Name) to $($GroupName)" -ForegroundColor Green
                $AzRoleassignmant = New-AZRoleAssignment -ObjectID $($CreatedGroup.id) -RoleDefinitionid $($RoleID.id) -Scope $($ResGroup.ResourceID)
                $AzRoleassignmant

Share via

Role Assignment "New-AzRoleAssignment" for Azure Blob Storage is failing using powershell script

2 answers

Your answer