How to create second role assignment for an existing role

Konstantin Kulikov 5 Reputation points
2024-03-21T18:54:43.2733333+00:00

I receive an error Updating SQL Role Assignment Principal ID is not permitted. You may only update the associated Role Definition. when I'm trying to create new role assignment with existing role.

But I'm not updating role assignment, I'm creating a new one.

How to make it work?

First, already existing and deployed role assignment:

resource webAppContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {
  parent: cosmosAccount
  name: guid('webAppContributorRole')
  properties: {
    roleDefinitionId: cosmosContributorRole.Id
    principalId: app.identity.principalId
    scope: cosmosAccount.id
  }
}

Second role assignment I'm trying to create:

resource functionAppContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {
  parent: cosmosAccount
  name: guid('functionAppContributorRole')
  properties: {
    roleDefinitionId: cosmosContributorRole.Id
    principalId: functionApp.identity.principalId
    scope: cosmosAccount.id
  }
}

Role definition:

resource cosmosContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-11-15' = {
  parent: cosmosAccount
  name: guid('cosmosContributorRole')
  properties: {
    roleName: 'Cosmos DB web app contributor custom role'
    type: 'CustomRole'
    assignableScopes: [
      cosmosAccount.id
    ]
    permissions: [
      {
        dataActions: [
          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
        ]
        notDataActions: []
      }
    ]
  }
}
Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,433 questions
{count} votes

1 answer

Sort by: Most helpful
  1. GeethaThatipatri-MSFT 27,002 Reputation points Microsoft Employee
    2024-03-21T20:58:15.2666667+00:00

    Hi, @Konstantin Kulikov Welcome to Microsoft Q&A thanks for posting your question.

    I understand that you are trying to create a new role assignment with an existing role in Microsoft Azure Cloud, but you have received an error message that says "Updating SQL Role Assignment Principal ID is not permitted.

    Looking into the bicep you have share the principalid is different.If you are adding additional role assignments, you need to change only the role definitionid and leave the principal id the same,

    Let me know if this fixes your issue.
    Regards

    Geetha