I receive the error "Updating SQL Role Assignment Principal ID is not permitted. You may only update the associated Role Definition." when I'm trying to create a new role assignment with an existing role.
But I'm not updating a role assignment, I'm creating a new one.
How do I make it work?
First, the already existing and deployed role assignment:
// Cosmos DB SQL (NoSQL) data-plane role assignment for the web app's managed identity
resource webAppContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {
  parent: cosmosAccount
  name: guid('webAppContributorRole')
  properties: {
    roleDefinitionId: cosmosContributorRole.id   // Bicep resource property is lowercase 'id'
    principalId: app.identity.principalId
    scope: cosmosAccount.id
  }
}
The second role assignment I'm trying to create:
// Same custom role, assigned to the function app's managed identity
resource functionAppContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {
  parent: cosmosAccount
  name: guid('functionAppContributorRole')
  properties: {
    roleDefinitionId: cosmosContributorRole.id   // Bicep resource property is lowercase 'id'
    principalId: functionApp.identity.principalId
    scope: cosmosAccount.id
  }
}
Role definition:
// Custom data-plane role: read metadata, query, read the change feed and manage items
resource cosmosContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-11-15' = {
  parent: cosmosAccount
  name: guid('cosmosContributorRole')
  properties: {
    roleName: 'Cosmos DB web app contributor custom role'
    type: 'CustomRole'
    assignableScopes: [
      cosmosAccount.id
    ]
    permissions: [
      {
        dataActions: [
          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
        ]
        notDataActions: []
      }
    ]
  }
}