Azure DevOps - Managed Identity Linked Subscription not able to do role assignments
Hi.
We have created a User Assigned Managed Identity (UAMI) in our Azure subscription and assigned it the following roles at the subscription scope:
- Contributor
- Role Based Access Control Administrator
The Role Based Access Control Administrator assignment has a condition configured to restrict which roles can be assigned and to which principal types. The UAMI is linked to an Azure DevOps service connection and is used by our Terraform deployment pipeline.
During deployment, Terraform attempts to create Azure RBAC role assignments. However, the pipeline fails with the following error:
```text
Error: unexpected status 403 (403 Forbidden) with error: AuthorizationFailed:
The client '<redacted>' with object id '<redacted>' does not have authorization
to perform action 'Microsoft.Authorization/roleAssignments/write' over scope
'/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>/providers/Microsoft.Authorization/roleAssignments/<role-assignment-id>'
or the scope is invalid.
If access was recently granted, please refresh your credentials.
```
Terraform resource:
```hcl
resource "azurerm_role_assignment" "role_assignment_integration_account_key_vault" {
  for_each             = toset(local.integration_account_key_vault_roles)
  scope                = data.azurerm_key_vault.key_vault_corp.id
  role_definition_name = each.value
  principal_id         = var.azure_logic_apps_service_principal_id
}
```
Additional details:
The Azure DevOps service connection authenticates using the User Assigned Managed Identity.
The UAMI has both Contributor and Role Based Access Control Administrator roles assigned at the subscription scope.
- The target principal is an Integration Account SPN (Azure Logic Apps).
The roles being assigned include:
- Key Vault Secrets User
- Key Vault Certificate User
- Key Vault Crypto User
The role assignment operation fails with `Microsoft.Authorization/roleAssignments/write`.
We would like to understand whether the conditional Role Based Access Control Administrator assignment could be preventing the role assignment operation, despite the required roles appearing to be included in the allowed role list, or whether there are additional requirements for creating role assignments through a federated Azure DevOps service connection using a User Assigned Managed Identity.
The same would work if I tried to run it from a user who has Owner access.
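As an added example (not code from the original post), the Terraform below shows the two halves that have to agree for a conditioned Role Based Access Control Administrator grant to work: the condition on the delegate's assignment, and the key-vault assignments the delegate later creates. The condition is keyed on role definition GUIDs and on principal type, so the example resolves the three role names through the `azurerm_role_definition` data source rather than hand-copying GUIDs, and pins `principal_type = "ServicePrincipal"` on the created assignments so that the request matches the condition's `PrincipalType` clause. Both the `roleAssignments/write` and the `roleAssignments/delete` branches are included; without the delete branch, `terraform destroy` of the assignments is refused. The names `var.pipeline_uami_principal_id` and `azurerm_role_assignment.pipeline_rbac_admin` are assumptions for this example; `data.azurerm_key_vault.key_vault_corp` and `var.azure_logic_apps_service_principal_id` are taken from the post. The `pipeline_rbac_admin` resource is the grant itself and must be applied by an Owner (or User Access Administrator), not by the pipeline identity it delegates to.

```hcl
# Added example, not the original poster's code.
# Assumes the role names below are the contents of
# local.integration_account_key_vault_roles in the poster's module.
locals {
  integration_account_key_vault_roles = [
    "Key Vault Secrets User",
    "Key Vault Certificate User",
    "Key Vault Crypto User",
  ]
}

data "azurerm_subscription" "current" {}

# Resolve each built-in role name to its role definition GUID so the
# condition below never depends on hand-copied identifiers.
data "azurerm_role_definition" "kv" {
  for_each = toset(local.integration_account_key_vault_roles)
  name     = each.value
}

locals {
  # Comma-separated GUID list in the form ForAnyOfAnyValues:GuidEquals expects.
  allowed_role_guids = join(", ", [
    for r in data.azurerm_role_definition.kv : r.role_definition_id
  ])

  # ABAC condition (condition_version 2.0). The delegate may create or
  # delete role assignments only for the listed roles and only for
  # service principals. Any other write or delete is denied, which
  # surfaces as AuthorizationFailed on roleAssignments/write.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_guids}}
        AND
        @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_guids}}
        AND
        @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
      )
    )
  EOT
}

# Delegated grant for the pipeline UAMI at subscription scope.
# Applied by an Owner, not by the pipeline itself.
resource "azurerm_role_assignment" "pipeline_rbac_admin" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.pipeline_uami_principal_id # assumed variable
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
  condition            = local.rbac_admin_condition
}

# The assignments the pipeline creates. principal_type is set explicitly
# so the request carries the principal type the condition checks for.
resource "azurerm_role_assignment" "integration_account_key_vault" {
  for_each             = toset(local.integration_account_key_vault_roles)
  scope                = data.azurerm_key_vault.key_vault_corp.id
  role_definition_name = each.value
  principal_id         = var.azure_logic_apps_service_principal_id
  principal_type       = "ServicePrincipal"
}
```

To compare an existing grant against this, the condition text on the live assignment can be read with `az role assignment list --assignee <uami-object-id> --scope /subscriptions/<subscription-id> --query "[?roleDefinitionName=='Role Based Access Control Administrator'].condition" -o tsv`, and the GUID of each role with `az role definition list --name "Key Vault Secrets User" --query "[].name" -o tsv` (the `name` field of a role definition is its GUID). Note that Contributor's NotActions exclude `Microsoft.Authorization/*/Write`, so the ability to write role assignments comes entirely from the conditioned assignment: if any clause of the condition evaluates false for the request (a GUID missing from the list, or a principal type other than the one allowed), the result is exactly the AuthorizationFailed error in the post.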
