APIM RBAC role assigment not working

Vikas Tiwari 766 Reputation points
2022-04-06T04:42:11.393+00:00

I wanted to assign "event hub send role" to APIM instance through bicep (similar to how we assign roles using AIM blade from portal). I have following role assignment in my bicep file:

resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
  name: eventHubNamespaceName
}

resource apimInstance 'Microsoft.Web/sites@2020-06-01' existing = {
  name: apimInstanceName
}

var roleDefinitionDataSenderId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')

resource apimPermissions 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(apimInstance.id, apimInstance.name, roleDefinitionDataSenderId)
  scope: eventHubNamespaceName
  properties: {
    principalId: apimInstance.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionDataSenderId
  }
}

Its not showing any error and deployed successfully from pipeline, however when I go to portal-> eventhub namespace -> IAM -> Role Assignment, I am unable to see any role assign to my APIM instance or Managed identity. When I tried to test from APIM proxy I am getting error "Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb:...."

Also, I verified SAS signature has Send property checked at event hub level and, all 3 (Manage, Send, Listen) checked at namespace level.

Am I missing anything here?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,870 questions
Azure Event Hubs
Azure Event Hubs
An Azure real-time data ingestion service.
581 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
702 questions
{count} votes

Accepted answer
  1. VenkateshDodda-MSFT 19,631 Reputation points Microsoft Employee
    2022-04-07T07:11:27.957+00:00

    @Vikas Tiwari , Thanks for reaching out.

    In the above shared Bicep template you are using 'Microsoft.Web/sites@2020-06-01' instead of 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' and that is the reason you are not able to see the role assignment. I have tested the same in my environment and it is working without any issues.
    Please Modify the Bicep Template line 11 with Microsoft.Authorization/roleAssignments@2020-04-01-preview and let me know if you are facing any issues.


0 additional answers

Sort by: Most helpful