I wanted to assign the "Event Hubs Data Sender" role to an APIM instance through Bicep (similar to how we assign roles using the IAM blade in the portal). I have the following role assignment in my Bicep file:
```bicep
resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
  name: eventHubNamespaceName
}

resource apimInstance 'Microsoft.Web/sites@2020-06-01' existing = {
  name: apimInstanceName
}

var roleDefinitionDataSenderId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')

resource apimPermissions 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(apimInstance.id, apimInstance.name, roleDefinitionDataSenderId)
  scope: eventHubNamespaceName
  properties: {
    principalId: apimInstance.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionDataSenderId
  }
}
```
It's not showing any error and deployed successfully from the pipeline; however, when I go to portal -> Event Hub namespace -> IAM -> Role assignments, I am unable to see any role assigned to my APIM instance or its managed identity. When I try to test from the APIM proxy I get the error "Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb:...."
Also, I verified the SAS signature has the Send property checked at the event hub level and all 3 (Manage, Send, Listen) checked at the namespace level.
Am I missing anything here?
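For comparison, here is an added example of the same role assignment written the way Bicep expects it; this is not the asker's code. Two things differ from the post: `scope` is given the resource symbol (`eventHub` / `eventHubNamespace`) rather than the name string, and the APIM instance is declared as `Microsoft.ApiManagement/service` (the `Microsoft.Web/sites` type in the post is an App Service, so its `identity.principalId` would not be the APIM identity). The parameter names, the API versions and the decision to scope the grant to a single event hub are assumptions made for the example; the role definition GUID is the one from the question.

```bicep
// Added example, not the asker's Bicep: Event Hubs Data Sender granted to an
// APIM system-assigned identity, scoped to one event hub (least privilege).
// Deploy at resource-group scope; the deploying principal needs
// Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator).
param eventHubNamespaceName string   // assumed parameter
param eventHubName string            // assumed parameter
param apimInstanceName string        // assumed parameter

resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
  name: eventHubNamespaceName
}

// Child resource: grant on the hub only, not on every hub in the namespace.
// Use `scope: eventHubNamespace` below instead if namespace-wide Send is required.
resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' existing = {
  parent: eventHubNamespace
  name: eventHubName
}

// APIM is Microsoft.ApiManagement/service; the instance must have a
// system-assigned identity enabled, otherwise identity.principalId is empty.
resource apimInstance 'Microsoft.ApiManagement/service@2021-08-01' existing = {
  name: apimInstanceName
}

// Built-in role "Azure Event Hubs Data Sender" (id taken from the question).
var roleDefinitionDataSenderId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975')

resource apimSendToEventHub 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Role assignment names must be GUIDs and unique per scope; hashing the
  // scope id, principal id and role id keeps redeployments idempotent.
  name: guid(eventHub.id, apimInstance.id, roleDefinitionDataSenderId)
  scope: eventHub   // resource symbol, not the name string
  properties: {
    principalId: apimInstance.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionDataSenderId
  }
}
```

After deployment the grant can be confirmed outside the portal with `az role assignment list --scope <event hub resource id>`; if the assignment is absent there as well, check the deployment's operation details for the `roleAssignments` resource rather than the overall deployment status, since a template whose `scope` does not resolve to the intended resource can still report success.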