Microsoft.Authorization roleAssignments 2020-04-01-preview
Remarks
For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.
Bicep resource definition
The roleAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/roleAssignments resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  scope: resourceSymbolicName or scope
  name: 'string'
  properties: {
    canDelegate: bool
    condition: 'string'
    conditionVersion: 'string'
    delegatedManagedIdentityResourceId: 'string'
    description: 'string'
    principalId: 'string'
    principalType: 'string'
    roleDefinitionId: 'string'
  }
}
```
Property values
Microsoft.Authorization/roleAssignments
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
properties | Role assignment properties. | RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope (required) |
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope
Name | Description | Value |
---|---|---|
canDelegate | The delegation flag used for creating a role assignment | bool |
condition | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
conditionVersion | Version of the condition. Currently accepted value is '2.0' | string |
delegatedManagedIdentityResourceId | Id of the delegated managed identity resource | string |
description | Description of role assignment | string |
principalId | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. | string (required) |
principalType | The principal type of the assigned principal ID. | 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
roleDefinitionId | The role definition ID used in the role assignment. | string (required) |
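The following is an added worked example, not part of the reference page and not a Microsoft quickstart: it puts the properties above together in a complete Bicep deployment that grants a built-in role to a managed identity at the scope of an existing storage account and uses `condition`/`conditionVersion` to narrow the grant to one blob container. The parameter names, the `existing` storage account lookup, the storage API version and the container name are assumptions for illustration; the role definition GUID is the built-in Storage Blob Data Reader role, and the condition string follows the same `@Resource[...] StringEqualsIgnoreCase '...'` form shown in the property table, using the storage `containers:name` attribute.

```bicep
// Added example (not from the reference page). Assumed inputs: an existing
// storage account in the deployment resource group, the object ID of the
// identity receiving the role, and the name of one container it may read.

@description('Name of an existing storage account in this resource group (assumed).')
param storageAccountName string

@description('Object ID of the service principal / managed identity that receives the role (assumed).')
param principalId string

@description('The single container the identity is allowed to read (assumed).')
param containerName string = 'reports'

// Built-in role definition GUID for Storage Blob Data Reader (same in every subscription).
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

// ABAC condition: every action other than blob read is left unconstrained; blob read
// is allowed only when the container name matches. Built with format() to avoid quote escaping.
var containerCondition = format(
  '((!(ActionMatches{{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\'}})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase \'{0}\'))',
  containerName
)

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobReader 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Role assignment names must be GUIDs. Deriving the GUID from scope, principal and role
  // makes the assignment deterministic, so redeploying the template is idempotent.
  name: guid(storageAccount.id, principalId, storageBlobDataReaderRoleId)
  // Extension resource: attach the assignment to the storage account rather than to the
  // deployment scope (the resource group), so the grant is no wider than it needs to be.
  scope: storageAccount
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderRoleId)
    principalId: principalId
    // Setting principalType explicitly avoids lookup failures for identities created in the
    // same deployment that have not yet replicated in the directory.
    principalType: 'ServicePrincipal'
    description: 'Read-only access to the ${containerName} container, granted by template.'
    // conditionVersion must be '2.0' whenever a condition is supplied.
    conditionVersion: '2.0'
    condition: containerCondition
  }
}

output roleAssignmentId string = blobReader.id
```

Deploy it into the resource group that holds the storage account (for example with `az deployment group create`), passing the three parameters. Because the name is a `guid()` of the scope, principal and role, a second run reports no change instead of failing with a conflict, and a change to `containerName` updates the condition in place rather than creating a second assignment.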
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Configure Deployment Environments service | This template provides a way to configure Deployment Environments. |
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Assign a role at subscription scope | This template is a subscription level template that will assign a role at subscription scope. |
Assign a role at tenant scope | This template is a tenant level template that will assign a role to the provided principal at the tenant scope. The user deploying the template must already have the Owner role assigned at the tenant scope. |
Assign an RBAC role to a Resource Group | This template assigns Owner, Reader or Contributor access to an existing resource group. |
Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Azure Cloud Shell - VNet | This template deploys Azure Cloud Shell resources into an Azure virtual network. |
Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm |
Azure Digital Twins with Function and Private Link service | This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'. |
Azure Digital Twins with Time Data History Connection | This template creates an Azure Digital Twins instance configured with a time series data history connection. In order to create a connection, other resources must be created such as an Event Hubs namespace, an event hub, Azure Data Explorer cluster, and a database. Data is sent to an event hub which eventually forwards the data to the Azure Data Explorer cluster. Data is stored in a database table in the cluster |
Azure Function App with Event Hub and Managed Identity | This template provisions an Azure Function app on a Linux Consumption plan, along with an Event Hub, Azure Storage, and Application Insights. The function app is able to use managed identity to connect to the Event Hub and Storage account. |
Azure Game Developer Virtual Machine | Azure Game Developer Virtual Machine includes licensed engines like Unreal. |
Azure Image Builder with Azure Windows Baseline | Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied. |
Build container images with ACR Tasks | This template uses DeploymentScript to orchestrate ACR to build your container image from code repo. |
Configure Dev Box service | This template would create all Dev Box admin resources as per Dev Box quick start guide (/azure/dev-box/quickstart-create-dev-box). You can view all resources created, or directly go to DevPortal.microsoft.com to create your first Dev Box. |
Create a Azure Native New Relic Resource | This template sets up an 'Azure Native New Relic Service' to monitor resources in your Azure subscription. |
Create a data share from a storage account | This template creates a data share from a storage account |
Create a new Datadog Organization | This template creates a new Datadog - An Azure Native ISV Service resource and a Datadog organization to monitor resources in your subscription. |
Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |
Create a user-assigned managed identity and role assignment | This module allows you to create a user-assigned managed identity and a role assignment scoped to the resource group. |
Create a WordPress site | This template creates a WordPress site on Container Instance |
Create AKS with Prometheus and Grafana with private link | This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. |
Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create an Azure Virtual Network Manager and sample VNETs | This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types. |
Create an on-demand SFTP Server with persistent storage | This template demonstrates an on-demand SFTP server using an Azure Container Instance (ACI). |
Create Application Gateway with Certificates | This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway. |
Create Disk & enable protection via Backup Vault | Template that creates a disk and enables protection via Backup Vault |
Create key vault, managed identity, and role assignment | This template creates a key vault, managed identity, and role assignment. |
Create MySqlFlex server & enable protection via Backup Vault | Template that creates a MySQL Flexible Server and enables protection via Backup Vault |
Create PgFlex server & enable protection via Backup Vault | Template that creates a PostgreSQL Flexible Server and enables protection via Backup Vault |
Create Storage Account & enable protection via Backup Vault | Template that creates storage account and enable operational and vaulted backup via Backup Vault |
Creates a Container App and Environment with Registry | Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs. |
Creates a Dapr microservices app using Container Apps | Create a Dapr microservices app using Container Apps. |
Creates a Dapr pub-sub servicebus app using Container Apps | Create a Dapr pub-sub servicebus app using Container Apps. |
Deploy a Linux or Windows VM with MSI | This template allows you to deploy a Linux or Windows VM with a Managed Service Identity. |
Deploy a simple Azure Spring Apps microservice application | This template deploys a simple Azure Spring Apps microservice application to run on Azure. |
Deploy Azure Data Explorer DB with Cosmos DB connection | Deploy Azure Data Explorer DB with Cosmos DB connection. |
Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. |
Deploy Azure Data Explorer db with Event Hub connection | Deploy Azure Data Explorer db with Event Hub connection. |
Deploy Dev Box Service with built-in image | This template provides a way to deploy a Dev Box service with a built-in image. |
Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Deploy the MedTech service | The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
Deploy the MedTech service including an Azure IoT Hub | The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (and the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Deploys a static website | Deploys a static website with a backing storage account |
FinOps hub | This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
Front Door Standard/Premium with static website origin | This template creates a Front Door Standard/Premium and an Azure Storage static website, and configures Front Door to send traffic to the static website. |
Hazelcast Cluster | Hazelcast is an in-memory data platform that can be used for a variety of data applications. This template will deploy any number of Hazelcast nodes and they will automatically discover each other. |
Import Container Images into ACR | This template leverages the Import ACR module from the bicep registry to import public container images into an Azure Container Registry. |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
Web App with Managed Identity, SQL Server and AI | Simple example to deploy Azure infrastructure for app + data + managed identity + monitoring |
ARM template resource definition
The roleAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/roleAssignments resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-04-01-preview",
  "name": "string",
  "properties": {
    "canDelegate": "bool",
    "condition": "string",
    "conditionVersion": "string",
    "delegatedManagedIdentityResourceId": "string",
    "description": "string",
    "principalId": "string",
    "principalType": "string",
    "roleDefinitionId": "string"
  }
}
```
Property values
Microsoft.Authorization/roleAssignments
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2020-04-01-preview' |
name | The resource name | string (required) |
properties | Role assignment properties. | RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope (required) |
type | The resource type | 'Microsoft.Authorization/roleAssignments' |
RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope
Name | Description | Value |
---|---|---|
canDelegate | The delegation flag used for creating a role assignment | bool |
condition | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
conditionVersion | Version of the condition. Currently accepted value is '2.0' | string |
delegatedManagedIdentityResourceId | Id of the delegated managed identity resource | string |
description | Description of role assignment | string |
principalId | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. | string (required) |
principalType | The principal type of the assigned principal ID. | 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
roleDefinitionId | The role definition ID used in the role assignment. | string (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Configure Deployment Environments service | This template provides a way to configure Deployment Environments. |
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. |
Assign a role at subscription scope | This template is a subscription level template that will assign a role at subscription scope. |
Assign a role at tenant scope | This template is a tenant level template that will assign a role to the provided principal at the tenant scope. The user deploying the template must already have the Owner role assigned at the tenant scope. |
Assign an RBAC role to a Resource Group | This template assigns Owner, Reader or Contributor access to an existing resource group. |
Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Azure Cloud Shell - VNet | This template deploys Azure Cloud Shell resources into an Azure virtual network. |
Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm. |
Azure Digital Twins with Function and Private Link service | This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'. |
Azure Digital Twins with Time Data History Connection | This template creates an Azure Digital Twins instance configured with a time series data history connection. In order to create a connection, other resources must be created such as an Event Hubs namespace, an event hub, an Azure Data Explorer cluster, and a database. Data is sent to an event hub which eventually forwards the data to the Azure Data Explorer cluster. Data is stored in a database table in the cluster. |
Azure Function App with Event Hub and Managed Identity | This template provisions an Azure Function app on a Linux Consumption plan, along with an Event Hub, Azure Storage, and Application Insights. The function app is able to use managed identity to connect to the Event Hub and Storage account. |
Azure Game Developer Virtual Machine | Azure Game Developer Virtual Machine includes licensed engines like Unreal. |
Azure Image Builder with Azure Windows Baseline | Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied. |
Azure Synapse Proof-of-Concept | This template creates a proof of concept environment for Azure Synapse, including SQL Pools and optional Apache Spark Pools. |
BrowserBox Azure Edition | This template deploys BrowserBox on an Azure Ubuntu Server 22.04 LTS, Debian 11, or RHEL 8.7 LVM VM. |
Build container images with ACR Tasks | This template uses DeploymentScript to orchestrate ACR to build your container image from a code repo. |
Configure Dev Box service | This template would create all Dev Box admin resources as per the Dev Box quick start guide (/azure/dev-box/quickstart-create-dev-box). You can view all resources created, or directly go to DevPortal.microsoft.com to create your first Dev Box. |
Create a Azure Native New Relic Resource | This template sets up an 'Azure Native New Relic Service' to monitor resources in your Azure subscription. |
Create a data share from a storage account | This template creates a data share from a storage account. |
Create a new Datadog Organization | This template creates a new Datadog - An Azure Native ISV Service resource and a Datadog organization to monitor resources in your subscription. |
Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |
Create a user-assigned managed identity and role assignment | This module allows you to create a user-assigned managed identity and a role assignment scoped to the resource group. |
Create a WordPress site | This template creates a WordPress site on Container Instance. |
Create AKS with Prometheus and Grafana with private link | This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. |
Create alert rule for azure business continuity items | This template creates an alert rule and a user assigned MSI. It also assigns the MSI reader access to the subscription so that the alert rule has access to query the required protected items and latest recovery point details. |
Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with a User Assigned Identity. It uses this identity to fetch the SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets. |
Create an Azure Virtual Network Manager and sample VNETs | This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types. |
Create an on-demand SFTP Server with persistent storage | This template demonstrates an on-demand SFTP server using an Azure Container Instance (ACI). |
Create Application Gateway with Certificates | This template shows how to generate Key Vault self-signed certificates, then reference them from Application Gateway. |
Create Disk & enable protection via Backup Vault | Template that creates a disk and enables protection via Backup Vault. |
Create key vault, managed identity, and role assignment | This template creates a key vault, managed identity, and role assignment. |
Create MySqlFlex server & enable protection via Backup Vault | Template that creates a MySQL Flexible Server and enables protection via Backup Vault. |
Create PgFlex server & enable protection via Backup Vault | Template that creates a PostgreSQL Flexible Server and enables protection via Backup Vault. |
Create ssh-keys and store in KeyVault | This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault. |
Create Storage Account & enable protection via Backup Vault | Template that creates a storage account and enables operational and vaulted backup via Backup Vault. |
Creates a Container App and Environment with Registry | Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs. |
Creates a Dapr microservices app using Container Apps | Create a Dapr microservices app using Container Apps. |
Creates a Dapr pub-sub servicebus app using Container Apps | Create a Dapr pub-sub servicebus app using Container Apps. |
creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP. |
creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
Deploy a Linux or Windows VM with MSI | This template allows you to deploy a Linux or Windows VM with a Managed Service Identity. |
Deploy a simple Azure Spring Apps microservice application | This template deploys a simple Azure Spring Apps microservice application to run on Azure. |
Deploy a Storage Account for SAP ILM Store | The Microsoft Azure Storage Account can now be used as an ILM Store to persist the archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage medium using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal (https://www.sap.com). |
Deploy Azure Data Explorer DB with Cosmos DB connection | Deploy Azure Data Explorer DB with Cosmos DB connection. |
Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. |
Deploy Azure Data Explorer db with Event Hub connection | Deploy Azure Data Explorer db with Event Hub connection. |
Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors. |
Deploy Dev Box Service with built-in image | This template provides a way to deploy a Dev Box service with a built-in image. |
Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Deploy the MedTech service | The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
Deploy the MedTech service including an Azure IoT Hub | The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (and the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Deploys a static website | Deploys a static website with a backing storage account. |
FinOps hub | This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
Front Door Standard/Premium with static website origin | This template creates a Front Door Standard/Premium and an Azure Storage static website, and configures Front Door to send traffic to the static website. |
Hazelcast Cluster | Hazelcast is an in-memory data platform that can be used for a variety of data applications. This template will deploy any number of Hazelcast nodes and they will automatically discover each other. |
Import Container Images into ACR | This template leverages the Import ACR module from the bicep registry to import public container images into an Azure Container Registry. |
Import VHD Blobs from a ZIP Archive URL | Deploying Virtual Machines based on specialized disk images requires importing VHD files into a Storage Account. When multiple VHD files are compressed in a single ZIP and you have the URL to fetch the ZIP archive, this ARM template will ease the job: download, extract and import into an existing Storage Account blob container. |
min.io Azure Gateway | Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage. |
RBAC - Existing VM | This template grants applicable role based access to an existing VM in a Resource Group. |
RBAC - Grant Built In Role Access for multiple existing VMs in a Resource Group | This template grants applicable role based access to multiple existing VMs in a Resource Group. |
Terraform on Azure | This template allows you to deploy a Terraform workstation as a Linux VM with MSI. |
upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster | This template upgrades an Azure Stack HCI 22H2 cluster to a 23H2 cluster using an ARM template. |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
User assigned identity role assignment template | A template that creates role assignments of a user assigned identity on resources that an Azure Machine Learning workspace depends on. |
Web App with Managed Identity, SQL Server and AI | Simple example to deploy Azure infrastructure for app + data + managed identity + monitoring. |
Terraform (AzAPI provider) resource definition
The roleAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/roleAssignments resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.Authorization/roleAssignments@2020-04-01-preview"
  name      = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      canDelegate                        = bool
      condition                          = "string"
      conditionVersion                   = "string"
      delegatedManagedIdentityResourceId = "string"
      description                        = "string"
      principalId                        = "string"
      principalType                      = "string"
      roleDefinitionId                   = "string"
    }
  })
}
```
Property values
Microsoft.Authorization/roleAssignments
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
properties | Role assignment properties. | RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope (required) |
type | The resource type | "Microsoft.Authorization/roleAssignments@2020-04-01-preview" |
RoleAssignmentPropertiesOrRoleAssignmentPropertiesWithScope
Name | Description | Value |
---|---|---|
canDelegate | The delegation flag used for creating a role assignment | bool |
condition | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
conditionVersion | Version of the condition. Currently accepted value is '2.0' | string |
delegatedManagedIdentityResourceId | Id of the delegated managed identity resource | string |
description | Description of role assignment | string |
principalId | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. | string (required) |
principalType | The principal type of the assigned principal ID. | 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
roleDefinitionId | The role definition ID used in the role assignment. | string (required) |