Azure - add IAM Role Assignment with no AAD permissions with Azure CLI
Problem
You are a guest user in AAD with no permission to use the portal UI or to search the directory, and you need to add a service principal to a role on a resource (in my case an ADLS Gen2 storage account).
Solution
- Get the object ID of your service principal. (The Object ID shown on the App registrations blade in the Azure Portal is the application object's ID; a role assignment needs the service principal's own object ID, which is what the command below returns.)
az ad sp list --display-name <prefix or name>
This returns a JSON array in which you'll find the ID (autogenerated):
{
  "objectId": "f1becf03-c150-49d5-8d5d-b84955bc56e6"
}
Newer, Microsoft Graph based versions of the CLI (2.37 and later) name this property "id" instead of "objectId"; the value is the same service principal object ID.
- Run assignment command
In this case I'm granting "Storage Blob Data Contributor" on the entire ADLS storage account. You can assign per container by changing --scope to go one level deeper. Passing --assignee-object-id together with --assignee-principal-type is the important part: it lets the CLI skip the directory lookup that --assignee would perform, which is exactly the call a guest without AAD read permissions cannot make.
Storage Scope:
az role assignment create --role "Storage Blob Data Contributor" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/... --assignee-principal-type ServicePrincipal --assignee-object-id f1becf03-c150-49d5-8d5d-b84955bc56e6
Container Scope:
az role assignment create --role "Storage Blob Data Contributor" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/.../blobServices/default/containers/container_name --assignee-principal-type ServicePrincipal --assignee-object-id f1becf03-c150-49d5-8d5d-b84955bc56e6
P.S. Note the syntax for the container scope: blobServices/default/containers/container_name
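The whole procedure as one script, as an added example that is not part of the original post: it looks up the service principal by display name (accepting either the old "objectId" or the new "id" property), builds the account or container scope, creates the assignment by object ID, and reads the assignment back without another directory lookup. It assumes the az CLI is installed and logged in as the guest account; the function names, the AZ override variable, the GUID check and the sample inputs are my own additions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the az CLI is installed and
# you are logged in as the guest user; set AZ to something else (e.g. AZ=echo)
# for a dry run that only prints the commands.
set -eu

AZ="${AZ:-az}"

# ARM resource ID of a storage account: the scope for an account-wide assignment.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Container-level scope. The blobServices/default segment is mandatory; a scope
# that skips it does not name a real resource.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(storage_scope "$1" "$2" "$3")" "$4"
}

# Accept only a well-formed GUID, so an empty or error-laden lookup result is
# never passed on to the assignment command.
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Service principal object ID by display name (or prefix). Graph-based CLI
# versions (2.37+) call the property "id", older ones "objectId"; the JMESPath
# "||" returns whichever one is present.
sp_object_id() {
  "$AZ" ad sp list --display-name "$1" --query "[0].id || [0].objectId" -o tsv
}

# Assign by object ID and principal type: this skips the directory lookup that
# --assignee would need, which is the part a guest is not allowed to do.
assign_role() {
  "$AZ" role assignment create --role "$1" --scope "$2" \
    --assignee-object-id "$3" --assignee-principal-type ServicePrincipal -o none
}

# Read back the assignments at that scope for the principal; filtering on
# principalId client-side avoids another directory lookup.
verify_assignment() {
  "$AZ" role assignment list --scope "$1" \
    --query "[?principalId=='$2'].roleDefinitionName" -o tsv
}

main() {
  [ "$#" -ge 4 ] || {
    echo "usage: $0 <sp-name> <subscription-id> <resource-group> <storage-account> [container]" >&2
    exit 2
  }
  sp_name="$1"; sub="$2"; rg="$3"; account="$4"; container="${5:-}"
  oid="$(sp_object_id "$sp_name")"
  is_guid "$oid" || { echo "no service principal matching '$sp_name' (got: '$oid')" >&2; exit 1; }
  if [ -n "$container" ]; then
    scope="$(container_scope "$sub" "$rg" "$account" "$container")"
  else
    scope="$(storage_scope "$sub" "$rg" "$account")"
  fi
  assign_role "Storage Blob Data Contributor" "$scope" "$oid"
  echo "roles now held by $oid at $scope:"
  verify_assignment "$scope" "$oid"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `./assign.sh my-sp-name <subscription-id> <resource-group> <storage-account>` for the account-wide grant, or add the container name as a fifth argument for the container scope. The read-back at the end is the check worth keeping: if the assignment was created at the wrong scope, the role name will not appear in that list.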
To contact me, send an email anytime or leave a comment below.