What’s the difference when specifying `roleDefinitionId` with role IDs on different levels (management group, subscription, and resource group)?

Consider the following Azure RBAC role assignment in Bicep:

```bicep
// https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?pivots=deployment-language-bicep
resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic assignment name derived from the resource group and the role definition ID
  name: guid(
    resourceGroup().id,
    resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  )
  // Assignment is scoped to the key vault resource only
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    // Key Vault Secrets User, expressed here as a resource-group-level resource ID
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  }
}
```

Here I’m assigning the Azure App Service’s system-assigned managed identity the Key Vault Secrets User role on the key vault.

For the `roleDefinitionId`, I have seen it specified either at the subscription level (`subscriptionResourceId(...)`) or at the resource group level.

What’s the difference when specifying `roleDefinitionId` with role IDs on different levels (management group, subscription, and resource group)?
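For comparison, here is the same assignment with the role definition ID written at three different scopes using Bicep's own ID functions, as an added example that is not part of the original question. It assumes the same `keyVault` and `appServiceApp` symbols as above, and that the built-in role is identified by its GUID so that each form names the same Key Vault Secrets User definition; the variable names are my own.

```bicep
// Added example: the Key Vault Secrets User assignment from the question, with the
// roleDefinitionId expressed at tenant, subscription and resource group scope.
// Assumes `keyVault` and `appServiceApp` are declared in the same file, as in the question.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Tenant level: '/providers/Microsoft.Authorization/roleDefinitions/<guid>'
var roleDefTenant = tenantResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// Subscription level: '/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>'
var roleDefSubscription = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// Resource group level, which is what resourceId() returns in a resource-group deployment:
// '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Authorization/roleDefinitions/<guid>'
var roleDefResourceGroup = resourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// The assignment itself: scoped to the vault only (least privilege), the role written at
// subscription level, and the name derived from vault, principal and role so that the
// same triple always yields the same assignment GUID on redeployment.
resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, appServiceApp.identity.principalId, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    // Declaring the principal type avoids failures caused by directory replication
    // delay when the managed identity was created in the same deployment.
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefSubscription
  }
}

// Outputs so the three forms can be compared in a what-if run or deployment result.
output roleDefinitionIdTenant string = roleDefTenant
output roleDefinitionIdSubscription string = roleDefSubscription
output roleDefinitionIdResourceGroup string = roleDefResourceGroup
```

Running `az deployment group what-if` against this file shows the three output strings side by side, which makes the scope prefix of each form visible before anything is assigned.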
