Powershell Script New-AzRoleAssignment with Azure Devops: Operation returned an invalid status code ‘Forbidden’

  Kiến thức lập trình

I am trying to assign "Storage Blob Data Contributor" permissions to the storage account with Azure Devops Pipeline.

I have the following configuration:

  • Service Connection : TestSubscription
  • The service connection is member of a group which has contributor RBAC from the subscription level
  • The service connection is created with workloadIdentity.

I am using the following Azure Devops task

- task: AzurePowerShell@5
  displayName: "Set Permissions Storage Account for Service Principal"
  inputs:
    azureSubscription: 'TestSubscription'
    ScriptType: 'FilePath'
    ScriptPath: '$(Pipeline.Workspace)/drop/Scripts/SetStoragePermission.ps1'
    ScriptArguments: '-ResourceGroup $(ResourceGroup) -StorageAccountNameStaticWebApp $(StorageAccountNameStaticWebApp) -ClientIDAppRegistration $(ClientIDAppRegistration) -IDTestSubscription $(IDTestSubscription)'
    azurePowerShellVersion: 'LatestVersion'

The script is:

param(

    [string]$ClientIDAppRegistration,
    [string]$IDTestSubscription,
    [string]$StorageAccountNameStaticWebApp,
    [string]$ResourceGroup

)


New-AzRoleAssignment -ApplicationId $ClientIDAppRegistration -RoleDefinitionName "Contributor" -Scope "/subscriptions/$($IDTestSubscription)/resourceGroups/$($ResourceGroup)/providers/Microsoft.Storage/storageAccounts/$($StorageAccountNameStaticWebApp)/"

I have another repository where this is working. With the same configuration. But in a different repository with the same service connection and same task it is giving me the error.

  • powershell
  • azure-devops
  • azure-powershell
  • azure-pipelines-yaml

LEAVE A COMMENT