I am trying to assign "Storage Blob Data Contributor"
permissions to the storage account with Azure Devops Pipeline.
I have the following configuration:
- Service Connection : TestSubscription
- The service connection is member of a group which has contributor RBAC from the subscription level
- The service connection is created with workloadIdentity.
I am using the following Azure Devops task
- task: AzurePowerShell@5
displayName: "Set Permissions Storage Account for Service Principal"
inputs:
azureSubscription: 'TestSubscription'
ScriptType: 'FilePath'
ScriptPath: '$(Pipeline.Workspace)/drop/Scripts/SetStoragePermission.ps1'
ScriptArguments: '-ResourceGroup $(ResourceGroup) -StorageAccountNameStaticWebApp $(StorageAccountNameStaticWebApp) -ClientIDAppRegistration $(ClientIDAppRegistration) -IDTestSubscription $(IDTestSubscription)'
azurePowerShellVersion: 'LatestVersion'
The script is:
param(
[string]$ClientIDAppRegistration,
[string]$IDTestSubscription,
[string]$StorageAccountNameStaticWebApp,
[string]$ResourceGroup
)
New-AzRoleAssignment -ApplicationId $ClientIDAppRegistration -RoleDefinitionName "Contributor" -Scope "/subscriptions/$($IDTestSubscription)/resourceGroups/$($ResourceGroup)/providers/Microsoft.Storage/storageAccounts/$($StorageAccountNameStaticWebApp)/"
I have another repository where this is working. With the same configuration. But in a different repository with the same service connection and same task it is giving me the error.