Consider the following Azure RBAC role assignment in Bicep:
// https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?pivots=deployment-language-bicep
resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(
    resourceGroup().id,
    resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  )
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  }
}
Here I’m assigning the Azure App Service’s system-assigned managed identity the Key Vault Secrets User role on the key vault.

For the roleDefinitionId, I have seen it specified either at the subscription level (subscriptionResourceId(...)) or at the resource group level.

What’s the difference when specifying roleDefinitionId with role IDs on different levels (management group, subscription, and resource group)?
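The following is an added example, not code from the question, that builds the same Key Vault Secrets User assignment with the role definition ID expressed at three scopes side by side, so the resulting path strings can be compared in the deployment output. It assumes that `keyVault` and `appServiceApp` are resources already declared in the same template, as in the question. All three paths end in the same GUID, which is what identifies the built-in role; the prefix only differs in which scope the path is rooted at. The assignment name also differs from the question's version: it hashes the vault ID, the principal ID and the role GUID together, so that a second app or a second vault in the same resource group gets its own assignment name instead of colliding with this one.

```bicep
// Added example (not the question's code). keyVault and appServiceApp are assumed
// to be existing resource declarations in this template.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Resource-group-scoped path:
//   /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Authorization/roleDefinitions/{guid}
var roleDefIdResourceGroup = resourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// Subscription-scoped path:
//   /subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{guid}
var roleDefIdSubscription = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// Tenant-scoped path (where built-in role definitions are actually defined):
//   /providers/Microsoft.Authorization/roleDefinitions/{guid}
var roleDefIdTenant = tenantResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Hash scope, principal and role together: one deterministic name per
  // (vault, identity, role) triple, so other apps or vaults in the same
  // resource group cannot collide with this assignment's name.
  name: guid(keyVault.id, appServiceApp.identity.principalId, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    // Declaring the principal type lets ARM accept a freshly created managed
    // identity without waiting for directory replication.
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefIdSubscription
  }
}

// Emit all three forms so the difference in the path prefix is visible
// after `az deployment group create` without reading the role assignment back.
output roleDefinitionIds object = {
  resourceGroup: roleDefIdResourceGroup
  subscription: roleDefIdSubscription
  tenant: roleDefIdTenant
}
```

Deploy it at resource group scope with `az deployment group create` and compare the three strings in the `roleDefinitionIds` output; the trailing GUID is identical in each, and only the scope prefix in front of `/providers/Microsoft.Authorization/roleDefinitions/` changes.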