azurerm_user_assigned_identity role assignment

Member-only story

Managing Azure RBAC Roles and Assignments with Terraform

Jack Morris

This a quick guide I couldn’t wait to share. Here is a way of managing a custom roles and role assignments in Azure using Terraform. The versions of Terraform, AzureRM, and the AzureAD provider I’m using are as follows:

In this example, I’m creating a custom role that allows some users to view a shared dashboard in our Azure subscription. The users should be able to view the dashboard that Terraform is already creating, which is referred to by the terraform resource azurerm_dashboard.insights-dashboard :

This role grants read access to:

• The specific Shared Dashboard that is created elsewhere in Terraform by scoping this role just to the dashboard
• The same read permissions as the built-in Monitoring Reader role, minus the ability to raise support tickets. Since Insights queries a ton of data — each of which is exposed in a different permissions entry, e.g. Microsoft.Insights/metricAlerts/read , Microsoft.Insights/alertRules/read , Microsoft.Insights/components/*/read — I found it easier to make the read permissions more permissive and mimic one of the built-in roles here. The scope for this role is still only assignable to the dashboard, so effectively we grant read access to whatever Insights data the dashboard surfaces.

When assigning users to a role, you need their principal ID (also called an object ID) within Azure AD to perform the assignment. Personally, I wouldn’t want to have to find out each user’s object ID through some manual process or by using the CLI before I run terraform. What we can do instead is create a variable that stores all of the email addresses (which is also their UPN, or user princiupal name) associated with the users in Azure:

Then, we pass that variable to the AzureAD provider and use the for_each argument to loop through the users:

And finally, when we want to assign all of those users to the custom role we created above, we do this using for_each again, this time providing the data resource ( azuread_user ) we created above:

And that’s it! You can now assign a batch of users to an RBAC role in Azure using Terraform.

Written by Jack Morris

Solution Architect at Kainos

More from Jack Morris and ITNEXT

Infrastructure as Code (IaC) with Terraform & Azure DevOps

Walking through the basics of managing infrastructure with terraform and azure devops.

Alexis Ducastel

Benchmark results of Kubernetes network plugins (CNI) over 40Gbit/s network [2024]

This article is a new run of my previous benchmark (2020, 2019 and 2018), now running kubernetes 1.26 and ubuntu 22.04 with cni version….

Héla Ben Khalfallah

Frontend Development Beyond React: Svelte (1/3)

Delving into svelte, solid, and qwik.

Migrating Data From CosmosDB to Azure Storage using Azure Data Factory

A short guide for migrating between azure cosmosdb and storage accounts using data factory., recommended from medium.

Always learning

Azure Terraform Pipeline — DevOps

Terraform is an open-source infrastructure as code (iac) tool that allows users to define and deploy infrastructure resources, such as….

Venkat Sunil Minchala

Terraform for Azure Beginners: Ultimate guide

Simplify infrastructure provisioning, automate changes, and optimize your azure workflows.

Coding & Development

Icon Design

The New Chatbots: ChatGPT, Bard, and Beyond

Tech & Tools

Warley's CatOps

Azure Governance and Security Policies: A Comprehensive Guide

Azure governance and security policies are crucial for maintaining order, security, and compliance in your azure environment. think of it….

Abhimanyubajaj

Securing application secrets with Azure Key Vault deployed using Terraform

Azure key vault is a cloud service for securely storing and accessing secrets. vaults support storing software and hsm-backed keys….

Rory Braybrook

The new control plane

Running the Entra External ID for Customers (CIAM) user flows inside the portal itself

In azure ad b2c, with the built-in user flows, there was a “run user flow” button inside the portal so you could test the user flow without….

Terraform to Azure: Creating a dev environment

Using terraform to create an on-demand dev environment on azure..

Text to speech

Azure Authorization Assignment

This page shows how to write Terraform and Azure Resource Manager for Authorization Assignment and write them securely.

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_role_assignment (Terraform)

The Assignment in Authorization can be configured in Terraform with the resource name azurerm_role_assignment . The following sections describe 10 examples of how to use the resource and its parameters.

• Example Usage from GitHub

Review your Terraform file for Azure best practices

• condition optional - string
• condition_version optional - string
• description optional - string
• id optional computed - string
• name optional computed - string
• principal_id required - string
• principal_type optional computed - string
• role_definition_id optional computed - string
• role_definition_name optional computed - string
• scope required - string
• skip_service_principal_aad_check optional computed - bool
• create optional - string
• delete optional - string
• read optional - string
• update optional - string

>> from Terraform Registry

• Explanation in Terraform Registry

Assigns a given Principal (User or Group) to a given Role.

Tips: Best Practices for The Other Azure Authorization Resources

In addition to the azurerm_role_definition, Azure Authorization has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_role_definition

Ensure to grant targeted permissions for roles

It is better to avoid giving too many permissions to a role. By following the principle of least privilege, you can reduce the risk of credential leakage.

Review your Azure Authorization settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Authorization/roleAssignments (Azure Resource Manager)

The roleAssignments in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/roleAssignments . The following sections describe how to use the resource and its parameters.

• name required - string
• type required - string
• apiVersion required - string

The role definition ID used in the role assignment.

The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.

>> from Azure Resource Manager Documentation

The Other Related Azure Authorization Resources

Azure Authorization Azure User Assigned Identity

Azure Authorization Definition

• Frequently asked questions

What is Azure Authorization Assignment?

Azure Authorization Assignment is a resource for Authorization of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Authorization Assignment?

For Terraform, the SamPoddar/caf-terraform-landingzones-starter , Elgeario/Starter and joshfranzen/caf-terraform-landingzones-starter source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the LRuttenCN/cloud-custodian , LRuttenCN/cloud-custodian and juggernauthk108/pastebin source code examples are useful. See the Azure Resource Manager Example section for further details.

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents

• Best Practces for The Other Resources

azurerm_role_assignment

Assigns a given Principal (User or Application) to a given Role.

Example Usage (using a built-in Role)

Example usage (custom role & service principal), example usage (custom role & user), argument reference.

The following arguments are supported:

name - (Optional) A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

scope - (Required) The scope at which the Role Assignment applies too, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333 , /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM . Changing this forces a new resource to be created.

role_definition_id - (Optional) The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name .

role_definition_name - (Optional) The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id .

principal_id - (Required) The ID of the Principal (User or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

Attributes Reference

The following attributes are exported:

• id - The Role Assignment ID.

Role Assignments can be imported using the resource id , e.g.

© 2018 HashiCorpLicensed under the MPL 2.0 License. https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Assign Azure roles to a managed identity (Preview)

• 4 contributors

You can assign a role to a managed identity by using the Access control (IAM) page as described in Assign Azure roles using the Azure portal . When you use the Access control (IAM) page, you start with the scope and then select the managed identity and role. This article describes an alternate way to assign roles for a managed identity. Using these steps, you start with the managed identity and then select the scope and role.

Assign a role to a managed identity using these alternate steps is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews .

Prerequisites

To assign Azure roles, you must have:

• Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator

System-assigned managed identity

Follow these steps to assign a role to a system-assigned managed identity by starting with the managed identity.

In the Azure portal, open a system-assigned managed identity.

In the left menu, click Identity .

Under Permissions , click Azure role assignments .

If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

To change the subscription, click the Subscription list.

Click Add role assignment (Preview) .

Use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription , Resource group , or resource.

If you don't have role assignment write permissions for the selected scope, an inline message will be displayed.

In the Role drop-down list, select a role such as Virtual Machine Contributor .

Click Save to assign the role.

After a few moments, the managed identity is assigned the role at the selected scope.

User-assigned managed identity

Follow these steps to assign a role to a user-assigned managed identity by starting with the managed identity.

In the Azure portal, open a user-assigned managed identity.

In the left menu, click Azure role assignments .

If roles are already assigned to the selected user-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

Related content

• What are managed identities for Azure resources?
• Assign Azure roles using the Azure portal
• List Azure role assignments using the Azure portal

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

» azurerm_role_assignment

Assigns a given Principal (User or Application) to a given Role.

» Example Usage (using a built-in Role)

» example usage (custom role & service principal), » example usage (custom role & user), » argument reference.

The following arguments are supported:

name - (Optional) A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

scope - (Required) The scope at which the Role Assignment applies too, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333 , /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM . Changing this forces a new resource to be created.

role_definition_id - (Optional) The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name .

role_definition_name - (Optional) The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id .

principal_id - (Required) The ID of the Principal (User or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

» Attributes Reference

The following attributes are exported:

• id - The Role Assignment ID.

Role Assignments can be imported using the resource id , e.g.

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_role_assignment "The role assignment already exists." #17421

justin-chizer commented Jun 28, 2022 • edited

• 👍 28 reactions

sinbai commented Jun 29, 2022

Sorry, something went wrong.

pmav99 commented Jul 2, 2022 • edited

• ❤️ 2 reactions

adansmashni commented Jul 29, 2022 • edited

haleemason commented Aug 18, 2022 • edited

benc-uk commented Sep 29, 2022

Azkel commented Oct 17, 2022

• 👍 6 reactions

Azkel commented Oct 29, 2022 • edited

• 👍 1 reaction
• 👎 2 reactions

SSanjeevi commented Jul 6, 2023 • edited

ramvem commented Nov 14, 2023 • edited

No branches or pull requests