Marcel Asks: How do you assign "Reservations Reader" or "Reservations Administrator" in an ARM template?
I'm building a LogicApp that creates custom notifications for Azure Reservations, and I'm now trying to build an ARM template to automate the deployment.
One of the key steps of the deployment is to assign the Managed Identity assigned to the LogicApp the permission to read all reservations, which can be done with PowerShell like this.
I've included the following resource in my ARM template:
Code:
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-10-01-preview",
  "name": "[guid('ReservationReaderAssignment', subscription().id, parameters('logicAppName'))]",
  "properties": {
    "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '582fc458-8989-419f-a480-75249bc5db7e')]",
    "principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full').identity.principalId]",
    "principalType": "ServicePrincipal"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
  ]
}
The GUID for the role (582fc458-8989-419f-a480-75249bc5db7e) was found in the portal under Reservations Reader.
When I deploy this template, I get:
... The role Reservations Reader is not available for assignment at the requested scope. ...
Since the page above states it is done (through PowerShell) on the tenant-level, I've tried setting the scope to /, but got the same error.
Trying /providers/Microsoft.Compute (another iteration I saw somewhere) I get a ... The resource namespace 'providers' is invalid ... .
How do you add this role assignment?