Cannot add KeyVault Secret-scoped role assignment with Azure Bicep
I am deploying something in the dev resource group. Something in it has a dependency on a Key Vault secret which is stored in a different resource group, main. From the main.bicep I am calling a role-assignment-secret.bicep module to deploy the role assignment:
```bicep
param role string
param assignee string
param vaultName string
param secretName string

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
  name: '${vaultName}/${secretName}'
  scope: resourceGroup('main')
}

resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(vaultName, secretName, assignee, role)
  properties: {
    principalId: assignee
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
  }
  scope: secret
}
```
Now secret yields an error, stating that:
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
Then I refactored the module to include another module.
ADD role-assignment.bicep
```bicep
param role string
param assignee string

resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(deployment().name, assignee, role)
  properties: {
    principalId: assignee
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
  }
}
```
Which is then called by role-assignment-secret.bicep:
```bicep
param role string
param assignee string
param vaultName string
param secretName string

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
  name: '${vaultName}/${secretName}'
  scope: resourceGroup('main')
}

module perm 'role-assignment.bicep' = {
  name: guid(vaultName, secretName, assignee, role)
  scope: secret
  params: {
    assignee: assignee
    role: role
  }
}
```
This then yields the following error:
Scope "resource" is not valid for this module. Permitted scopes: "resourceGroup".bicep(BCP134)
So basically Bicep is telling me that I cannot assign the role just for that specific secret, right? But I need to do this; I can easily do so via the portal GUI. Using a resource group as scope for the role assignment is too broad and results in excessive permissions being granted.
Solution 1:[1]
Oh well, there was an obvious oversight on my part. Instead of explicitly providing the scope property WITHIN the role-assignment-secret.bicep template, I should have injected it from outside when calling the module from the main.bicep. Working now. Apologies.
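The layout the answer describes, as an added example that is not the asker's own code: main.bicep sets the module's scope to the vault's resource group, so the module's existing secret reference needs no scope property and the role assignment can be scoped to that single secret (least privilege, rather than the whole resource group). The role definition GUID shown is assumed to be the built-in "Key Vault Secrets User" role; verify it with `az role definition list --name "Key Vault Secrets User"` before use.

```bicep
// ---- main.bicep (deployed into the 'dev' resource group) ----
targetScope = 'resourceGroup'

param assignee string      // object ID of the principal that must read the secret
param vaultName string
param secretName string
// Assumed: built-in "Key Vault Secrets User" role definition ID (verify in your tenant)
param role string = '4633458b-17de-408a-b874-0445c86b69e6'

// The scope is injected here, at the call site, instead of inside the module.
module secretPerm 'role-assignment-secret.bicep' = {
  name: 'secretPerm-${uniqueString(vaultName, secretName, assignee)}'
  scope: resourceGroup('main')   // the resource group that holds the vault
  params: {
    assignee: assignee
    role: role
    vaultName: vaultName
    secretName: secretName
  }
}

// ---- role-assignment-secret.bicep (runs in the 'main' resource group) ----
param role string
param assignee string
param vaultName string
param secretName string

// Existing vault and secret in the module's own resource group: no 'scope'
// property here, which is what triggered BCP139 in the original attempt.
resource vault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
  name: vaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
  parent: vault
  name: secretName
}

// Role assignment scoped to the single secret, not the vault or resource group.
resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(secret.id, assignee, role)   // deterministic, so redeploys are idempotent
  scope: secret
  properties: {
    principalId: assignee
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
  }
}
```

The two files are shown in one block for readability; split them at the comment headers when saving. After deployment, the assignment should appear under the secret's Access control (IAM) blade only, not at the vault or resource-group level.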
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | baouss |
