Subscription-scope authorization for Azure Resource Manager API user

Trying to put together an Azure ARM integration, where my code uses the Azure API to retrieve the full list of VMs in the entire subscription.

Went successfully through all the (many!) steps here to get an API user ready with all relevant IDs needed for authentication.

Using the same set of instructions, we were also able to grant this user the Reader role, for listing VMs in specific groups (we did this through the Azure UI). However, we have been unsuccessful in implementing the instructions here for setting up Reader role for this user to the entire subscription (through the CLI).

Running this:

azure role assignment create --objectId app-oid --roleName Reader --scope /subscriptions/subscription-id

Or this:

azure role assignment create --objectId app-oid --roleName Reader --subscription subscription-id --scope /subscriptions/subscription-id

Yields this:

Principals of type Application cannot validly be used in role assignments.

So currently we have no way of programmatically browsing the full set of VMs without adding a specific authorization for each Resource Group. Does anybody know of a way that actually works to assign this permission at the subscription level?



Solution 1:[1]

Found the answer in the comment area of the link in the question body: In the new portal, edit the subscription and add the role, just like you would do with a resource group. Still curious as to why the CLI doesn't support this.

Solution 2:[2]

The steps to use the Azure CLI to create and authorize a service principal are documented here: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal-cli/

Solution 3:[3]

Instead of using --objectId app-oid, try using -ServicePrincipalName <appId>: https://github.com/Azure/azure-powershell/issues/4776

Solution 4:[4]

Had the same error for role assignment with Terraform:

Principals of type Application cannot validly be used in role assignments.

But, as described here, using the Object Id that is displayed on the overview page of the app registration in the Azure portal results in the above error.

The solution is to get the Object Id from azure cli:

az ad sp show --id [Application (client) Id] -o json | grep objectId

# and then using this objectId assign your role

az role assignment create --role contributor --assignee-object-id [object id] --resource-group [MyResourceGroup]
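The thread turns on two details: the role must be assigned to the object id of the service principal (the enterprise application), not the object id of the app registration shown in the portal, and the scope string for a subscription-wide assignment is /subscriptions/<subscription-id>. The helper below, written as an added example and not code from any of the answers above, pulls the right id out of `az ad sp show` output, checks it against `az ad app show` output so the app-registration id is not used by mistake, and builds the `az role assignment create` argument list for a Reader assignment at subscription scope. The JSON documents, the GUIDs and the subscription id are all constructed sample values; the `--assignee-principal-type` flag is assumed to be available in the installed az version (it avoids a directory lookup when the assignee is a service principal). The code never calls az itself, so it runs offline.

```python
import json
import uuid

# Constructed sample of `az ad sp show --id <client-id> -o json` output.
# Real output carries many more fields; only the ones used here are kept.
# Newer (Microsoft Graph based) az releases emit "id"; older ones emitted "objectId".
SAMPLE_SP_SHOW = """{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "vm-inventory-reader",
  "id": "22222222-2222-2222-2222-222222222222",
  "servicePrincipalType": "Application"
}"""

# Constructed sample of `az ad app show --id <client-id> -o json` output.
# Note the different "id": this is the app registration object id that the
# portal overview page displays, and that role assignments reject.
SAMPLE_APP_SHOW = """{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "vm-inventory-reader",
  "id": "33333333-3333-3333-3333-333333333333"
}"""

SUBSCRIPTION_ID = "44444444-4444-4444-4444-444444444444"  # constructed sample


def _require_guid(value: str, what: str) -> str:
    """Reject anything that is not a GUID before it reaches a CLI argument."""
    try:
        uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{what} is not a GUID: {value!r}")
    return value


def service_principal_object_id(sp_show_json: str) -> str:
    """Return the service principal's object id from `az ad sp show` JSON,
    accepting both the newer "id" and the older "objectId" field names."""
    data = json.loads(sp_show_json)
    oid = data.get("id") or data.get("objectId")
    if not oid:
        raise ValueError("service principal JSON has neither 'id' nor 'objectId'")
    return _require_guid(oid, "service principal object id")


def is_service_principal_id(candidate: str, sp_show_json: str, app_show_json: str) -> bool:
    """True when `candidate` is the service principal's object id rather than
    the app registration's. Both documents must describe the same appId."""
    sp = json.loads(sp_show_json)
    app = json.loads(app_show_json)
    if sp["appId"] != app["appId"]:
        raise ValueError("service principal and app registration belong to different apps")
    return candidate == service_principal_object_id(sp_show_json) and candidate != app["id"]


def subscription_scope(subscription_id: str) -> str:
    """Scope string for a subscription-wide assignment."""
    return f"/subscriptions/{_require_guid(subscription_id, 'subscription id')}"


def role_assignment_argv(sp_object_id: str, subscription_id: str, role: str = "Reader") -> list:
    """Argument list for `az role assignment create` at subscription scope.
    Reader is enough to list VMs; grant a wider role only if the integration needs it."""
    return [
        "az", "role", "assignment", "create",
        "--role", role,
        "--assignee-object-id", _require_guid(sp_object_id, "assignee object id"),
        "--assignee-principal-type", "ServicePrincipal",
        "--scope", subscription_scope(subscription_id),
    ]


if __name__ == "__main__":
    oid = service_principal_object_id(SAMPLE_SP_SHOW)
    assert is_service_principal_id(oid, SAMPLE_SP_SHOW, SAMPLE_APP_SHOW)
    print(" ".join(role_assignment_argv(oid, SUBSCRIPTION_ID)))
```

Running the script prints the command line that would grant the service principal Reader on the whole subscription; feeding it the app registration's id ("3333...") instead makes `is_service_principal_id` return False, which is the mistake behind the "Principals of type Application cannot validly be used in role assignments" error.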

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 orange77
Solution 2 Neil Mackenzie
Solution 3 Kevin Cohen
Solution 4 scarface_90