Hello,
I created a storage account, but there is no option to provide an access to it for my service principals:
Error: checking for presence of existing Scoped Role Assignment (Scoped Role Assignment (Scope: “/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/resourceGroups/kml_rg_main-ab877a4c73e04ece/providers/Microsoft.Storage/storageAccounts/saappsoutput/blobServices/default/containers/items”
│ Role Assignment Name: “9e931abf-4251-1036-cdec-e682cdf42af7”)): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client ‘kk_lab_user_main-ab877a4c73e04ece@azurekmlprodkodekloud.onmicrosoft.com’ with object id ‘03dbf8cc-e25b-4fa5-94fa-b4d83d74f235’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/read’ over scope ‘/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/resourceGroups/kml_rg_main-ab877a4c73e04ece/providers/Microsoft.Storage/storageAccounts/saappsoutput/blobServices/default/containers/items/providers/Microsoft.Authorization/roleAssignments/9e931abf-4251-1036-cdec-e682cdf42af7’ or the scope is invalid. If access was recently granted, please refresh your credentials
I kindly ask you to check this as a priority. I would like to check how workload identities work.
Thanks in advance.
I’ll need you to be more specific as to what you’re doing in the console. Please include a step-by-step where you indicate what “service principles” you’re trying to assign the RBAC to, and how you created them in the playground. Then I can look at what you did and replicate your error.
It’s simple.
Just try to create:
- storage account + container
- some service principal through app registration
- come back to storage account’s “Access Control (IAM)”
- try to assign some RBAC to the SP created on step 1. It’s disabled.
Actually RBAC is disabled for all newly created resources.
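The steps above hinge on how Azure RBAC decides whether the caller may perform a control-plane action such as `Microsoft.Authorization/roleAssignments/read` at a given scope. The following is an added illustration, not code from this thread or from KodeKloud: a deliberately simplified model of that decision (it ignores deny assignments, ABAC conditions and data actions). All subscription IDs, resource names, principal IDs and role definitions in it are constructed; the Contributor-style role is modelled on the built-in role's Actions/NotActions but is not an authoritative copy.

```python
"""Simplified model of Azure RBAC authorization at a scope (added example).

Rules modelled:
  * An assignment applies to its own scope and every child scope beneath it.
  * A role grants an action if it matches an entry in Actions and does not
    match an entry in NotActions ('*' is a wildcard that also spans '/').
  * NotActions only subtracts from the same role; it is not a deny. A second
    assignment can still grant the action.
Not modelled: deny assignments, ABAC conditions, DataActions, Entra ID
directory roles (which are a separate system and do not grant RBAC).
All identifiers below are constructed placeholders.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: RoleDefinition
    scope: str  # resource ID the role is assigned at; inherited downward


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive match where '*' may span several '/' segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Actions minus NotActions, evaluated within a single role definition."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True when the target is the assignment scope or a descendant of it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def granting_assignments(assignments, principal_id, action, scope):
    """Return (role name, scope) for each assignment that grants the action."""
    return [
        (ra.role.name, ra.scope)
        for ra in assignments
        if ra.principal_id == principal_id
        and scope_covers(ra.scope, scope)
        and role_permits(ra.role, action)
    ]


def is_authorized(assignments, principal_id, action, scope) -> bool:
    return bool(granting_assignments(assignments, principal_id, action, scope))


# --- constructed roles -------------------------------------------------------
OWNER = RoleDefinition("Owner (constructed)", ("*",))
CONTRIBUTOR = RoleDefinition(  # modelled on the built-in Contributor role
    "Contributor (constructed)",
    ("*",),
    ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/elevateAccess/Action"),
)
STORAGE_READER = RoleDefinition(  # custom role with no Authorization/* rights
    "Storage Reader (constructed)",
    ("Microsoft.Storage/storageAccounts/read",
     "Microsoft.Storage/storageAccounts/blobServices/containers/read"),
)
RA_ADMIN = RoleDefinition(  # custom role that only manages role assignments
    "Role Assignment Admin (constructed)",
    ("Microsoft.Authorization/roleAssignments/*",),
)

# --- constructed scopes ------------------------------------------------------
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SCOPE = SUBSCRIPTION_SCOPE + "/resourceGroups/rg-example"
OTHER_RG_SCOPE = SUBSCRIPTION_SCOPE + "/resourceGroups/rg-other"
CONTAINER_SCOPE = (RG_SCOPE + "/providers/Microsoft.Storage/storageAccounts/"
                   "stexample/blobServices/default/containers/items")

ACTION_READ_RA = "Microsoft.Authorization/roleAssignments/read"
ACTION_WRITE_RA = "Microsoft.Authorization/roleAssignments/write"

# --- constructed assignments -------------------------------------------------
ASSIGNMENTS = (
    RoleAssignment("user-a", CONTRIBUTOR, RG_SCOPE),
    RoleAssignment("user-b", STORAGE_READER, RG_SCOPE),
    RoleAssignment("user-c", OWNER, SUBSCRIPTION_SCOPE),
    RoleAssignment("user-d", CONTRIBUTOR, RG_SCOPE),
    RoleAssignment("user-d", RA_ADMIN, RG_SCOPE),
)

if __name__ == "__main__":
    for who in ("user-a", "user-b", "user-c", "user-d"):
        for act in (ACTION_READ_RA, ACTION_WRITE_RA):
            print(who, act.rsplit("/", 1)[1],
                  granting_assignments(ASSIGNMENTS, who, act, CONTAINER_SCOPE))
```

Reading the output against the thread: `user-b` holds only a resource-scoped custom role without any `Microsoft.Authorization/*` action, so even `roleAssignments/read` at the container fails, which is the shape of the 403 in the first post; `user-a` can read but not write role assignments because the Contributor-style role subtracts `Microsoft.Authorization/*/Write`; `user-c` gets everything at the container through inheritance from the subscription; and `user-d` shows that a NotActions entry in one role does not block a grant from a second assignment. An Entra ID directory role is absent from the model on purpose, since it is not consulted for resource-level RBAC.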
I did a little digging. Here’s a post from the Azure site; it’s a customer question similar to yours.
Q: Azure “Add role assignment” is disabled. I have tried with both Owner and User Admin Access role.
Hello,
I have both Owner and User Access Admin permission. But when I want to “add a role assignment for an Application” I noticed that my account for adding roles has been disabled, see image.
A: Confirm that your account indeed has both the Owner and User Access Administrator roles at the correct scope (e.g., subscription, resource group, or resource level).
Sometimes, conditional access policies can restrict certain actions. Check if there are any policies that might be affecting your ability to add role assignments.
I can pretty much guarantee you that the playground user for Azure does not have this kind of access. I’m not sure if there is something short of that which would allow it, but I sort of doubt that the folks setting up the playground would allow for that.
What’s your use case, if I wanted to take it up with our admin?
Hello,
It seems I described my case in my previous post; let me repeat that:
It’s simple.
Just try to create:
- storage account + container
- some service principal through app registration
- come back to storage account’s “Access Control (IAM)”
- try to assign some RBAC to the SP created on step 1. It’s disabled.
Actually RBAC is disabled for all newly created resources.
Entra ID roles aren’t enough for access to particular resources.
I kindly ask you to check this as a priority.
Thanks in advance