# azure

few-coat-22129

02/18/2021, 1:03 AM
Are there any examples of how to use C# to create Azure Roles Assignments for a resource? (For example: in the portal I can, from the Access Control blade for a database server, assign the role of SQL DB Contributor to an App Service.) Thanks!

able-rose-67471

02/18/2021, 10:20 AM
To add a role to an existing user/application/group you can use `Azure.Authorization.Assignment` like below; here I just grabbed the ObjectId from the directory. You can use the `Pulumi.AzureAD` NuGet package to programmatically manage the directory if required:

```csharp
using Pulumi;
using Azure = Pulumi.Azure;

class ExampleStack : Stack
{
    public ExampleStack()
    {
        Azure.Core.ResourceGroup resourceGroup = new Azure.Core.ResourceGroup("rg-example");

        Azure.Storage.Account storageAccount = new Azure.Storage.Account("examplesa", new Azure.Storage.AccountArgs
        {
            ResourceGroupName = resourceGroup.Name,
            AccountReplicationType = "LRS",
            AccountTier = "Standard"
        });

        // Role assignment scoped to the storage account only.
        Azure.Authorization.Assignment role = new Azure.Authorization.Assignment("owner", new Azure.Authorization.AssignmentArgs
        {
            // ObjectId of the existing user/application/group, taken from the directory.
            PrincipalId = "88a0f5ab-bea2-421b-8fb9-c710ac6f8b10",
            RoleDefinitionName = "owner",
            Scope = storageAccount.Id
        });
    }
}
```
To assign access to a resource, I typically use the `SystemAssigned` identity of the resource. If you're wanting to assign a role to some newly created resource, there's a `SkipServicePrincipalAadCheck` as I believe sometimes it takes a while for the `PrincipalId` to exist after the resource has been created. See below:

```csharp
using Pulumi;
using Azure = Pulumi.Azure;

class AnotherExampleStack : Stack
{
    public AnotherExampleStack()
    {
        Azure.Core.ResourceGroup resourceGroup = new Azure.Core.ResourceGroup("rg-example");

        Azure.AppService.Plan appServicePlan = new Azure.AppService.Plan("plan-example", new Azure.AppService.PlanArgs
        {
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            Sku = new Azure.AppService.Inputs.PlanSkuArgs
            {
                Tier = "Standard",
                Size = "S1",
            },
        });

        // App Service with a system-assigned managed identity.
        Azure.AppService.AppService appService = new Azure.AppService.AppService("exampleAppService", new Azure.AppService.AppServiceArgs
        {
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            AppServicePlanId = appServicePlan.Id,
            Identity = new Azure.AppService.Inputs.AppServiceIdentityArgs
            {
                Type = "SystemAssigned"
            }
        });

        Azure.Storage.Account storageAccount = new Azure.Storage.Account("examplesa", new Azure.Storage.AccountArgs
        {
            ResourceGroupName = resourceGroup.Name,
            AccountReplicationType = "LRS",
            AccountTier = "Standard"
        });

        // Role assignment for the App Service's identity, scoped to the storage account only.
        Azure.Authorization.Assignment role = new Azure.Authorization.Assignment("owner", new Azure.Authorization.AssignmentArgs
        {
            // PrincipalId of the system-assigned identity created with the App Service.
            PrincipalId = appService.Identity.Apply(sp => sp.PrincipalId),
            RoleDefinitionName = "owner",
            Scope = storageAccount.Id,
            // Skip the AAD lookup for the newly created principal.
            SkipServicePrincipalAadCheck = true,
        });
    }
}
```

few-coat-22129

02/19/2021, 1:29 AM
wow - thanks so much this is great! 😃