Hi! I am trying to grant Directory Reader role to an Azure SQL Server instance, but I stuck.

var sqlServerManagedIdentity = sqlServer.Identity.Apply(x => x.PrincipalId);

new AppRoleAssignment("SqlServerDirectoryReader", new AppRoleAssignmentArgs
{
    AppRoleId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
    PrincipalObjectId = sqlServerManagedIdentity,
    ResourceObjectId = sqlServerManagedIdentity
});

I dont' know the difference between PrincipalObjectId and ResourceObjectId 😕 Does any one has an idea?

Is this what You're trying to achieve? https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role

yes, @adorable-soccer-30455

I think it might be DirectoryRoleMember You should use https://www.pulumi.com/registry/packages/azuread/api-docs/directoryrolemember/

Thanks that is working.

new DirectoryRoleMember("Sql Server Directory reader role", new DirectoryRoleMemberArgs()

{

RoleObjectId = new DirectoryRole("Directory Readers", new DirectoryRoleArgs

{

DisplayName = "Directory Readers"

}).ObjectId,

MemberObjectId = sqlServer.Identity.Apply(x => x.PrincipalId)

});