
Unable to assign container level permissions on Azure Data Lake Gen2 Account using terraform azure #299

rahulgulati89 opened this issue Nov 17, 2023 · 0 comments
Labels
bug Something isn't working example

Comments

@rahulgulati89

Is there an existing issue for this?

  • I have searched the existing issues

Example Name

Terraform Azure RM Role assignment

Terraform Version

1.3.1

Current Behavior

I am trying to add the Azure roles for a principal ID on my Azure storage account (Gen2 Data Lake with hierarchical namespace) but I am getting the error below in the pipeline.

Code ->

```hcl
# Add conformed layer file system
resource "azurerm_storage_data_lake_gen2_filesystem" "datahubdatalakesaxoconformed" {
  name               = var.datalake_conformed_file_system
  storage_account_id = azurerm_storage_account.datahubdatalake.id
}

# Assign Storage Blob Data Contributor role, scoped to the filesystem (this is the assignment that fails)
resource "azurerm_role_assignment" "roleassignmentconformed" {
  principal_id         = var.unity_catalog_global_access
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id
}
```

Error ->

```
Error: expected scope to be one of [/providers/Microsoft.Subscription], got https://saxodatahubdatalakedev.dfs.core.windows.net/datahub-conformed

  with azurerm_role_assignment.roleassignmentconformed,
  on main.tf line 193, in resource "azurerm_role_assignment" "roleassignmentconformed":
 193:   scope                = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id
```

However, if I change the above code as below, then it works, but the issue is that the working one will assign the "Storage Account Contributor" role at the account level. I need to assign roles for an Azure Managed Identity at the data lake filesystem level to make it a bit more restrictive. Is it possible to do that?

```hcl
# Assign Storage Blob Data Reader role, scoped to the whole storage account (this works)
resource "azurerm_role_assignment" "roleassignment" {
  principal_id         = var.databricks_global_reader
  role_definition_name = "Storage Blob Data Reader"
  scope                = azurerm_storage_account.datahubdatalake.id

  # Redundant: the scope reference above already creates this dependency
  depends_on = [
    azurerm_storage_account.datahubdatalake
  ]
}
```

Expected Behavior

I am expecting role assignment to work at the container/file system level as well, as in the code above.

Steps To Reproduce

No response

Anything else?

No response

@rahulgulati89 rahulgulati89 added bug Something isn't working example labels Nov 17, 2023
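The error above is a scope-format problem rather than a permissions limitation: Azure RBAC scopes must be ARM resource IDs (`/subscriptions/...`), while `azurerm_storage_data_lake_gen2_filesystem.<name>.id` is the data-plane DFS URL (`https://<account>.dfs.core.windows.net/<filesystem>`). An ADLS Gen2 filesystem is backed by a blob container, and the container has an ARM ID of the form `<storage account id>/blobServices/default/containers/<filesystem name>`, which is a valid role-assignment scope. The configuration below is an added example, not code from the issue author or from the provider project; it reuses the resource and variable names from the issue, and the `conformed_reader` resource name and the `local` are assumptions. It builds the container-level scope from the storage account ID and adds a precondition so a plan fails fast if the scope is ever a URL again (`startswith` needs Terraform 1.3 or later, which matches the version reported in the issue).

```hcl
# Added example, not the issue author's configuration.
# Goal: grant a role on ONE ADLS Gen2 filesystem instead of the whole account.

resource "azurerm_storage_data_lake_gen2_filesystem" "datahubdatalakesaxoconformed" {
  name               = var.datalake_conformed_file_system
  storage_account_id = azurerm_storage_account.datahubdatalake.id
}

locals {
  # ARM resource ID of the blob container that backs the filesystem.
  # Shape: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage
  #        /storageAccounts/<account>/blobServices/default/containers/<filesystem>
  # Referencing the filesystem's `name` also makes Terraform create the
  # filesystem before the role assignment, so no depends_on is needed.
  conformed_container_scope = join("/", [
    azurerm_storage_account.datahubdatalake.id,
    "blobServices", "default", "containers",
    azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.name,
  ])
}

# Least-privilege assignment: the identity can read/write data only inside
# this filesystem, not in any other container of the account.
resource "azurerm_role_assignment" "conformed_reader" { # resource name is an assumption
  scope                = local.conformed_container_scope
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.unity_catalog_global_access

  lifecycle {
    # Guard against accidentally passing a data-plane URL as the scope,
    # which is exactly the failure reported in the issue.
    precondition {
      condition     = startswith(local.conformed_container_scope, "/subscriptions/")
      error_message = "Role assignment scope must be an ARM resource ID, not a DFS/blob URL: ${local.conformed_container_scope}"
    }
  }
}
```

After apply, `az role assignment list --scope "<the container ID>"` should show the assignment at the container rather than the account. Note that a container-scoped data role does not grant the identity anything on other containers or on the account's control plane; if a tool also needs to enumerate containers or browse the account in the portal, that is a separate, narrower assignment (for example `Reader` at the account) rather than a reason to widen the data role to account scope.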