Azure / terraform

Source code for the Azure Marketplace Terraform development VM package.
MIT License

Unable to assign container level permissions on Azure Data Lake Gen2 Account using terraform azure #299

Open rahulgulati89 opened 9 months ago

rahulgulati89 commented 9 months ago

Is there an existing issue for this?

Example Name

Terraform Azure RM Role assignment

Terraform Version

1.3.1

Current Behavior

I am trying to add the Azure roles for a Principal Id on my Azure storage account (Gen2 Data Lake with hierarchical namespace) but am getting the error below in the pipeline.

Code ->

## Add conformed layer file system
resource "azurerm_storage_data_lake_gen2_filesystem" "datahubdatalakesaxoconformed" {
  name               = var.datalake_conformed_file_system
  storage_account_id = azurerm_storage_account.datahubdatalake.id
}

# Assign Blob Data reader role 
resource "azurerm_role_assignment" "roleassignmentconformed" {
  principal_id         = var.unity_catalog_global_access
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id
}

Error ->

Error: expected scope to be one of [/providers/Microsoft.Subscription], got https://saxodatahubdatalakedev.dfs.core.windows.net/datahub-conformed

  with azurerm_role_assignment.roleassignmentconformed,
  on main.tf line 193, in resource "azurerm_role_assignment" "roleassignmentconformed":
 193:   scope                = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id

However, if I change the above code like below, then it works, but the issue is that the working one will assign the "Storage Account Contributor" role at the account level. I need to assign roles for an Azure Managed Identity at the data lake filesystem level to make it a bit more restrictive. Is it possible to do that?

# Assign Blob Data reader role to
resource "azurerm_role_assignment" "roleassignment" {
  principal_id         = var.databricks_global_reader
  role_definition_name = "Storage Blob Data reader"
  scope                = azurerm_storage_account.datahubdatalake.id

  depends_on = [
    azurerm_storage_account.datahubdatalake
  ]
}

Expected Behavior

I am expecting the role assignment to work at the container/file system level as well, as described in the code above.

Steps To Reproduce

No response

Anything else?

No response
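As an added example (not part of the issue or a maintainer reply), this shows the least-privilege variant the reporter is after: the filesystem resource's `id` is a DFS endpoint URL, which the Authorization API rejects as a scope, so the assignment is scoped to the container's ARM resource ID instead, leaving the account-wide assignment unnecessary. It assumes the `azurerm_storage_account.datahubdatalake`, `azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed` resources and the `var.unity_catalog_global_access` variable from the issue; the `/blobServices/default/containers/<name>` suffix is the standard Azure RBAC container scope.

```hcl
# Added example: replaces the failing "roleassignmentconformed" block.
# Assumes the storage account, filesystem and variable defined in the issue.

locals {
  # The filesystem's `id` attribute is a DFS URL, not an ARM resource ID.
  # Azure RBAC scopes must be ARM IDs, so build the container scope by hand:
  #   <storage account ARM id>/blobServices/default/containers/<filesystem name>
  conformed_fs_scope = join("/", [
    azurerm_storage_account.datahubdatalake.id,
    "blobServices/default/containers",
    azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.name,
  ])
}

# Least privilege: the managed identity can read and write blobs in this one
# filesystem only, instead of every container in the storage account.
resource "azurerm_role_assignment" "roleassignmentconformed" {
  principal_id         = var.unity_catalog_global_access
  role_definition_name = "Storage Blob Data Contributor"
  scope                = local.conformed_fs_scope

  # The container must exist before the scope can be resolved.
  depends_on = [
    azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed,
  ]
}

# Exposes the computed scope so it can be checked after apply, e.g. with
# `az role assignment list --scope <value>`, which should list only this
# container-level assignment and nothing at the account scope.
output "conformed_fs_role_scope" {
  value = local.conformed_fs_scope
}
```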