Role based access control administrator role not working for Managed Identities


Hi,


I was testing the conditions available within "Role Based Access Control Administrator". The condition was that /roleAssignments/write can be used to assign permissions only to service principals and not to any user or group, and similarly excluding privileged roles. I don't have a specific option for Managed Identity, so I chose to restrict it to Service Principal. Now when I assign this to a user it works as expected: the user is not able to assign back any roles to other users or groups. But when tried with a Managed Identity it fails. That Managed Identity is not able to assign permissions to other MIs. I just receive the below error:


╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '1cddb99b-58d8-49ba-b77a-ef3e55242591' with object id '1cddb99b-58d8-49ba-b77a-ef3e55242591' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<<sub-id>>/providers/Microsoft.Authorization/roleAssignments/cbc0b177-e87c-69dd-15c4-0fea750aac9a' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│   with module.aks_identity.azurerm_role_assignment.assign-role-to-resource["ids-Operator"],
│   on ../../modules/user_assigned_identity/main.tf line 17, in resource "azurerm_role_assignment" "assign-role-to-resource":
│   17: resource "azurerm_role_assignment" "assign-role-to-resource" {
│
╵


When I translate this error:

The client "managed identity name" with object id ... does not have authorization ... to assign "Managed Identity Operator".


Now for more details, this is the MI to which I have assigned that RBAC role with the conditions set.

I feel that for some reason, in the backend, it is not able to recognize the Managed Identity. Any help here is appreciated.
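As an added example (not code from the post above, and not Azure's own evaluator), here is a small model of the condition the post describes: "Role Based Access Control Administrator" restricted so that Microsoft.Authorization/roleAssignments/write may only target service principals and may not hand out privileged roles. The condition text is the shape the portal's condition builder produces for those two constraints; the exact operator names and the built-in role GUIDs are my recollection and should be checked against the Azure ABAC documentation and `az role definition list`. The evaluator and the request scenarios are constructed for illustration.

```python
"""Model of an Azure ABAC condition on the RBAC Administrator role.

Added example, not code from the original post and not Azure's engine.
It mirrors a condition that limits Microsoft.Authorization/roleAssignments/write
to ServicePrincipal targets and excludes the privileged roles. The operator
names in CONDITION and the role GUIDs below are assumptions to verify.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Built-in role definition IDs as I know them (assumption: confirm with
# `az role definition list --query "[].{name:roleName, id:name}" -o table`).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMINISTRATOR = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
RBAC_ADMINISTRATOR = "f58310d9-a9f6-439a-9e8d-f62e7b41a168"
MANAGED_IDENTITY_OPERATOR = "f1a07417-d97a-45cb-824c-7a7467783830"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

PRIVILEGED_ROLES = {OWNER, USER_ACCESS_ADMINISTRATOR, RBAC_ADMINISTRATOR}
WRITE_ACTION = "Microsoft.Authorization/roleAssignments/write"

# The condition as it would be attached to the role assignment (version 2.0).
CONDITION = f"""
(
 (
  !(ActionMatches{{'{WRITE_ACTION}'}})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase 'ServicePrincipal'
  AND
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {{{", ".join(sorted(PRIVILEGED_ROLES))}}}
 )
)
"""


@dataclass(frozen=True)
class RoleAssignmentRequest:
    """Attributes the condition inspects. They describe the assignment being
    written (its target principal and role), not the identity making the call."""
    action: str
    role_definition_id: str
    principal_type: Optional[str]  # "User", "Group", "ServicePrincipal" or absent


def condition_allows(req: RoleAssignmentRequest) -> bool:
    """Evaluate CONDITION for one request; True means the action may proceed."""
    # First disjunct: the condition constrains only roleAssignments/write.
    if req.action.lower() != WRITE_ACTION.lower():
        return True
    # Assumption of this model: an absent attribute cannot satisfy
    # StringEqualsIgnoreCase, so a write without a principalType is refused.
    if req.principal_type is None:
        return False
    target_is_sp = req.principal_type.lower() == "serviceprincipal"
    privileged = {g.lower() for g in PRIVILEGED_ROLES}
    not_privileged = req.role_definition_id.lower() not in privileged
    return target_is_sp and not_privileged


def scenarios() -> Dict[str, bool]:
    """Constructed requests: the cases from the post plus a few edge cases.
    A managed identity (system- or user-assigned) is a service principal in
    Entra ID, so as a target it presents PrincipalType=ServicePrincipal."""
    cases = {
        "reader_to_user": RoleAssignmentRequest(WRITE_ACTION, READER, "User"),
        "reader_to_group": RoleAssignmentRequest(WRITE_ACTION, READER, "Group"),
        "mi_operator_to_managed_identity": RoleAssignmentRequest(
            WRITE_ACTION, MANAGED_IDENTITY_OPERATOR, "ServicePrincipal"),
        "owner_to_service_principal": RoleAssignmentRequest(WRITE_ACTION, OWNER, "ServicePrincipal"),
        "delete_is_unconstrained": RoleAssignmentRequest(
            "Microsoft.Authorization/roleAssignments/delete", READER, "User"),
        "write_without_principal_type": RoleAssignmentRequest(
            WRITE_ACTION, MANAGED_IDENTITY_OPERATOR, None),
    }
    return {name: condition_allows(req) for name, req in cases.items()}


if __name__ == "__main__":
    print(CONDITION)
    for name, allowed in scenarios().items():
        print(f"{name:34} -> {'allowed' if allowed else 'denied'}")
```

In this model the post's failing case, Managed Identity Operator assigned to another managed identity, is permitted, because the condition looks at the target principal's type and a managed identity is a service principal. Two things worth checking in the lab before blaming the condition: whether the create request sent by `azurerm_role_assignment` actually carries a principalType (the resource has an optional `principal_type` argument), and whether the identity's conditioned RBAC Administrator assignment sits at a scope that covers the subscription-level scope shown in the 403.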