How do I get the Principal ID of a Azure Storage Sync in Terraform
azurerm_storage_sync does not return the Principal ID (GUID), but instead returns the standard ID (8 key); however, I need to grant this new Storage Sync Owner access to the Storage Account. How do I do this within the Terraform code?
resource "azurerm_storage_sync" "ena_sync" {
name = "Citrix-File-Sync-${var.environment.short}"
resource_group_name = var.azurerm_vars.azurerm_resource_group
location = var.azurerm_vars.azurerm_location
}
resource "azurerm_role_assignment" "ena_sync" {
scope = $var.storage_account
role_definition_name = "Owner"
principal_id = azurerm_storage_sync.ena_sync.id
principal_type = "ServicePrincipal"
}
The above code doesn't work, because principal_id has to be a GUID, but azurerm_storage_sync.ena_sync.id returns a 8key ID.
╷
│ Error: unexpected status 400 (400 Bad Request) with error: InvalidPrincipalId: The Principal ID '/subscriptions/.../resourceGroups/.../providers/Microsoft.StorageSync/storageSyncServices/Citrix-File-Sync-Prod' is not valid. Principal ID must be a GUID.
│
│ with azurerm_role_assignment.ena_sync,
│ on sync_group.tf line 7, in resource "azurerm_role_assignment" "ena_sync":
│ 7: resource "azurerm_role_assignment" "ena_sync" {
│
╵
According to the docs only id, incoming_traffic_policy, location & tags are returns by this command, and not much more is returned by using a data point instead of the resource, so I'm wondering if there is another method I can use to get the Principal ID.
Or, is there some other way I need to add permissions to the Storage Account for the new Sync?
Or, is there some other way I need to add permissions to the Storage Account for the new Sync?
Yes, the azurerm_storage_sync resource does not represent a service principal and thus doesn't expose a principal_id (GUID), because Azure File Sync doesn’t use a user-assigned managed identity by default, and you can't assign RBAC to the storage sync resource directly using a principal_id.
You can use the code below to add managed identity to storage sync and assign the role to the storage account using Terraform and PowerShell.
Code:
provider "azurerm" {
features {}
subscription_id = "xxxxxx"
}
variable "environment" {
default = {
short = "prod"
}
}
variable "azurerm_vars" {
default = {
azurerm_location = "eastus"
azurerm_resource_group = "xxxxxx"
}
}
# Create Resource Group
resource "azurerm_resource_group" "main" {
name = var.azurerm_vars.azurerm_resource_group
location = var.azurerm_vars.azurerm_location
}
# Create Storage Account
resource "azurerm_storage_account" "my_storage" {
name = "mystorage${var.environment.short}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "LRS"
}
# Create Azure File Sync Service
resource "azurerm_storage_sync" "ena_sync" {
name = "Citrix-File-Sync-${var.environment.short}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
}
# Run PowerShell commands after Storage Sync creation to enable system-assigned identity and assign role
resource "null_resource" "enable_identity_and_role" {
depends_on = [
azurerm_storage_sync.ena_sync,
azurerm_storage_account.my_storage
]
provisioner "local-exec" {
command = <<-EOT
# Enable system-assigned identity on the Storage Sync service
$syncService = Set-AzStorageSyncService -ResourceGroupName '${var.azurerm_vars.azurerm_resource_group}' -Name 'Citrix-File-Sync-${var.environment.short}' -IdentityType 'SystemAssigned'
# Get the principal ID of the managed identity
$principalId = $syncService.Identity.PrincipalId
Write-Host "Storage Sync Service Identity PrincipalId: $principalId"
# Assign the role to the managed identity on the storage account
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope '/subscriptions/xxxxxxxx/resourceGroups/${var.azurerm_vars.azurerm_resource_group}/providers/Microsoft.Storage/storageAccounts/mystorage${var.environment.short}'
Write-Host 'Role assignment complete!'
EOT
interpreter = ["pwsh", "-Command"]
}
}
Output:
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
Reference:
Set-AzStorageSyncService (Az.StorageSync) | Microsoft Learn
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules