No, this is not possible due to the fact that the REST call to apply permissions is something like this:

    /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/xxx

You cannot replicate subscription "level" REST calls with an ARM template yet.
Welp, contrary to everything I know, this works:
    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "resources": [
            {
                "type": "Microsoft.Authorization/roleAssignments",
                "name": "8446a13c-6886-46e2-a17f-9df73adb334e",
                "apiVersion": "2017-10-01-preview",
                "location": "[resourceGroup().location]",
                "properties": {
                    "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                    "principalId": "user_guid_goes_here",
                    "scope": "[resourceGroup().Id]"
                }
            }
        ]
    }
This assigns the Contributor role to the user with the provided GUID (principalId) to the resource group where you deploy the template. To assign another role, get its GUID and replace the Contributor GUID (b24988ac-6180-42a0-ab88-20f7382dd24c, a well-known GUID). You can also assign permissions to a specific resource. Use scope to do that (change it to resourceId). Name has to be a new GUID.
I have no idea why this works; I will get back to you when I find out why it works.
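Added example, not part of the original answer: a small Python check that parses a template like the one above and reports each role assignment's role, principal and scope, flagging privileged built-in roles granted on a whole resource group. The function name, the Owner, User Access Administrator and Reader GUIDs, and the second sample resource are additions for illustration; only top-level resources are inspected.

```python
import json
import re

# Built-in role definition GUIDs are the same in every Azure tenant.
BUILTIN_ROLES = {
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb4-a5c3-7773c20a72d9": "User Access Administrator",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
PRIVILEGED = {"Contributor", "Owner", "User Access Administrator"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def audit_role_assignments(template_text):
    """Return one finding per top-level roleAssignments resource."""
    findings = []
    for res in json.loads(template_text).get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/roleassignments":
            continue
        props = res.get("properties", {})
        # The role GUID is the last path segment inside the concat() expression.
        match = GUID_RE.search(props.get("roleDefinitionId", ""))
        role = BUILTIN_ROLES.get(match.group(0).lower() if match else None,
                                 "unknown/custom")
        scope = props.get("scope", "")
        findings.append({
            "name": res.get("name"),
            "role": role,
            "principalId": props.get("principalId"),
            "scope": scope,
            "privileged": role in PRIVILEGED,
            # True when the grant covers every resource in the group.
            "whole_resource_group": scope.replace(" ", "").lower() == "[resourcegroup().id]",
        })
    return findings

# Constructed sample: the answer's assignment plus a hypothetical Reader grant
# scoped to one storage account (names and GUIDs in the second entry are made up).
SAMPLE = """{"resources": [
 {"type": "Microsoft.Authorization/roleAssignments", "name": "8446a13c-6886-46e2-a17f-9df73adb334e",
  "properties": {"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
   "principalId": "user_guid_goes_here", "scope": "[resourceGroup().Id]"}},
 {"type": "Microsoft.Authorization/roleAssignments", "name": "00000000-0000-0000-0000-000000000001",
  "properties": {"roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
   "principalId": "user_guid_goes_here", "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage')]"}}
]}"""
```

Running `audit_role_assignments(SAMPLE)` marks the first assignment as a privileged Contributor grant on the whole resource group and the second as a non-privileged Reader grant on a single resource.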