Today I needed to automate a standard scenario in Azure: connecting a Web App Service (in my case ASP.NET Core) to Azure BLOB and Table Storage. The auth is being done through Managed Identities, so the Web App’s identity needs to be granted read/write access to the Storage Account using RBAC. And this should all be automated in Bicep.
The noteworthy part here is that you’ll first need to find the ID of the built-in role you want to assign to the Web App. These IDs can be found here. To access both table and blob content you’ll need to add both the Storage Table Data Contributor and Storage Blob Data Contributor roles.
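// Deployment inputs. Descriptions surface in the portal/CLI parameter prompts;
// the length constraint on the storage account name fails fast at validation time
// instead of partway through a deployment.
@description('Azure region for the App Service plan, Web App and Storage Account.')
param location string

@description('Name of the Linux App Service plan that hosts the Web App.')
param appServicePlanName string

@description('SKU name for the App Service plan, such as B1 or S1.')
param appServicePlanSku string

@description('Name of the Web App whose system-assigned identity is granted access to storage.')
param webAppName string

// Storage account names must be 3-24 characters and globally unique; the platform
// additionally requires lowercase letters and digits only, which no decorator expresses.
@description('Globally unique Storage Account name (3-24 lowercase letters and digits).')
@minLength(3)
@maxLength(24)
param storageAccountName string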
// Linux App Service plan that hosts the Web App below.
resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: appServicePlanSku
  }
  kind: 'linux'
  properties: {
    // Must be true for a Linux plan; kind 'linux' alone is not sufficient.
    reserved: true
  }
}
// Linux Web App running .NET 6 on the plan above. Its system-assigned identity is
// the principal that the storage role assignments further down bind to.
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  // Enabling the identity is what makes `webApp.identity.principalId` available
  // to the role assignments; without it they have no principal to grant.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: appServicePlan.id
    // Plain-HTTP requests are redirected to HTTPS.
    httpsOnly: true
    // No ARR affinity cookie; requests may land on any instance.
    clientAffinityEnabled: false
    siteConfig: {
      linuxFxVersion: 'DOTNETCORE|6.0'
      alwaysOn: true
      // NOTE(review): FTP deployment stays at its platform default here; if it is
      // not used, consider `ftpsState: 'Disabled'` to remove that credential surface.
    }
  }
}
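// Storage account the Web App reaches via its managed identity (see the role
// assignments below). Anonymous blob access is kept off: every caller in this
// scenario authenticates with Azure AD, and leaving the account-level switch on
// would allow a container to be set to anonymous read, bypassing the RBAC grants.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    accessTier: 'Hot'
    // Nothing in this deployment needs anonymous access; keep the switch off.
    allowBlobPublicAccess: false
    // Reject plain HTTP and TLS versions older than 1.2.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // Once every client uses managed identity, `allowSharedKeyAccess: false`
    // retires the account keys entirely; left unset so key-based tooling keeps working.
  }
}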
// Built-in "Storage Table Data Contributor" role, resolved at subscription scope so
// its full resource ID can be referenced by the assignment below. Built-in role
// GUIDs are the same in every Azure tenant.
resource storageTableDataContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: '17d1049b-9a84-46fb-8f53-869881c3d3ab'
  scope: subscription()
}
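// Grants the Web App's system-assigned identity Storage Table Data Contributor,
// scoped to this storage account only. The name is a deterministic GUID derived
// from (resource group, principal, role) so redeploys update the same assignment
// instead of creating duplicates.
resource tableRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, webApp.id, storageTableDataContributorRoleDefinition.id)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageTableDataContributorRoleDefinition.id
    principalId: webApp.identity.principalId
    // Declaring the principal kind lets ARM create the assignment even when the
    // freshly minted identity has not yet replicated to Azure AD; without it the
    // deployment can fail intermittently with PrincipalNotFound.
    principalType: 'ServicePrincipal'
  }
}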
// Built-in "Storage Blob Data Contributor" role, resolved at subscription scope so
// its full resource ID can be referenced by the assignment below. Built-in role
// GUIDs are the same in every Azure tenant.
resource storageBlobDataContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  scope: subscription()
}
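// Grants the Web App's system-assigned identity Storage Blob Data Contributor,
// scoped to this storage account only. The deterministic GUID name keeps the
// assignment idempotent across redeploys.
resource blobRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, webApp.id, storageBlobDataContributorRoleDefinition.id)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageBlobDataContributorRoleDefinition.id
    principalId: webApp.identity.principalId
    // Declaring the principal kind lets ARM create the assignment even when the
    // freshly minted identity has not yet replicated to Azure AD; without it the
    // deployment can fail intermittently with PrincipalNotFound.
    principalType: 'ServicePrincipal'
  }
}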