Update advanced installation script with a try-catch for App Reg role assignment

The current ‘AddArmRole’ function appears to be a blocker on the advanced installation script. With a recent customer, we built a brand new app registration and utilized the default ‘deploy-az.ps1’ file from the Nerdio Manager initial install, and it failed at that step. Adding a ‘try-catch’ call allows the script to continue. I think this try-catch, or something similar, should be implemented in the script so it can continue and inform the admin to proceed with a manual RBAC assignment of the SPN to the subscription.

Existing 

# Existing function: a failure of New-AzRoleAssignment terminates the whole script,
# because there is no error handling around the call.
function AddArmRole($objectId, $scope, $roleName) {
    # Look for an existing assignment of this role at exactly this scope (idempotency check)
    $role = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
        Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq $roleName }

    if (!$role) {
        # Any error here (e.g. 'BadRequest') stops the installation script
        New-AzRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $roleName
    }
}

Proposed 

# Proposed function: wrap the assignment in try/catch so the script surfaces the failure,
# tells the admin to assign the role manually, and carries on with the rest of the install.
function AddArmRole($objectId, $scope, $roleName) {
    # Look for an existing assignment of this role at exactly this scope (idempotency check)
    $role = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
        Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq $roleName }

    if (!$role) {
        try {
            # -ErrorAction Stop turns a non-terminating cmdlet error into one the catch block sees
            New-AzRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $roleName -ErrorAction Stop
        } catch {
            # Report the failure and let the admin complete the RBAC assignment by hand
            Write-Warning "Failed to assign role '$roleName' to object '$objectId' at scope '$scope': $($_.Exception.Message)"
            Write-Warning "Assign the role to the service principal manually at '$scope' and continue with the installation."
        }
    }
}


Comments (3 comments)

Carl Long
Thank you for your feature request—your input helps shape our roadmap.

Next steps:
     • We will review your request and update its status as it moves through the evaluation process.
     • If we need more details, we'll reach out in the comments.

We also welcome additional feedback and votes from the community.
Chad Manzer

Thanks for sharing this. Do you have any details as to why the New-AzRoleAssignment failed? I'd like to try to add a better prerequisite check if there was a missing permission, or something like an RBAC propagation delay.

I will at least take this back to add in better error handling/ error surfacing like you provided above. Appreciate you sharing both the problem and the potential solution.

Kyle Jones

@Chad Manzer

Thanks for reaching out. The issue is that the script fails to assign the role when the role doesn't exist, so there isn't necessarily any RBAC propagation delay, because the role doesn't exist.

The exact error message is: “New-AzRoleAssignment: Operation returned an invalid status code 'BadRequest'”. 

I think the issue is the command in function may not function properly anymore. When running “New-AzRoleAssignment -ObjectId $objectId -Scope $scope -RoleDefinitionName $roleName” outside of the script, on its own, it fails with the same error. However, if I do “New-AzRoleAssignment -ApplicationId $appId -Scope $scope -RoleDefinitionName $roleName”, this works fine. 

I updated the fuller spectrum of the script to reference the appID instead of the objectID and that worked really well. 
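Putting the two threads together (the try/catch from the original request and the -ApplicationId finding above), here is an added example of how the assignment step could be written, as a standalone function and not code from Nerdio's deploy-az.ps1. It assumes the Az.Accounts and Az.Resources modules are loaded and Connect-AzAccount has been run by an identity that can write role assignments at the target scope. The function name AddArmRoleForApp, the parameter names, and the placeholder GUID/subscription in the usage comment are mine. One point it adds that this thread does not confirm, and so is flagged as an assumption: ARM role assignments bind to the service principal's object id, not the app registration's (Application object) id, so resolving the service principal from the application id is one plausible way to avoid a 'BadRequest' when -ObjectId is used.

```powershell
# Added example, not part of Nerdio's deploy-az.ps1. Requires Az.Accounts and Az.Resources
# and an existing Connect-AzAccount session. Names and placeholder values are assumptions.
function AddArmRoleForApp {
    param(
        [Parameter(Mandatory)] [string] $AppId,     # App registration's Application (client) ID
        [Parameter(Mandatory)] [string] $Scope,     # e.g. "/subscriptions/<subscription-id>"
        [Parameter(Mandatory)] [string] $RoleName   # e.g. "Contributor"
    )

    # 1. Resolve the service principal backing the app registration.
    #    Assumption (not confirmed on this thread): role assignments need the service
    #    principal's object id; the app registration's own object id is rejected.
    $sp = Get-AzADServicePrincipal -ApplicationId $AppId -ErrorAction SilentlyContinue
    if (-not $sp) {
        Write-Warning "No service principal found for application '$AppId' in this tenant."
        Write-Warning "Create one (New-AzADServicePrincipal -ApplicationId $AppId) and re-run, or assign the role manually."
        return $false
    }

    # 2. Idempotency check: skip if the role is already assigned at exactly this scope.
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $Scope -and $_.RoleDefinitionName -eq $RoleName }
    if ($existing) {
        Write-Host "Role '$RoleName' is already assigned to '$($sp.DisplayName)' at '$Scope'."
        return $true
    }

    # 3. Assign by application id (the form reported to work above). -ErrorAction Stop makes
    #    the cmdlet's error terminating so the catch block sees it instead of the script dying.
    try {
        New-AzRoleAssignment -ApplicationId $AppId -Scope $Scope -RoleDefinitionName $RoleName -ErrorAction Stop | Out-Null
        Write-Host "Assigned '$RoleName' to '$($sp.DisplayName)' at '$Scope'."
        return $true
    } catch {
        # Surface the failure with everything the admin needs to finish the step by hand,
        # then return so the caller can continue with the rest of the installation.
        Write-Warning ("Failed to assign '{0}' to application '{1}' (service principal object id {2}) at '{3}': {4}" -f `
            $RoleName, $AppId, $sp.Id, $Scope, $_.Exception.Message)
        Write-Warning "Assign it manually, e.g.: New-AzRoleAssignment -ObjectId $($sp.Id) -Scope '$Scope' -RoleDefinitionName '$RoleName'"
        return $false
    }
}

# Usage (placeholder values, assumed):
# $subscriptionId = '00000000-0000-0000-0000-000000000000'
# $ok = AddArmRoleForApp -AppId '11111111-1111-1111-1111-111111111111' `
#                        -Scope "/subscriptions/$subscriptionId" -RoleName 'Contributor'
# if (-not $ok) { Write-Warning "Continuing installation; RBAC assignment must be completed manually." }
```

Returning a boolean rather than throwing lets the calling script decide whether the missing assignment is fatal for the remaining steps, while the warnings carry the exact cmdlet the admin can paste to finish the RBAC step.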
