rdth-0524 asked SaurabhSharma-msft answered

Powershell - which cmdlet to assign rights to a Managed Identity

Hi, I want to automate granting a managed identity access to a Gen 2 data lake using PowerShell. This is to allow my Data Factory ADLS-based linked service to communicate with the storage account.

What PowerShell cmdlet would I use to achieve such a task?

Thanks in advance

Tags: azure-data-factory, windows-server-powershell, azure-data-lake-storage

Hey,

Is your ask about creating a linked service in ADF to ADLS via Managed identity or to add the ADF as an RBAC role in ADLS for it to leverage Managed identity?

rdth-0524 · NandanHegde-7720 ·

Hello - it is for the 2nd scenario: "to add the ADF as an RBAC role in ADLS for it to leverage Managed identity".

Thanks


1 Answer

SaurabhSharma-msft answered

Hi @rdth-0524,

Thanks for using Microsoft Q&A!!
If I understand correctly, you want to provide access to the managed identity of your ADF to your ADLS Gen2 based storage linked service.
In order to do so, you need to either use the PowerShell cmdlet `New-AzRoleAssignment` or the CLI cmdlet `az role assignment create`. You can either provide the "Storage Blob Data Reader" or "Storage Blob Data Contributor" role to grant access as per the documentation Storage Gen2 - System-assigned managed identity authentication for source or sink purpose.
Your PowerShell/CLI command will look like below -

```powershell
New-AzRoleAssignment -ObjectId "{ADF-Managed-Identity-Id}" -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/{Subscription Id}/resourceGroups/{Resource group Name}/providers/Microsoft.Storage/storageAccounts/{Storage Account Name}"
```

OR

```bash
az role assignment create --assignee "{ADF-Managed-Identity-Id}" --role "Storage Blob Data Contributor" --scope "/subscriptions/{Subscription Id}/resourceGroups/{Resource group Name}/providers/Microsoft.Storage/storageAccounts/{Storage Account Name}"
```

Here, you can get the managed identity of your ADF from the linked service popup blade in the ADF UI.
You can get the resource scope of the storage account by going to Azure Portal > ADLS Gen2 Storage Account Name > Endpoints
(screenshot: 186190-image.png)

Once proper permissions are granted, you should be able to validate the Linked Services -
(screenshot: 186266-image.png)

Please refer to below documents for additional details -

Please let me know if you have any questions.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
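The following script is an added example, not part of the answer above or of any Microsoft sample: it automates the same `New-AzRoleAssignment` grant end to end, resolving the factory's managed identity object id and the storage account's ARM id instead of pasting them by hand, defaulting to the least-privilege "Storage Blob Data Reader" role, optionally narrowing the scope to a single container, and skipping the grant if an equivalent assignment already exists. It assumes the Az.Accounts, Az.DataFactory, Az.Storage and Az.Resources modules are installed and `Connect-AzAccount` has already been run; every resource name in the `param` block is a placeholder.

```powershell
# Added example (hypothetical script, not from the answer): grant an ADF system-assigned
# managed identity least-privilege RBAC access to an ADLS Gen2 account, idempotently.
# Assumes Az.Accounts, Az.DataFactory, Az.Storage and Az.Resources are installed and
# Connect-AzAccount has been run. All resource names below are placeholders.
param(
    [string]$ResourceGroupName  = "rg-placeholder",
    [string]$DataFactoryName    = "adf-placeholder",
    [string]$StorageAccountName = "stplaceholder",
    [string]$ContainerName      = "",   # optional: restrict the grant to one container
    [ValidateSet("Storage Blob Data Reader", "Storage Blob Data Contributor")]
    [string]$RoleName           = "Storage Blob Data Reader"  # Reader for a source-only
                                                              # linked service, Contributor
                                                              # only if ADF writes (sink)
)

# 1. Resolve the factory's system-assigned identity. -ObjectId must be the principal
#    (object) id of that identity, not the factory's ARM resource id or an app id.
$factory     = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName
$principalId = $factory.Identity.PrincipalId
if (-not $principalId) {
    throw "Data factory '$DataFactoryName' has no system-assigned managed identity enabled."
}

# 2. Build the scope from the storage account's ARM id rather than hand-typing it, so a
#    typo cannot silently target the wrong subscription or resource group.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$scope   = $account.Id
if ($ContainerName) {
    # Container-level scope limits the identity to the data the pipeline actually touches.
    $scope = "$scope/blobServices/default/containers/$ContainerName"
}

# 3. Only create the assignment if the identity does not already hold this role at (or
#    above) the scope; Get-AzRoleAssignment -Scope also reports inherited assignments.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName `
                                 -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "'$RoleName' is already effective for $principalId at $scope"
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to $principalId at $scope"
}

# 4. Audit: list every role this identity holds so over-broad grants (for example
#    Contributor at subscription level) are visible next to the one just made.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope
```

Run it as `.\Grant-AdfStorageAccess.ps1 -ResourceGroupName rg-x -DataFactoryName adf-x -StorageAccountName stx -ContainerName raw` (the file name is just a suggestion). Two points worth knowing when the linked service test still fails right after the script succeeds: RBAC assignments can take a few minutes to propagate, so retry the "Test connection" rather than adding a broader role, and the data-plane roles used here are the only ones that matter for the linked service, so a management-plane role such as Contributor on the account does not grant blob access by itself.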

