This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 64%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXB%3C/text%3E%3C/svg%3E)
I deployed my Azure Function app using ARM template, everything looks fine, except for one issue, I'm trying to assign roles using the setting below:
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), 'blob-contributor')]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2016-08-01', 'Full').identity.principalId]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), 'table-data-contributor')]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2016-08-01', 'Full').identity.principalId]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), 'queue-contributor')]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2016-08-01', 'Full').identity.principalId]"
}
}
I got three roles set up successfully:
But got one missing:
Could anyone give any advice about what's wrong with my settings?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 39%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Hello Xiuyang Bobby Sun,
Thanks for reaching out, could you please check this and provide us with an update.
You're assigning roles correctly in your ARM template, but the issue with the "Storage Table Data Contributor" role likely stems from a timing or scope-related issue. According to Microsoft's documentation, this role must be assigned at the storage account, resource group, or subscription level—not at the individual table level. Your current scope is correct, but the problem may be that the Function App’s system-assigned managed identity isn't fully provisioned when the role assignment executes.
I think so, it should be some time issue, but not sure how to resolve it. I have already applied 180 seconds for deployScripts:
{ //Wait for 180 seconds before starting OneDeploy to complete role assignment before deployment
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "WaitSection",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
],
"kind": "AzurePowerShell",
"properties": {
"azPowerShellVersion": "7.0",
"scriptContent": "start-sleep -Seconds 180",
"cleanupPreference": "Always",
"retentionInterval": "PT1H"
}
},
Should applying a longer delay resolve the issue, or should I add some dependsOn?
@Xiuyang Bobby Sun, could you please share the error message you are receiving while deploying the template? This will help us troubleshoot the issue further.
I didn't get any error. In the deployment process, I saw that all three roles were created successfully, just not showing up in the storage account role assignments.
@Xiuyang Bobby Sun, we really appreciate your patience. We have reproduced the issue on our end and are discussing it with our internal team. We will update you as soon as we have more information.
Hi, I have resolved the issue. The role ID I used, '17d1049b-9a84-46fb-8f53-869881c3d3ab,' is expired or, for some other reason, not used for Storage Table Data Contributor. I have updated to use '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3' as the role ID, and it works fine now. Thanks for looking into the issue.