Azure Lighthouse — Deployment Error (data actions not allowed)

I’ve been designing some templates for Azure Lighthouse deployments recently to delegate access and allow customer subscriptions to be managed from a central location.

Originally I had the following groups defined in the template to delegate access to Key Vault and to Storage Account File Shares and Blobs:

    {
        "principalId": "a627a78f-c2f2-4b34-b13c-9bbf46a768a8",
        "principalIdDisplayName": "KVCertificates",
        "roleDefinitionId": "a4417e6f-fecd-4de8-b567-7b0420556985"
    },
    {
        "principalId": "264f0c6d-851f-4e18-b511-b64aaa3be3e9",
        "principalIdDisplayName": "KVSecrets",
        "roleDefinitionId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"
    },
    {
        "principalId": "89e8f1c2-5260-4041-a837-688b2ab79e39",
        "principalIdDisplayName": "KVKeys",
        "roleDefinitionId": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603"
    },
    {
        "principalId": "2e4a624d-c9f5-49f8-9e78-16ce9ed09628",
        "principalIdDisplayName": "SAFileShareContributor",
        "roleDefinitionId": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb"
    },
    {
        "principalId": "f231666f-77e8-4b82-9fe2-32cb8907e947",
        "principalIdDisplayName": "SABlobDataContributor",
        "roleDefinitionId": "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
    },

And swiftly ran into this error when deploying the template:

    New-AzSubscriptionDeployment : 16:28:54 - The deployment 'lighthouse' failed with error(s). Showing 1 out of 1 error(s).
    Status Message: The role definition 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' with data actions not allowed for registration definition '263f62fb-ac4e-5c57-b9ba-67cb6a1717a3'. Only built in role definitions without any data and notData actions are allowed. (Code:InvalidRegistrationDefinitionCreateRequest)
    CorrelationId: f22f3e57-5cf5-459b-aba0-d08bc3a3aacc
    At line:1 char:1
    + New-AzSubscriptionDeployment -Name lighthouse -Location uksouth ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzDeployment], Exception
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureSubscriptionDeploymentCmdlet

Turns out you cannot use Lighthouse with role definitions that have data actions (i.e. roles that grant access to the data plane, such as blob contents or Key Vault secrets, rather than to the resource itself via the control plane). The error message spells out the rule: only built-in role definitions with no dataActions and no notDataActions are accepted in a registration definition.
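A pre-flight check for this constraint, added here as an example and not code from the original post: it walks the template's authorization entries, looks up each roleDefinitionId with Get-AzRoleDefinition, and reports any role that is custom or carries dataActions/notDataActions before New-AzSubscriptionDeployment is run. The lookup is injectable, so the block below runs offline against constructed sample data; the parameter-file layout in the usage comment and the placeholder role id are assumptions.

```powershell
# Added example, not code from the original post: a pre-flight check that reads the
# "authorizations" entries of a Lighthouse template and flags any roleDefinitionId the
# registration definition will reject (custom role, or dataActions/notDataActions present).
# Assumes Az.Resources is installed and Connect-AzAccount has been run for live lookups.
function Test-LighthouseAuthorizations {
    param(
        [Parameter(Mandatory)] [object[]] $Authorizations,   # objects with roleDefinitionId, principalIdDisplayName
        # Lookup is injectable so the check can run offline; the default calls the real Az cmdlet.
        [scriptblock] $RoleLookup = { param($id) Get-AzRoleDefinition -Id $id }
    )
    foreach ($auth in $Authorizations) {
        $role = & $RoleLookup $auth.roleDefinitionId
        $reasons = @()
        if (-not $role) {
            $reasons += 'role definition not found'
        } else {
            if ($role.IsCustom) { $reasons += 'custom role (only built-in roles allowed)' }
            if (@($role.DataActions).Count -gt 0 -or @($role.NotDataActions).Count -gt 0) {
                $reasons += 'has dataActions/notDataActions (data-plane role)'
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Group = $auth.principalIdDisplayName; RoleId = $auth.roleDefinitionId; Reason = ($reasons -join '; ') }
        }
    }
}

# Live use (assumed layout: the authorizations array is a template parameter value):
#   $t = Get-Content .\lighthouse.parameters.json -Raw | ConvertFrom-Json
#   Test-LighthouseAuthorizations -Authorizations $t.parameters.authorizations.value

# Constructed sample data so the check runs offline. The blob role id is the one from the
# post's error; the second id is a placeholder standing in for a built-in control-plane-only role.
$sampleRoles = @{
    'ba92f5b4-2d11-453d-a403-e96b0029c9fe' = [pscustomobject]@{
        Name = 'Storage Blob Data Contributor'; IsCustom = $false; NotDataActions = @()
        DataActions = @('Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read')
    }
    '00000000-0000-0000-0000-00000000abcd' = [pscustomobject]@{
        Name = 'Placeholder control-plane role'; IsCustom = $false; DataActions = @(); NotDataActions = @()
    }
}
$sampleAuths = @(
    [pscustomobject]@{ principalIdDisplayName = 'SABlobDataContributor'; roleDefinitionId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' }
    [pscustomobject]@{ principalIdDisplayName = 'ControlPlaneOnly';     roleDefinitionId = '00000000-0000-0000-0000-00000000abcd' }
)
Test-LighthouseAuthorizations -Authorizations $sampleAuths -RoleLookup { param($id) $sampleRoles[$id] } |
    Format-Table -AutoSize   # only SABlobDataContributor is reported
```

Running the same function with the default lookup against a real parameter file surfaces every offending role in one pass, instead of one failed deployment per role.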

Worth bearing in mind when designing your access model, AAD group structure and Lighthouse templates!
