Solved: bicep Scope Issue on Microsoft.Authorization/roleAssignments

Bicep version
0.3.1

Describe the bug
Attempting to assign RBAC Key Vault Permissions within a bicep file. Key Vault is created via a module w/ an App Service created via a separate module. Want to assign RBAC permissions to the new App Service to the new Key Vault and scope the access to just the newly created Key Vault.

When doing this get:
....main.bicep(79,10) : Error BCP135: Scope "module" is not valid for this resource type. Permitted scopes: "resource", "tenant", "managementGroup", "subscription", "resourceGroup".

To Reproduce
Steps to reproduce the behavior:
Here's the code in the main.bicep file for Key Vault creation and RBAC assignment. IntelliSense also detects the invalid module type being passed in.

module keyVault 'key_vault.bicep'= {
  name: '${regionAbrv}KeyVaultDeploy'
  params: {
    appName: appBaseName
    logAnalyticsWorkspaceID: logAnalyticsWorkspace.outputs.logAnalaticsWorkspaceResourceID
  }
}
resource appServiceKeyVaultAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Key Vault Secret User', 'testapp1' , subscription().subscriptionId)
  scope: keyVault
  properties: {
    roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' //Key Vault Secrets User
    principalId: appServiceModule.outputs.appServiceIdentity

  }
}

Additional context
This might be an issue with the provider not accepting the type... know the .Authorization one is kind of "different" since it's more integrated with Azure AD.

31 Answers

✔️Accepted Answer

I can confirm that using this works great:

var readerAndDataAccessRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c12c1c16-33a1-487b-954d-41c89c60f349')

However, this was never part of my problem; my problem is the assignment scope, and it would be solved by passing generic references as suggested in #2246.

Other Answers:

@JadedATB I had the same "The request was incorrectly formatted." - it was down to providing an invalid roleDefinitionId - it needs to be fully qualified rather than just the role GUID.

var roleId = '00000000-0000-0000-0000-000000000000' // placeholder role GUID
// inside the role assignment's properties block:
roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleId)

Can we please either have a more dynamic way to create objects of type Resource from a resourceId or be able to pass an object of type Resource as a parameter?

I'm working on a spec right now to do just that, to unblock this exact scenario - watch this space! Feedback on the spec will be greatly appreciated once it's out there.
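One way to keep the assignment scoped to the single vault despite the BCP135 error in the question, as an added example that is not from the thread or from the Bicep project: put the role assignment in its own module, where the vault can be declared as an `existing` resource and used as `scope`. The file name `kv_role_assignment.bicep`, the `keyVaultName` output, the module deployment name and the `2019-09-01` vault API version are assumptions; the role GUID and the `appServiceIdentity` output come from the question.

```bicep
// kv_role_assignment.bicep (hypothetical file name)
//
// Called from main.bicep like this (keyVaultName is an assumed output of key_vault.bicep):
//
//   module kvAccess 'kv_role_assignment.bicep' = {
//     name: '${regionAbrv}KeyVaultAccess'
//     params: {
//       keyVaultName: keyVault.outputs.keyVaultName
//       principalId: appServiceModule.outputs.appServiceIdentity
//     }
//   }

// Module parameters may be fed from other modules' outputs, which is what
// lets main.bicep hand over values it only learns during deployment.
param keyVaultName string
param principalId string

// Fully qualified role definition ID, as the accepted answer recommends.
// GUID taken from the question: Key Vault Secrets User.
var secretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

// A symbolic reference to the already-deployed vault. This is of type
// "resource", one of the scopes BCP135 lists as permitted.
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

resource appServiceKeyVaultAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Deterministic name: same vault + principal + role always yields the same GUID,
  // so redeploying does not create a duplicate assignment.
  name: guid(kv.id, principalId, secretsUserRoleId)
  // Least privilege: the grant applies to this vault only, not the resource group.
  scope: kv
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: principalId
  }
}
```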
