I am trying to script granting a role on Azure Data Lake Gen2. There is no issue with adding this for the Service Account:
# Resolve the storage account and the data factory (whose managed identity is the principal)
$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
# Look up the built-in Contributor role definition
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'
# Check whether the assignment already exists at the storage account scope
$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if (!$dataFactoryRole)
{
    # Assign the role at the storage account scope
    New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}
The issue is that I want to grant permission at the container level, not the service account level. The above script shows up at the container level as: Parent resource (inherited), but what is needed is: This resource.
I can do it through the portal, but that is not a valid solution for my case.
If you want to grant permission at the container level, please refer to the following script.
Besides, please note that if you want to access Azure Blob with AD auth, you need to use these roles: Storage Blob Data Contributor, Storage Blob Data Reader and Storage Blob Data Owner. For more details, please refer to here and here.
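As an added example (not the answer's own script, which is not reproduced on the page), the following PowerShell assigns Storage Blob Data Contributor to the data factory's managed identity at the scope of one container, and checks for an existing assignment at exactly that scope rather than one inherited from the storage account. $ResourceGroupName, $StorageAccountName, $DataFactoryName and $ContainerName are assumed input variables.

```powershell
# Added example: grant a data-plane blob role at container scope only.
# Assumed inputs (not from the page): $ResourceGroupName, $StorageAccountName,
# $DataFactoryName, $ContainerName.
$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$dataFactory    = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$principalId    = $dataFactory.Identity.PrincipalId

# The container scope is a child of the storage account resource ID. An assignment
# made here shows in the portal as "This resource", not "Parent resource (inherited)".
$containerScope = "$($storageAccount.ResourceId)/blobServices/default/containers/$ContainerName"

# Blob data access with AD auth needs a Storage Blob Data * role; the control-plane
# Contributor role does not grant read/write on blob content.
$roleName = 'Storage Blob Data Contributor'

# Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
# so filter on the Scope property to detect an assignment at exactly this container.
$existing = Get-AzRoleAssignment -Scope $containerScope -ObjectId $principalId -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $containerScope }

if (-not $existing) {
    New-AzRoleAssignment -Scope $containerScope -ObjectId $principalId -RoleDefinitionName $roleName | Out-Null
    Write-Host "Granted '$roleName' on container '$ContainerName' to data factory '$DataFactoryName'"
} else {
    Write-Host "'$roleName' on container '$ContainerName' was already assigned to data factory '$DataFactoryName'"
}

# Review what the identity holds at this scope, marking direct versus inherited assignments.
Get-AzRoleAssignment -Scope $containerScope -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope, @{ n = 'Direct'; e = { $_.Scope -eq $containerScope } }
```

Scoping the assignment to the container keeps the identity from inheriting write access to every other container in the account, which is the least-privilege outcome the question is after.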