Skip to content

Commit

Permalink
Merge pull request Azure#828 from Azure/add-cs-token-role
Browse files Browse the repository at this point in the history
Remove contributer role from CS Managed Identity
  • Loading branch information
janboll authored Nov 13, 2024
2 parents 98577f2 + 2dba4a7 commit a97997b
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 14 deletions.
21 changes: 10 additions & 11 deletions dev-infrastructure/modules/acr-permissions.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,10 @@ param principalId string
@description('Whether to grant push access to the ACR')
param grantPushAccess bool = false

@description('Whether to grant contributor access to the ACR')
param grantContributorAccess bool = false
@description('Whether to grant manage token access to the ACR')
param grantManageTokenAccess bool = true

@description('ACR Namespace Resource Group Name')
@description('ACR Namespace Resource Group Id')
param acrResourceGroupid string

var acrPullRoleDefinitionId = subscriptionResourceId(
Expand All @@ -25,11 +25,6 @@ var acrDeleteRoleDefinitionId = subscriptionResourceId(
'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
)

var contributorRoleDefinitionId = subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions/',
'b24988ac-6180-42a0-ab88-20f7382dd24c'
)

resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
properties: {
Expand Down Expand Up @@ -57,10 +52,14 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
}
}

resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantContributorAccess) {
name: guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)
resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess) {
name: guid(acrResourceGroupid, 'token-creation-role')
}

resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
name: guid(acrResourceGroupid, principalId, 'token-creation-role')
properties: {
roleDefinitionId: contributorRoleDefinitionId
roleDefinitionId: tokenManagementRole.id
principalId: principalId
principalType: 'ServicePrincipal'
}
Expand Down
23 changes: 23 additions & 0 deletions dev-infrastructure/modules/acr/acr.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -56,3 +56,26 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
}
}

resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
name: guid(resourceGroup().id, 'token-creation-role')
properties: {
assignableScopes: [
subscription().id
resourceGroup().id
]
description: 'This role allows the management of tokens in the ACR'
permissions: [
{
actions: [
'Microsoft.ContainerRegistry/registries/tokens/read'
'Microsoft.ContainerRegistry/registries/tokens/write'
'Microsoft.ContainerRegistry/registries/tokens/delete'
'Microsoft.ContainerRegistry/registries/generateCredentials/action'
'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
]
}
]
roleName: 'ACR Manage Tokens'
}
}
6 changes: 3 additions & 3 deletions dev-infrastructure/templates/svc-cluster.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -366,13 +366,13 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
}
]

module acrContributorRole '../modules/acr-permissions.bicep' = [
module acrManageTokenRole '../modules/acr-permissions.bicep' = [
for (_, i) in clustersServiceAcrResourceGroupNames: {
name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'contributor')
name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
scope: clustersServiceAcrResourceGroups[i]
params: {
principalId: csManagedIdentityPrincipalId
grantContributorAccess: true
grantManageTokenAccess: true
acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
}
}
Expand Down

0 comments on commit a97997b

Please sign in to comment.