

Remove contributer role from CS Managed Identity
Only grant permissions to create tokens; contributor is too broad
janboll committed Nov 12, 2024
1 parent 07deb79 commit bcba7ed
Showing 2 changed files with 32 additions and 14 deletions.
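--- a/dev-infrastructure/modules/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr-permissions.bicep
@@ -4,10 +4,10 @@ param principalId string
 @description('Whether to grant push access to the ACR')
 param grantPushAccess bool = false
 
-@description('Whether to grant contributor access to the ACR')
-param grantContributorAccess bool = false
+@description('Whether to grant manage token access to the ACR')
+param grantManageTokenAccess bool = true
 
-@description('ACR Namespace Resource Group Name')
+@description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
 var acrPullRoleDefinitionId = subscriptionResourceId(
@@ -25,11 +25,6 @@ var acrDeleteRoleDefinitionId = subscriptionResourceId(
 'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 )
 
-var contributorRoleDefinitionId = subscriptionResourceId(
-'Microsoft.Authorization/roleDefinitions/',
-'b24988ac-6180-42a0-ab88-20f7382dd24c'
-)
-
 resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
 name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
 properties: {
@@ -57,10 +52,33 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 }
 }
 
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantContributorAccess) {
-name: guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (grantManageTokenAccess) {
+name: guid(acrResourceGroupid, principalId, 'token-creation-role')
+properties: {
+assignableScopes: [
+subscription().id
+acrResourceGroupid
+]
+description: 'This role allows the management of tokens in the ACR'
+permissions: [
+{
+actions: [
+'Microsoft.ContainerRegistry/registries/tokens/read'
+'Microsoft.ContainerRegistry/registries/tokens/write'
+'Microsoft.ContainerRegistry/registries/tokens/delete'
+'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+]
+}
+]
+roleName: 'ACR Manage Tokens'
+}
+}
+
+resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
+name: guid(acrResourceGroupid, principalId, 'token-creation-role')
 properties: {
-roleDefinitionId: contributorRoleDefinitionId
+roleDefinitionId: tokenManagementRole.id
 principalId: principalId
 principalType: 'ServicePrincipal'
 }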
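Review bot: `grantManageTokenAccess` defaults to `true`, so every consumer of this module that does not set the parameter now receives the token-management role as an opt-out grant; `param grantManageTokenAccess bool = false` would match `grantPushAccess` and keep the grant opt-in, since svc-cluster.bicep already passes `true` explicitly. In `tokenManagementRole`, `assignableScopes` includes `subscription().id` although the only assignment made here is at the ACR resource group — restricting it to `acrResourceGroupid` alone keeps the custom role from being assigned at subscription scope later. The module is instantiated once per resource group while `roleName: 'ACR Manage Tokens'` is constant and the definition `name` varies with `acrResourceGroupid` and `principalId`, so several definitions will share one display name; if custom role names have to be unique in the directory, the second deployment would fail, which is worth confirming before merge. The assignment resource keeps the symbolic name `acrContributorRole` even though it now binds `tokenManagementRole.id`; renaming it to something like `acrManageTokenRole` avoids suggesting Contributor is still granted. The closing brace of that assignment resource lies outside the hunk.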
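--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -366,13 +366,13 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
 }
 ]
 
-module acrContributorRole '../modules/acr-permissions.bicep' = [
+module acrManageTokenRole '../modules/acr-permissions.bicep' = [
 for (_, i) in clustersServiceAcrResourceGroupNames: {
-name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'contributor')
+name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
 scope: clustersServiceAcrResourceGroups[i]
 params: {
 principalId: csManagedIdentityPrincipalId
-grantContributorAccess: true
+grantManageTokenAccess: true
 acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
 }
 }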
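Review bot: Switching the module to `grantManageTokenAccess: true` drops the Contributor assignment from the template, but an incremental deployment does not delete role assignments that earlier runs created, so the managed identity most likely keeps Contributor on each ACR resource group until the old assignment (previously named `guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)`) is removed explicitly; the deployment mode is not visible here, so this should be confirmed and a one-off cleanup noted in the commit description. The module declaration's closing `]` lies outside the hunk.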

