https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# azure
s
This message was deleted.
w
It should be as simple as enabling the system managed identity, taking that identity ID from the output and adding the identity to the roles. There's a separate resource for role assignment.
https://github.com/martinjt/aks-otel-demo/blob/main/infra/AKSCluster.cs#L99 That's an example of taking the system managed identity out of the AKS cluster and granting it DNS Contributor roles.
a
Magic, thanks @worried-knife-31967
I ended up doing something a little different. I'm creating a User Assigned Identity rather than using the System Assigned Identity of a resource...
Copy code
var identity = new UserAssignedIdentity(NameGenerator.ManagedIdentity("marketplace"), new UserAssignedIdentityArgs
    {
        ResourceGroupName = resourceGroup.Name
    });
Then assigning it to my Azure Web App via the Identity property, and then assigining it to each service where access is required. For example, here is a Storage Account...
Copy code
var roleAssignment = new RoleAssignment("storageAccountRoleAssignment", new RoleAssignmentArgs
        {
            PrincipalId = identity.PrincipalId.Apply(x => x),
            RoleDefinitionId = RoleDefinitions.StorageAccountContributor,
            Scope = Resource.Id,
            PrincipalType = PrincipalType.ServicePrincipal
        });
Though now I am wondering if using System Assigned may be better than User Assigned 😄
w
User Assigned can be useful, especially if you have a fleet of services that need the same access, that way, you can add them to groups, but you can do that with system managed too. User Assigned will also live beyond the appservice, so you can replace it easier.
👍 1
Open in Slack
PreviousNext
Powered by