Is it possible in pulumi (perhaps Azure Native) to...
# azure
b
Is it possible in pulumi (perhaps Azure Native) to associate a Custom Role to a managed Identity like in the step “Associating the Managed Identity to the Application Role” here in this blogpost? https://notetoself.tech/2021/04/05/calling-api-management-from-azure-function-using-managed-identities/
t
b
Thanks
@tall-librarian-49374 We get an error where it says: `azure-native:authorization:RoleAssignment (access-from-orchestrator): error: autorest/azure: Service returned an error. Status=400 Code="RoleDefinitionDoesNotExist" Message="The specified role definition with ID '0cf26f03409f8c83823e026178cc1238' does not exist."` when we try to create a role assignment to a role in our newly created App registration (using AzureAD Pulumi). It seems like the path for the role should be something else than `/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/`. Here is the role defined under our app registration where the ID matches the one that Pulumi cannot find. Any ideas how to solve this? Thanks in advance
t
`0cf26f03409f8c83823e026178cc1238` doesn't sound like a valid role definition ID
Basically, I create role assignments like this every day…
b
What would be a valid role definition id then?
And thanks for answering
t
As shown in that example, "/subscriptions/{guid}/providers/Microsoft.Authorization/roleDefinitions/{guid}"
b
It is a GUID that we assign, so perhaps it's just Azure's error message that confuses: 0cf26f03-409f-8c83-823e-026178cc1238. It's an App registration application role that we would like to assign to a function app, event grid topic or the API Management…
Here's our code:

```csharp
// Azure RBAC role assignment (azure-native:authorization:RoleAssignment) scoped to
// the API Management instance. RoleDefinitionId is built from the Id of the first
// App Role on the app registration; the role assignment name is a fixed GUID.
var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs
{
    PrincipalId = serviecPrincipal.ObjectId,
    PrincipalType = PrincipalType.Application,
    RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
    RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
    Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});
```
t
What is `roles`? Is that a custom role? Google doesn't seem to know this GUID.
b
@tall-librarian-49374 Sorry for not seeing your message. `roles` is using Pulumi AzureAD to create an Application with AppRoles:

```csharp
var appRegistration = CreateAppRegistration(this.AppRegistrationIdentifierUri);

// Creates the Azure AD application (Pulumi.AzureAD) with two App Roles that can
// only be assigned to service principals (AllowedMemberTypes = "Application").
private Application CreateAppRegistration(Output<string> appRegistrationIdentifierUri)
{
    var appRegistration = new Application("appregistration", new ApplicationArgs
    {
        AppRoles = new InputList<Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs>
        {
            new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs
            {
                Description = "Chipper Orchestrator Role",
                AllowedMemberTypes = { "Application" },
                DisplayName = "Chipper Orchestrator",
                IsEnabled = true,
                // Role value carries the per-stack random suffix
                Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-orchestrator-{sfix}")
            },
            new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs
            {
                Description = "Api Management Role",
                AllowedMemberTypes = { "Application" },
                DisplayName = "Api Management",
                IsEnabled = true,
                Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-management-{sfix}")
            }
        },
        AvailableToOtherTenants = false,
        DisplayName = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-{sfix}"),
        Oauth2AllowImplicitFlow = false,
        Type = "webapp/api",
        IdentifierUris = new InputList<string>
        {
            appRegistrationIdentifierUri
        }
    });

    return appRegistration;
}
```
And then `roles` is the output of that creation: `var appRoles = appRegistration.AppRoles;`. And our role assignment:

```csharp
// Azure RBAC role assignment scoped to the API Management instance; RoleDefinitionId
// is built from the Id of the first App Role defined on the app registration above.
var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs
{
    PrincipalId = serviecPrincipal.ObjectId,
    PrincipalType = PrincipalType.Application,
    RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
    RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
    Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});
```

So the process is: creating an application with Pulumi.AzureAD with App Roles, using that output to assign a role to e.g. our API Management, and for testing purposes we just use the Id attribute of the App Role in our /subscription… parameter.
t
I think App Roles and Azure AD Roles are different things.
App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization.
Administrative roles can be used to grant access to Azure AD and other Microsoft services
Sorry if I lead you to the wrong path
I believe you need an Azure AD feature that is currently missing. Probably, one of these two issues https://github.com/hashicorp/terraform-provider-azuread/issues/164 https://github.com/hashicorp/terraform-provider-azuread/issues/230