
brave-winter-60074

04/21/2021, 12:16 PM
Is it possible in pulumi (perhaps Azure Native) to associate a Custom Role to a managed Identity like in the step “Associating the Managed Identity to the Application Role” here in this blogpost? https://notetoself.tech/2021/04/05/calling-api-management-from-azure-function-using-managed-identities/

tall-librarian-49374

04/21/2021, 12:31 PM

brave-winter-60074

04/21/2021, 1:13 PM
Thanks
@tall-librarian-49374 We get an error that says: azure-native:authorization:RoleAssignment (access-from-orchestrator): error: autorest/azure: Service returned an error. Status=400 Code="RoleDefinitionDoesNotExist" Message="The specified role definition with ID '0cf26f03409f8c83823e026178cc1238' does not exist.", when we try to create a role assignment to a role in our newly created App registration (using AzureAD Pulumi). It seems like the path for the role should be something other than
/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/
Here is the role defined under our app registration, where the ID matches the one that Pulumi cannot find. Any ideas how to solve this? Thanks in advance

tall-librarian-49374

04/26/2021, 12:56 PM
0cf26f03409f8c83823e026178cc1238 doesn't sound like a valid role definition ID
Basically, I create role assignments like this every day…

brave-winter-60074

04/26/2021, 1:42 PM
What would be a valid role definition id then?
and thanks for answering

tall-librarian-49374

04/26/2021, 2:18 PM
As shown in that example, “/subscriptions/{guid}/providers/Microsoft.Authorization/roleDefinitions/{guid}”

brave-winter-60074

04/26/2021, 2:58 PM
It is a GUID that we assign, so perhaps it's just Azure's error message that confuses: 0cf26f03-409f-8c83-823e-026178cc1238. It's an App registration application role that we would like to assign to a function app, event grid topic or the API Management...
Here's our code:
var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
{
    // Object ID of the service principal that receives the assignment
    PrincipalId = servicePrincipal.ObjectId,
    PrincipalType = PrincipalType.Application,
    // Role definition path built from the Id of the first app role on the app registration
    RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
    RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
    // Scope: the API Management instance the assignment applies to
    Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});

tall-librarian-49374

04/26/2021, 3:10 PM
What is "roles"? Is that a custom role? Google doesn't seem to know this GUID.

brave-winter-60074

04/29/2021, 6:58 AM
@tall-librarian-49374 Sorry for not seeing your message. "roles" is using Pulumi AzureAD to create an Application with AppRoles:
var appRegistration = CreateAppRegistration(this.AppRegistrationIdentifierUri);

private Application CreateAppRegistration(Output<string> appRegistrationIdentifierUri)
{
    var appRegistration = new Application("appregistration", new ApplicationArgs
    {
        // App roles published by this application (assignable to other applications only)
        AppRoles = new InputList<Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs>() {
            new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs {
                Description = "Chipper Orchestrator Role",
                AllowedMemberTypes = { "Application" },
                DisplayName = "Chipper Orchestrator",
                IsEnabled = true,
                Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-orchestrator-{sfix}")
            },
            new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs {
                Description = "Api Management Role",
                AllowedMemberTypes = { "Application" },
                DisplayName = "Api Management",
                IsEnabled = true,
                Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-management-{sfix}")
            }
        },
        AvailableToOtherTenants = false,
        DisplayName = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-{sfix}"),
        Oauth2AllowImplicitFlow = false,
        Type = "webapp/api",
        IdentifierUris = new InputList<string>()
        {
            appRegistrationIdentifierUri,
        }
    });

    return appRegistration;
}
and then "roles" is the output of that creation: var appRoles = appRegistration.AppRoles; And our role assignment:
var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
{
    // Object ID of the service principal that receives the assignment
    PrincipalId = servicePrincipal.ObjectId,
    PrincipalType = PrincipalType.Application,
    // Role definition path built from the Id of the first app role on the app registration
    RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
    RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
    // Scope: the API Management instance the assignment applies to
    Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});
So the process is creating an application with Pulumi.AzureAD with app roles, using that output to assign a role to, i.e., our API Management, and for testing purposes we just use the ID attribute on the app role in our /subscription…. parameter.

tall-librarian-49374

04/29/2021, 7:44 AM
I think App Roles and Azure AD Roles are different things.
App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization.
Administrative roles can be used to grant access to Azure AD and other Microsoft services
Sorry if I lead you to the wrong path
I believe you need an Azure AD feature that is currently missing. Probably, one of these two issues https://github.com/hashicorp/terraform-provider-azuread/issues/164 https://github.com/hashicorp/terraform-provider-azuread/issues/230