brave-winter-60074
04/21/2021, 12:16 PM

tall-librarian-49374
04/21/2021, 12:31 PM

brave-winter-60074
04/21/2021, 1:13 PM
/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/
Here is the role defined under our app registration where the ID matches the one that Pulumi cannot find.
Any ideas how to solve this?
Thanks in advance

tall-librarian-49374
04/26/2021, 12:56 PM
0cf26f03409f8c83823e026178cc1238 doesn't sound like a valid role definition ID

brave-winter-60074
04/26/2021, 1:42 PM

tall-librarian-49374
04/26/2021, 2:18 PM

brave-winter-60074
04/26/2021, 2:58 PM
    // Assign a role to the service principal on the API Management instance.
    // RoleDefinitionId is built from the Id of the first app role on the app registration.
    var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
    {
        PrincipalId = servicePrincipal.ObjectId,
        PrincipalType = PrincipalType.Application,
        RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
        RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
        Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
    });
tall-librarian-49374
04/26/2021, 3:10 PM
roles?

brave-winter-60074
04/29/2021, 6:58 AM
    var appRegistration = CreateAppRegistration(this.AppRegistrationIdentifierUri);
    // Creates the Azure AD app registration that publishes the two app roles.
    private Application CreateAppRegistration(Output<string> appRegistrationIdentifierUri)
    {
        var appRegistration = new Application("appregistration", new ApplicationArgs
        {
            AppRoles = new InputList<Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs>()
            {
                new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs
                {
                    Description = "Chipper Orchestrator Role",
                    AllowedMemberTypes = { "Application" },
                    DisplayName = "Chipper Orchestrator",
                    IsEnabled = true,
                    Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-orchestrator-{sfix}") //"Chipper_Orchestrator"
                },
                new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs
                {
                    Description = "Api Management Role",
                    AllowedMemberTypes = { "Application" },
                    DisplayName = "Api Management",
                    IsEnabled = true,
                    Value = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-management-{sfix}") //"Chipper_Orchestrator"
                }
            },
            AvailableToOtherTenants = false,
            DisplayName = this.CoreRandomSuffix.Apply(sfix => $"chipper-api-{sfix}"),
            Oauth2AllowImplicitFlow = false,
            Type = "webapp/api",
            IdentifierUris = new InputList<string>()
            {
                appRegistrationIdentifierUri,
            }
        });
        return appRegistration;
    }
and then roles is the output of that creation
    var appRoles = appRegistration.AppRoles;
And our role assignment
    var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
    {
        PrincipalId = servicePrincipal.ObjectId,
        PrincipalType = PrincipalType.Application,
        // Builds the role definition path from the Id of the first app role
        RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
        RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
        Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
    });
So the process is creating an application with Pulumi.AzureAD with app roles, using that output to assign a role to, i.e., our API manager, and for testing purposes we just use the ID attribute on the app role in our /subscription… parameter.

tall-librarian-49374
04/29/2021, 7:44 AM
App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization.
Administrative roles can be used to grant access to Azure AD and other Microsoft services.