Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
brave-winter-60074
04/21/2021, 12:16 PMIs it possible in pulumi (perhaps Azure Native) to associate a Custom Role to a managed Identity like in the step “Associating the Managed Identity to the Application Role” here in this blogpost? https://notetoself.tech/2021/04/05/calling-api-management-from-azure-function-using-managed-identities/
t
tall-librarian-49374
04/21/2021, 12:31 PMThis sounds like a RoleAssignment as in https://github.com/mikhailshilkov/temporal-samples/blob/main/azure-aks/temporal.ts#L73
b
brave-winter-60074
04/21/2021, 1:13 PMThanks
@tall-librarian-49374 We get an error where it says it :
azure-native:authorization:RoleAssignment (access-from-orchestrator):
error: autorest/azure: Service returned an error. Status=400 Code=“RoleDefinitionDoesNotExist” Message=“The specified role definition with ID ‘0cf26f03409f8c83823e026178cc1238’ does not exist.“,
when we try to create a roleassignment to a role in our newly created App registration (using AzureAD Pulumi). seems like the path for the role should be something else than the
/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/t
tall-librarian-49374
04/26/2021, 12:56 PM0cf26f03409f8c83823e026178cc1238Basically, I create role assignments like this every day…
b
brave-winter-60074
04/26/2021, 1:42 PMWhat would be a valid role definition id then?
and thanx for answering
t
tall-librarian-49374
04/26/2021, 2:18 PMAs shown in that example, “/subscriptions/{guid}/providers/Microsoft.Authorization/roleDefinitions/{guid}”
b
brave-winter-60074
04/26/2021, 2:58 PMIt is a guid that we assign so perhaps its just azures error message that confuses 0cf26f03-409f-8c83-823e-026178cc1238
Its an App registration application role that we would like to assign to a function app, event grid topic or the api mangement…
heres our code
var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
{
PrincipalId = serviecPrincipal.ObjectId,
PrincipalType = PrincipalType.Application,
RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});t
tall-librarian-49374
04/26/2021, 3:10 PMWhat is
rolesIs that a custom role? Google doesn’t seem to know this guid.
b
brave-winter-60074
04/29/2021, 6:58 AM@tall-librarian-49374 Sorry for not seeing your message roles is using Pulumi AzureAD to create an Application with AppRoles
var appRegistration = CreateAppRegistration(this.AppRegistrationIdentifierUri);private Application CreateAppRegistration(Output<string> appRegistrationIdentifierUri)
{
var appRegistration = new Application("appregistration", new ApplicationArgs
{
AppRoles = new InputList<Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs>() {
new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs {
Description = "Chipper Orchestrator Role",
AllowedMemberTypes = { "Application" },
DisplayName = "Chipper Orchestrator",
IsEnabled = true,
Value = this.CoreRandomSuffix.Apply(sfix=> $"chipper-orchestrator-{sfix}")//"Chipper_Orchestrator"
},
new Pulumi.AzureAD.Inputs.ApplicationAppRoleArgs {
Description = "Api Management Role",
AllowedMemberTypes = { "Application" },
DisplayName = "Api Management",
IsEnabled = true,
Value = this.CoreRandomSuffix.Apply(sfix=> $"chipper-api-management-{sfix}")//"Chipper_Orchestrator"
}
},
AvailableToOtherTenants = false,
DisplayName = this.CoreRandomSuffix.Apply(sfix=> $"chipper-api-{sfix}"),
Oauth2AllowImplicitFlow = false,
Type = "webapp/api",
IdentifierUris = new InputList<string>()
{
appRegistrationIdentifierUri,
}
});
return appRegistration;
}var roleAssignment = new RoleAssignment("access-from-orchestrator", new RoleAssignmentArgs()
{
PrincipalId = serviecPrincipal.ObjectId,
PrincipalType = PrincipalType.Application,
RoleDefinitionId = appRoles.Apply(roles => $"/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/providers/Microsoft.Authorization/roleDefinitions/{roles.FirstOrDefault().Id}"),
RoleAssignmentName = "1195abcd-4ed3-4680-a7ca-43fe172d538d",
Scope = "/subscriptions/4ee3dbb4-78c1-41f3-ac96-39204a8e828e/resourceGroups/chipper-dev-security-t2/providers/Microsoft.ApiManagement/service/api-management-v89491"
});t
tall-librarian-49374
04/29/2021, 7:44 AMI think App Roles and Azure AD Roles are different things.
App roles are custom roles to assign permissions to users or apps. The application defines and publishes the app roles and interprets them as permissions during authorization.
Administrative roles can be used to grant access to Azure AD and other Microsoft services
🤗 1
Sorry if I lead you to the wrong path
I believe you need an Azure AD feature that is currently missing. Probably, one of these two issues
https://github.com/hashicorp/terraform-provider-azuread/issues/164
https://github.com/hashicorp/terraform-provider-azuread/issues/230
🤗 1