Assign Multiple RoleAssignments at Different Scopes #5926
-
|
I want to create user ID (Managed Identities) and assign them multiple rbac at different scopes. For instance: ID A would have Owner and Contributor roles at rg-app In order to achieve this,
The main question: For example: targetScope = 'subscription'
// ...
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
name: 'vnet'
scope: resourceGroup(subscription().id, 'rg_hub_n')
}
module idDeployment 'components/id/id.bicep' = {
name: 'id-aks-deploy'
scope: appRg
params: {
id_n: id_n
tags: tags
}
}
// only allows rg scope
module idRoleAssignmentDeployment 'components/id/roleAssignments.bicep' = [for id_role in id_roles_arr : {
name: 'id-role-assignment-deploy-${id_role}'
scope: resourceGroup(id_scope_obj.sub, id_scope_obj.rg)
params: {
name: guid(subscription().id, env, id_role)
principalId: idDeployment.outputs.principalId
roleDefinitionId: '/subscriptions/${id_scope_obj.sub}/providers/Microsoft.Authorization/roleDefinitions/${id_role}'
}
dependsOn: [
idDeployment
]
}]
// The root resource scope must match that of the Bicep file. To deploy a resource to a different root scope, use a module.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: 'some random unique name'
scope: vnet
properties: {
principalId: 'principalId'
roleDefinitionId: 'roleDefinitionId'
principalType: 'ServicePrincipal'
}
} |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 6 replies
-
|
This is possible... I would recommend to read over this thread of some of the complexities. Also this blog which I believe was based on some of the discussions in that thread via @JFolberth https://blog.johnfolberth.com/nested-loops-in-azure-bicep-with-an-rbac-example/ Then please share back any questions or follows up that you have here. Essentially to do a role assignment, you deploy into the Scope of the resource E.g. the resource group, So if you have 2 resource groups, you need to have a module to deploy into the scope of those resources groups Etc. Here is also an alternate less complex scenario on this than the above thread. Since it's just a single resource. |
Beta Was this translation helpful? Give feedback.
-
|
Yes that is my preferred approach as well.
module dp_Deployment_RBAC 'sub-RBAC.bicep' = if (bool(Stage.RBAC)) {
name: 'dp${Deployment}-RBAC'
params: {
// move these to Splatting later
DeploymentID: DeploymentID
DeploymentInfo: DeploymentInfo
Environment: Environment
Extensions: Extensions
Global: Global
Prefix: Prefix
Stage: Stage
}
dependsOn: [
dp_Deployment_RG
]
}Calls nested deployment/Module sub-RBAC.bicep https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC.bicep
"rolesInfo": [
{
"Name": "BW",
"RBAC": [
{
"Name": "Contributor"
},
{
"Name": "Key Vault Administrator"
},
{
"Name": "Virtual Machine Administrator Login"
},
{
"Name": "Azure Kubernetes Service RBAC Cluster Admin"
},
{
"Name": "Load Test Owner"
}
]
}module RBAC 'sub-RBAC-ALL.bicep' = [for (role, index) in rolesInfo: if (bool(Stage.RBAC)) {
name: 'dp-rbac-role-${Prefix}-${role.name}'
params: {
Deployment: deployment
Prefix: Prefix
rgName: rg
Enviro: enviro
Global: Global
roleInfo: role
providerPath: ''
namePrefix: ''
providerAPI: ''
}
}]Calls nested deployment/Module sub-RBAC-ALL.bicep https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC-ALL.bicep
module RBACRARG 'sub-RBAC-ALL-RA-RG.bicep' = [for (rbac, index) in roleAssignment: if (Enviro != 'G0' && Enviro != 'M0') {
name: replace('dp-rbac-all-ra-${roleInfo.name}-${index}','@','_')
scope: resourceGroup(rbac.DestSubscriptionID,'${rbac.DestPrefix}-${Global.OrgName}-${rbac.DestApp}-RG-${rbac.DestRG}')
params:{
description: roleInfo.name
name: rbac.GUID
roledescription: rbac.RoleName
roleDefinitionId: '${rbac.DestSubscription}/providers/Microsoft.Authorization/roleDefinitions/${rbac.RoleID}'
principalType: rbac.principalType
principalId: providerPath == 'guid' ? roleInfo.name : length(providerPath) == 0 ? rolesLookup[roleInfo.name] : /*
*/ reference('${rbac.DestSubscription}/resourceGroups/${rbac.SourceRG}/providers/${providerPath}/${Deployment}${namePrefix}${roleInfo.Name}',providerAPI).principalId
}
}]This references another nested deployment/Module e.g. sub-RBAC-ALL-RA-RG.bicep https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC-ALL-RA-RG.bicep Which actually does the role assignment within the RG.... This example is on the RG itself, however see below for a Resource Scoped Role assignement that you can call from here instead. param roleDefinitionId string
param principalId string
param principalType string
param name string
#disable-next-line no-unused-params
param description string // leave these for loggin in the portal
#disable-next-line no-unused-params
param roledescription string // leave these for loggin in the portal
resource RA 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: name
properties: {
roleDefinitionId: roleDefinitionId
principalType: principalType
principalId: principalId
}
}Here is the Resource Scoped role assignment, from the RG that your module is scoped.https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/x.RBAC-ALL.bicep param resourceId string
param Global object
param roleInfo object
param principalType string = ''
var rolesLookup = json(Global.RolesLookup)
var rolesGroupsLookup = json(Global.RolesGroupsLookup)
var roleAssignment = [for rbac in roleInfo.RBAC: {
RoleName: rbac.Name
RoleID: rolesGroupsLookup[rbac.Name].Id
principalType: principalType
GUID: guid(roleInfo.Name, rbac.Name, resourceId)
FriendlyName: 'user: ${roleInfo.Name} --> roleInfoName: ${rbac.Name} --> resourceId: ${resourceId}'
}]
module RBACRAResource 'x.RBAC-ALL-RA-Resource.bicep' = [for (rbac, index) in roleAssignment: {
name: replace('dp-rbac-all-ra-${roleInfo.name}-${index}', '@', '_')
params: {
resourceId: resourceId
description: roleInfo.name
roledescription: rbac.RoleName
name: rbac.GUID
roleDefinitionId: rbac.RoleID
principalId: rolesLookup[roleInfo.name]
principalType: rbac.principalType
}
}]
output RoleAssignments array = roleAssignmentThen final worker template that performs the Resource Scoped role assignment based on you passing in the ResourceId. |
Beta Was this translation helpful? Give feedback.
-
|
Just to add I would start with creating a single form json object that describes your role assignments, such as below then just process them through the layers.. Subscription --> Resource group --> Resource Role Assignment. {
"resourceRoleAssignments": [
{
"vnetName": "vneta",
"rgName": "rg-a",
"principalId": "9ed16e1c-f8ce-46fe-b097-81bd5947ef06",
"roleDefinitionId": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"resourceType": "Microsoft.Network/virtualNetworks"
},
{
"vnetName": "vnetb",
"rgName": "rg-b",
"principalId": "9ed16e1c-f8ce-46fe-b097-81bd5947ef06",
"roleDefinitionId": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"resourceType": "Microsoft.Network/virtualNetworks"
},
{
"vnetName": "vnetc",
"rgName": "rg-c",
"principalId": "9ed16e1c-f8ce-46fe-b097-81bd5947ef06",
"roleDefinitionId": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"resourceType": "Microsoft.Network/virtualNetworks"
}
]
} |
Beta Was this translation helpful? Give feedback.
-
|
Those are pretty cool scenarios over sub, rg and res scopes. Thanks for sharing. The last link: From where I can see that, it set the scope to a string resource ID within the roleAssignment. {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"scope": {
"type": "string"
},
"name": {
"type": "string"
},
"roleDefinitionId": {
"type": "string"
},
"principalId": {
"type": "string"
},
"principalType": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-08-01-preview",
"scope": "[parameters('scope')]",
"name": "[parameters('name')]",
"properties": {
"roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]",
"principalType": "[parameters('principalType')]"
}
}
],
"outputs": {
"roleAssignmentId": {
"type": "string",
"value": "[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]"
}
}
}Is it possible to achieve it from bicep, such as passing the res id within the scope as you did above. For instance: targetScope = 'subscription'
// ...
module idRoleAssignmentDeployment 'components/id/roleAssignments.bicep' = [for id_role in id_roles_arr : {
name: 'id-role-assignment-deploy-${id_role}'
scope: resourceGroup(id_scope_obj.sub, id_scope_obj.rg)
params: {
name: guid(subscription().id, env, id_role)
principalId: idDeployment.outputs.principalId
roleDefinitionId: '/subscriptions/${id_scope_obj.sub}/providers/Microsoft.Authorization/roleDefinitions/${id_role}'
}
}]components/id/roleAssignments.bicep param name string
param principalId string
param roleDefinitionId string
param res_id string
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
name: 'vnet_n'
// scope: resourceGroup(subscription().id, 'rg_hub_n')
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: name
scope: vnet // if I uncomment the vnet res scope I get, The root resource scope must match that of the Bicep file. To deploy a resource to a different root scope, use a module.bicep(BCP139)
// scope: res_id ?
properties: {
principalId: principalId
roleDefinitionId: roleDefinitionId
principalType: 'ServicePrincipal'
}
}
|
Beta Was this translation helpful? Give feedback.
-
|
Yes, that (Bicep template file) will work perfectly for your scenario, if you only want to do role assignments for a single resource type e.g. VNET. The reason behind the JSON template is because it provides the ability to have a generic template that can take a 'resourceId' for any resource type, including things like a file share or blob container or storage account or KeyVault Etc.
|
Beta Was this translation helpful? Give feedback.
-
|
How did you go with this one @ArtiomLK ? Not a trivial process. I have been making a few udpates to those links that I shared. I am happy now that I can create a Managed Identity OR reference a User or Group, then later on assign it as a role assignment on any resource. So far I implemented assigning keyvault access or blob or file share access. However using generic modules means you can just use the following code for any resource type. var rolesInfo = contains(container, 'rolesInfo') ? container.rolesInfo : []
module RBAC 'x.RBAC-ALL.bicep' = [for (role, index) in rolesInfo: {
name: 'dp-rbac-role-${SAContainers.name}-${role.name}'
params: {
resourceId: SAContainers.id
Global: Global
roleInfo: role
Type: contains(role,'Type') ? role.Type : 'lookup'
deployment: deployment
}
}]Where the input is: "containers": [
{
"name": "adldata",
"rolesInfo": [
{
"Name": "BW",
"RBAC": [
{
"Name": "Storage Blob Data Contributor"
}
]
},
{
"Name": "SynapseDataContributor",
"Type": "UAI",
"RBAC": [
{
"Name": "Storage Blob Data Contributor"
}
]
}
]
}
] |
Beta Was this translation helpful? Give feedback.
-
|
Hi Team, |
Beta Was this translation helpful? Give feedback.
This is possible... I would recommend to read over this thread of some of the complexities.
#5678
Also this blog which I believe was based on some of the discussions in that thread via @JFolberth
https://blog.johnfolberth.com/nested-loops-in-azure-bicep-with-an-rbac-example/
Then please share back any questions or follows up that you have here.
Essentially to do a role assignment, you deploy into the Scope of the resource E.g. the resource group,
Then you use an existing reference, then you can do the role assignment at that scope of that resource.
So if you have 2 resource groups, you need to have a module to deploy into the scope of those resources groups Etc.
Here is also an alternate …