Adding subscription scope RBAC

docs/oidc-federated-credentials.md

@@ -7,7 +7,7 @@ Please follow [this guide](https://docs.microsoft.com/azure/developer/github/con
 
 This repository uses a script to provide a simple way to create a GitHub OIDC federated credential, it is based on the steps outlined here: [https://docs.microsoft.com/azure/developer/github/connect-from-azure](https://docs.microsoft.com/azure/developer/github/connect-from-azure).
 
-The script will create a new application, assign the correct Azure RBAC permissions for the Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.
+The script will create a new application, assign the correct Azure RBAC permissions for the Subscription **OR** Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.
 
 ```bash
 #Set up user specific variables
@@ -25,9 +25,14 @@ applicationObjectId=$(echo $APP | jq -r ".objectId")
 SP=$(az ad sp create --id $appId)
 assigneeObjectId=$(echo $SP | jq -r ".objectId"); echo $assigneeObjectId
 
-#Create Role Assignment (Azure RG RBAC)
-az role assignment create --role Owner --resource-group $RG  --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal
-az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG  --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal
+#Create Role Assignments (Azure Subscription RBAC)
+subscriptionId=$(az account show --query id -o tsv)
+az role assignment create --role Owner --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+
+#Create Role Assignments (Azure Resource Group RBAC)
+az role assignment create --role Owner --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal
 
 #Create federated identity credentials for use from a GitHub Branch
 fedReqUrl="https://graph.microsoft.com/beta/applications/$applicationObjectId/federatedIdentityCredentials"
@@ -48,7 +53,6 @@ echo $fedReqBody | jq -r
 az rest --method POST --uri $fedReqUrl --body "$fedReqBody"
 
 #Retrieving values needed for GitHub secret creation
-subscriptionId=$(az account show --query id -o tsv)
 clientId=$appId
 tenantId=$(az account show --query tenantId -o tsv)