Adding subscription scope RBAC
This commit is contained in:
Gordon Byers
GitHub
Родитель
36ef7d365f
Коммит
066a93ae16
|
|
@ -7,7 +7,7 @@ Please follow [this guide](https://docs.microsoft.com/azure/developer/github/con
|
||||||
|
|
||||||
This repository uses a script to provide a simple way to create a GitHub OIDC federated credential, it is based on the steps outlined here: [https://docs.microsoft.com/azure/developer/github/connect-from-azure](https://docs.microsoft.com/azure/developer/github/connect-from-azure).
|
This repository uses a script to provide a simple way to create a GitHub OIDC federated credential, it is based on the steps outlined here: [https://docs.microsoft.com/azure/developer/github/connect-from-azure](https://docs.microsoft.com/azure/developer/github/connect-from-azure).
|
||||||
|
|
||||||
The script will create a new application, assign the correct Azure RBAC permissions for the Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.
|
The script will create a new application, assign the correct Azure RBAC permissions for the Subscription **OR** Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
#Set up user specific variables
|
#Set up user specific variables
|
||||||
|
|
@ -25,9 +25,14 @@ applicationObjectId=$(echo $APP | jq -r ".objectId")
|
||||||
SP=$(az ad sp create --id $appId)
|
SP=$(az ad sp create --id $appId)
|
||||||
assigneeObjectId=$(echo $SP | jq -r ".objectId"); echo $assigneeObjectId
|
assigneeObjectId=$(echo $SP | jq -r ".objectId"); echo $assigneeObjectId
|
||||||
|
|
||||||
#Create Role Assignment (Azure RG RBAC)
|
#Create Role Assignments (Azure Subscription RBAC)
|
||||||
az role assignment create --role Owner --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
subscriptionId=$(az account show --query id -o tsv)
|
||||||
az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
az role assignment create --role Owner --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
||||||
|
az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
||||||
|
|
||||||
|
#Create Role Assignments (Azure Resource Group RBAC)
|
||||||
|
az role assignment create --role Owner --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
||||||
|
az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
|
||||||
|
|
||||||
#Create federated identity credentials for use from a GitHub Branch
|
#Create federated identity credentials for use from a GitHub Branch
|
||||||
fedReqUrl="https://graph.microsoft.com/beta/applications/$applicationObjectId/federatedIdentityCredentials"
|
fedReqUrl="https://graph.microsoft.com/beta/applications/$applicationObjectId/federatedIdentityCredentials"
|
||||||
|
|
@ -48,7 +53,6 @@ echo $fedReqBody | jq -r
|
||||||
az rest --method POST --uri $fedReqUrl --body "$fedReqBody"
|
az rest --method POST --uri $fedReqUrl --body "$fedReqBody"
|
||||||
|
|
||||||
#Retrieving values needed for GitHub secret creation
|
#Retrieving values needed for GitHub secret creation
|
||||||
subscriptionId=$(az account show --query id -o tsv)
|
|
||||||
clientId=$appId
|
clientId=$appId
|
||||||
tenantId=$(az account show --query tenantId -o tsv)
|
tenantId=$(az account show --query tenantId -o tsv)
|
||||||
|
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче