ARM: assign the writer role to the service AAD app (#109)
* ARM: assign the writer role to the service AAD app * Refactor Set-AzureAADApiPermission function not to pass the roleId as a param
Родитель
86fd4f05cb
Коммит
3767ec090b
|
@ -10,4 +10,8 @@ serviceAppId=$serviceAppId
|
|||
clientAppId=$clientAppId
|
||||
|
||||
# ResourceGroupName to generate resources
|
||||
resourceGroupName=$resourceGroup
|
||||
resourceGroupName=$resourceGroup
|
||||
|
||||
# Role Names
|
||||
# Writer can manage flows
|
||||
writerRole=$writerRole
|
|
@ -564,7 +564,7 @@ function Set-AzureAADAccessControl([string]$AppId) {
|
|||
$ErrorActionPreference = "stop"
|
||||
}
|
||||
|
||||
function Set-AzureAADApiPermission([string]$ServiceAppId, [string]$ClientAppId) {
|
||||
function Set-AzureAADApiPermission([string]$ServiceAppId, [string]$ClientAppId, [string]$RoleName) {
|
||||
$ErrorActionPreference = "SilentlyContinue"
|
||||
|
||||
Write-Host -ForegroundColor Yellow "Setting up App Api Permissions. This requires the subscription admin privilege. If this fails, please refer to the manual steps and ask a subscription admin"
|
||||
|
@ -572,6 +572,21 @@ function Set-AzureAADApiPermission([string]$ServiceAppId, [string]$ClientAppId)
|
|||
$aadCommandId = "00000002-0000-0000-c000-000000000000"
|
||||
$permissionId = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
|
||||
|
||||
if ($RoleName) {
|
||||
$appRoles = az ad app show --id $ServiceAppId --query appRoles | ConvertFrom-Json
|
||||
|
||||
$role = $appRoles | Where-Object { $_.Value -match $RoleName }
|
||||
if ($role) {
|
||||
$roleId = $role.Id
|
||||
az ad app permission add --id $ServiceAppId --api $ServiceAppId --api-permissions $roleId=Role > $null 2>&1
|
||||
az ad app permission grant --id $ServiceAppId --api $ServiceAppId --scope $roleId > $null 2>&1
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Host -ForegroundColor Red "$RoleName is not defined in the app $ServiceAppId"
|
||||
}
|
||||
}
|
||||
|
||||
az ad app permission add --id $ServiceAppId --api $aadCommandId --api-permissions $permissionId=Scope > $null 2>&1
|
||||
az ad app permission add --id $ClientAppId --api $aadCommandId --api-permissions $permissionId=Scope > $null 2>&1
|
||||
az ad app permission add --id $ClientAppId --api $ServiceAppId --api-permissions $ServiceAppPermId=Scope > $null 2>&1
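Review bot: The role lookup `$role = $appRoles | Where-Object { $_.Value -match $RoleName }` treats `$RoleName` as a regular expression and substring match, so a role whose value merely contains the name (or a name with regex metacharacters) also matches, and if more than one role matches `$role.Id` becomes an array and the `--api-permissions $roleId=Role` argument is malformed; use `$_.Value -eq $RoleName` unless a pattern is really intended. Separately, `az ad app permission grant` creates a delegated OAuth2 permission grant, whereas an application permission (`=Role`) needs admin consent (`az ad app permission admin-consent --id $ServiceAppId`) or an app role assignment on the service principal, so as written the writer role is probably not actually granted to the service app and this should be verified against the tenant. Because output is discarded with `> $null 2>&1` and `$ErrorActionPreference` is SilentlyContinue, neither failure is reported; at least check `$LASTEXITCODE` after each `az` call and emit the red message in that case as well. The new `$RoleName` parameter also deserves a one-line comment on the function stating that it is optional and names an app role defined on the service app (assumed to be the `Value` that Create-AppRole sets) which the service app is granted on itself. Set-AzureAADApiPermission continues past the end of this hunk.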
|
||||
|
|
|
@ -227,10 +227,13 @@ function Get-Tokens {
|
|||
}
|
||||
|
||||
# Get appRole definition
|
||||
function Create-AppRole([string] $Name, [string] $Description) {
|
||||
function Create-AppRole([string] $Name, [string] $AppName, [string] $Description) {
|
||||
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
|
||||
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
|
||||
$appRole.AllowedMemberTypes.Add("User");
|
||||
if (($Name -eq $writerRole) -and ($AppName -eq $serviceAppName)) {
|
||||
$appRole.AllowedMemberTypes.Add("Application");
|
||||
}
|
||||
$appRole.DisplayName = $Name
|
||||
$appRole.Id = New-Guid
|
||||
$appRole.IsEnabled = $true
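Review bot: The new branch `if (($Name -eq $writerRole) -and ($AppName -eq $serviceAppName))` reads the script-level `$writerRole` and `$serviceAppName` from inside the function; if either is unset in the calling scope the comparison silently fails and the role stays user-only, with nothing indicating why the service principal later cannot be granted it. Prefer an explicit parameter, e.g. `function Create-AppRole([string] $Name, [string] $AppName, [string] $Description, [switch] $AllowApplications)` with `if ($AllowApplications) { $appRole.AllowedMemberTypes.Add("Application") }`, and let Set-AzureAADAppRoles decide which role gets it. At minimum add a why-comment above the branch: `# The service app's writer role must also be assignable to applications so the service principal itself can be granted it`. The header comment `# Get appRole definition` is misleading since the function constructs a new role; `# Build an appRole definition` reads better. Create-AppRole continues past the end of this hunk.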
|
||||
|
@ -241,8 +244,8 @@ function Create-AppRole([string] $Name, [string] $Description) {
|
|||
|
||||
# Add appRoles to AAD app
|
||||
function Set-AzureAADAppRoles([string]$AppName) {
|
||||
$role_r = Create-AppRole -Name $readerRole -Description $readerRole + " have ability to view flows"
|
||||
$role_w = Create-AppRole -Name $writerRole -Description $writerRole + " can manage flows"
|
||||
$role_r = Create-AppRole -Name $readerRole -AppName $AppName -Description $readerRole + " have ability to view flows"
|
||||
$role_w = Create-AppRole -Name $writerRole -AppName $AppName -Description $writerRole + " can manage flows"
|
||||
$roles = @($role_r, $role_W)
|
||||
|
||||
$app = Get-AzureADApplication -Filter "DisplayName eq '$AppName'"
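Review bot: In the rewritten calls `Create-AppRole -Name $readerRole -AppName $AppName -Description $readerRole + " have ability to view flows"` the `+` and the string literal are separate arguments rather than part of `-Description`: PowerShell binds `-Description $readerRole` and, because Create-AppRole is a simple function, drops `+` and the text into `$args`, so both descriptions end up as just the role name. Quote the expression instead: `-Description "$readerRole have ability to view flows"` and `-Description "$writerRole can manage flows"`. On the next line `$role_W` only works because variable names are case-insensitive; `$role_w` would match the assignment and avoid the question. Set-AzureAADAppRoles continues past the end of this hunk.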
|
||||
|
@ -850,14 +853,14 @@ Set-AzureAADAppCert -AppName $serviceAppName
|
|||
$azureADAppSecretValue = $azureADAppSecret.Value
|
||||
$azureADAppSecretConfiggenValue = $azureADAppSecretConfiggen.Value
|
||||
|
||||
Set-AzureAADAccessControl -AppId $azureADApplicationConfiggenApplicationId
|
||||
Set-AzureAADApiPermission -ServiceAppId $azureADApplicationConfiggenApplicationId -ClientAppId $azureADApplicationApplicationId
|
||||
|
||||
Set-AzureAADAppRoles -AppName $clientAppName
|
||||
Set-AzureAADAppRoles -AppName $serviceAppName
|
||||
Add-UserAppRole -AppName $clientAppName
|
||||
Add-UserAppRole -AppName $serviceAppName
|
||||
|
||||
Set-AzureAADAccessControl -AppId $azureADApplicationConfiggenApplicationId
|
||||
Set-AzureAADApiPermission -ServiceAppId $azureADApplicationConfiggenApplicationId -ClientAppId $azureADApplicationApplicationId -RoleName $writerRole
|
||||
|
||||
if($serviceFabricCreation -eq 'y') {
|
||||
Write-Host -ForegroundColor Green "Deploying resources (4/16 steps): A Service fabric cluster will be deployed"
|
||||
Write-Host -ForegroundColor Green "Estimated time to complete: 20 mins"
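Review bot: Moving `Set-AzureAADApiPermission ... -RoleName $writerRole` after `Set-AzureAADAppRoles -AppName $serviceAppName` introduces an ordering dependency that nothing in the script states: the role lookup by name inside Set-AzureAADApiPermission only succeeds once the writer role exists on the service app. Add a comment above the call, `# Must run after Set-AzureAADAppRoles: the writer role is looked up by name on the service app`. Directory writes may also take a moment before `az ad app show` returns them, so if the lookup intermittently reports the role as undefined, a short retry around that call would be the place to address it.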
|
||||
|
|
|
@ -41,6 +41,6 @@ Write-Host "Signing in '$tenantId'"
|
|||
az login --tenant $tenantId
|
||||
|
||||
Set-AzureAADAccessControl -AppId $serviceAppId
|
||||
Set-AzureAADApiPermission -ServiceAppId $serviceAppId -ClientAppId $clientAppId
|
||||
Set-AzureAADApiPermission -ServiceAppId $serviceAppId -ClientAppId $clientAppId -RoleName $writerRole
|
||||
|
||||
Exit 0
|