Assign Data Reader Role between App Configuration and App Service in Azure

Time:09-09

I would like to do these steps: App Configuration -> Access control (IAM) -> Add role assignment -> App Configuration Data Reader -> Assign access to Managed identity -> Select Members (choose my app service) -> Save. But instead of using the Azure Portal for that, I wanted to use an ARM/Bicep template. I tried something like this:

targetScope = 'resourceGroup'

param principalId string = 'x-x-x-x-x-x-x-x-x'
param roleDefinitionId string = 'x-x-x-x-x-x'

var roleAssignmentName = guid('/', principalId, roleDefinitionId)

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-03-01-preview' = {
  name: roleAssignmentName
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
  }
}

But there are 2 problems with this solution. Firstly, I am using targetScope = resourceGroup, which creates this role assignment inside the RG, and then my App Configuration just inherits it from the RG. Probably the proper solution would be to provide the App Configuration name somewhere, so it would be used instead of scoping it to the Resource Group.

Also, hard-coding principalId and roleDefinitionId like this feels pretty bad, but e.g. I can't access the principalId of my Web App by doing something like this:

resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: 'myUniqueWebAppName'
}
param principalId string = webApp.identity.principalId

as it says: "This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values." Also, I don't know how to access roleDefinitionId; I know where to find it in the Azure Portal, but I have no idea how to access it without hard-coding.

CodePudding user response:

A few things:

  • You can specify the scope for the roleAssignment using the scope property.
  • The role Id won't change, so hardcoding the roleId is not really an issue; you could always pass it as a parameter as well.
  • If you create a module to do the role assignment, you would be able to inject the web app principalId.

You can create a module like this:

// app-configuration-role-assignment.bicep

param appConfigurationName string
param principalId string
param roleId string

// Get a reference to app config
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2022-05-01' existing = {
  name: appConfigurationName
}

// Grant permission
resource appConfigurationRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(appConfiguration.id, roleId, principalId)
  scope: appConfiguration
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
  }
}

Then from your main you could invoke it and pass the web app principalId:

// main.bicep

param appConfigurationName string
param webAppName string

// get a reference to webapp
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

module roleAssignment 'app-configuration-role-assignment.bicep' = {
  name: 'app-configuration-role-assignment-to-webapp'
  scope: resourceGroup()
  params: {
    appConfigurationName: appConfigurationName
    principalId: webApp.identity.principalId
    roleId: '516239f1-63e1-4d78-a4de-a74fb236a071' // App Configuration Data Reader
  }
}
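As an added example (not part of the answer above), the same module can be driven from a main.bicep that also creates the store and the web app, so the role assignment stays scoped to the store and the web app's system-assigned identity becomes the only way in: disableLocalAuth turns off the store's access keys, so a leaked connection string cannot bypass the Data Reader assignment. It assumes the module file from the answer sits next to it, an existing App Service plan id is passed in, and the app reads the store endpoint from an app setting named AZURE_APPCONFIGURATION_ENDPOINT (a name chosen here, not required by Azure).

```bicep
// main.bicep (added example; assumes app-configuration-role-assignment.bicep from the answer)
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param appConfigurationName string
param webAppName string
param appServicePlanId string // assumption: resource id of an existing App Service plan

// Store with access keys disabled: Azure AD + RBAC becomes the only authentication path
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {
  name: appConfigurationName
  location: location
  sku: { name: 'standard' }
  properties: {
    disableLocalAuth: true
  }
}

// Web app with a system-assigned identity. Its principalId only exists after deployment,
// which is why it has to flow through a module parameter rather than a parameter default.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: webAppName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      appSettings: [
        // assumption: the app resolves the store by endpoint and authenticates with its identity
        { name: 'AZURE_APPCONFIGURATION_ENDPOINT', value: appConfiguration.properties.endpoint }
      ]
    }
  }
}

// Least privilege: Data Reader only, scoped to this store (the module sets scope: appConfiguration).
// Referencing appConfiguration.name and webApp.identity makes Bicep deploy both before the module.
module roleAssignment 'app-configuration-role-assignment.bicep' = {
  name: 'app-configuration-role-assignment-to-webapp'
  params: {
    appConfigurationName: appConfiguration.name
    principalId: webApp.identity.principalId
    roleId: '516239f1-63e1-4d78-a4de-a74fb236a071' // App Configuration Data Reader (built-in role id from the answer)
  }
}

output appConfigurationEndpoint string = appConfiguration.properties.endpoint
```

After deployment, the assignment should appear on the store's own Access control (IAM) blade rather than on the resource group, and the store's Access keys blade should report that local authentication is disabled.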