How can I give a service principal access to assign a role to a resource it created?
Here's the scenario.
I...
- Created an Azure DevOps pipeline
- Created a Service Connection (which creates a service principal and grants it `Contributor` access to the entire subscription).
- Created a pipeline task `AzureCLI@1` using the service connection
- Executed `az group create …` - SUCCESS - made a resource group!
- Executed `az group deployment create …` - SUCCESS - deployed some stuff!
  - ^-- (Unless I do any role assignments as part of my ARM template)
- Executed `az role assignment create …` - FAILURE
  `ERROR: Insufficient privileges to complete the operation.`
I tried making the service principal `Owner` instead of `Contributor`. No difference.
This made me understand (kinda) why: Azure Service principal insufficient permissions to manage other service principals
Which led me here: https://learn.microsoft.com/en-ca/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#failed-to-assign-contributor-role
But I'm a little stuck. I think I'm supposed to grant my service principal some sort of role within Active Directory so that it's allowed to manage role assignments.
I found this: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-delegate-by-task#roles-and-administrators
Based on that, it seems I should give my service principal `Privileged role administrator` access. Scary.
Then I found this: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
Because I wanted to limit this service principal to only be able to flex the Active Directory powers within a single subscription, which seems to be possible in the `AssignableScopes` property.
But two things are giving me pause, which brings me here.
1) I'm relatively unfamiliar with what I'm doing, and I'm tossing around big scary terms like `Administrator`. Shudder. Time to consult some experts!
2) This seems complex. The task I'm performing seems like it should not be complex. I'm just trying to deploy AKS and a Container Registry in an Azure Pipeline and give AKS access to the registry. Which is what all the docs say to do (albeit at the command line, not in a pipeline).
So, should I really be creating a custom role just for the subscription which gives `Privileged role administrator`-type privileges assignable only to the subscription, then granting my service principal that role?
Or... How do I do this?
EDIT:
I did try creating a custom role with action `Microsoft.Authorization/write`. It failed with this error: `'Microsoft.Authorization/write' does not match any of the actions supported by the providers.`
But I succeeded in creating one with action `Microsoft.Authorization/*/write` as well as `Microsoft.Authorization/*`.
My .json definition looks like:

```json
{
  "Name": "...",
  "Description": "...",
  "IsCustom": true,
  "Actions": [ "Microsoft.Authorization/*" ],
  "AssignableScopes": [
    "/subscriptions/[subscriptionid]"
  ]
}
```

After assigning the role to the service principal, it still failed with insufficient access. I logged in locally via `az login --service-principal`, tried to use my new powers, and got this message:
`The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/.../Microsoft.Authorization/read' over scope '/subscriptions/.../resourceGroups/.../.../providers/Microsoft.Authorization/roleDefinitions' or the scope is invalid. If access was recently granted, please refresh your credentials.`
EDIT: SOLUTION

```json
{
  "Name": "...",
  "Description": "...",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "AssignableScopes": [
    "/subscriptions/[subscriptionid]"
  ]
}
```

This works with `az role definition create`.
The service principal also needs to be a Directory Reader, unless you specify the role assignment by object ID. Azure Active Directory: Add Service Principal to Directory Readers Role with PowerShell
It can be assigned to the service principal, and when executing `az` commands as that service principal, it succeeds in creating role assignments.
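The following script is an added example, not part of the original question or its solution. It puts the pieces of the post together end to end: a custom role with only the `roleAssignments` read/write actions (the post's working definition, with the assignable scope made a parameter so it can be narrowed to one resource group rather than the whole subscription), the assignment of that role to the pipeline's service principal by object ID so that `az` never has to look the principal up in the directory (the Directory Readers caveat from the post), and the role assignment the pipeline actually wants: `AcrPull` for the cluster's kubelet identity on the registry. It also shows, with a shell glob, how Azure's `*` wildcard in an `Actions` entry matches operations, which is why `Microsoft.Authorization/*` covered the needed operation while the non-existent `Microsoft.Authorization/write` was rejected. The subscription ID, resource group, cluster, registry and object ID values are placeholders; the service principal is assumed to still hold `Contributor` from the service connection, so reads of resources and role definitions are already covered and the custom role adds only the write.

```shell
#!/usr/bin/env bash
# Added example (not from the original question). Placeholders to replace:
# SUBSCRIPTION_ID, RG, AKS_NAME, ACR_NAME, SP_OBJECT_ID.
set -eu

# Emit the custom role definition. Same actions as the post's working solution;
# the assignable scope is a parameter so it can be a single resource group.
role_definition_json() {
  scope="$1"
  cat <<EOF
{
  "Name": "Role Assignment Writer (pipeline)",
  "Description": "Create and read role assignments in one scope, nothing else.",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": [ "${scope}" ]
}
EOF
}

# Azure RBAC treats '*' inside an Actions string as a wildcard and permits an
# operation only when some Action matches the whole operation name. A shell
# glob behaves the same way: "Microsoft.Authorization/*" matches
# "Microsoft.Authorization/roleAssignments/write", while the post's rejected
# "Microsoft.Authorization/write" (not a real operation) would not match it.
action_permits() {
  pattern="$1"
  operation="$2"
  case "$operation" in
    $pattern) return 0 ;;
    *)        return 1 ;;
  esac
}

# One-time setup, run by a human who is Owner / User Access Administrator on
# the scope. Assigning by object ID with the principal type stated means az
# does not query the directory, so the SP needs no Directory Readers role.
setup_role() {
  scope="$1"
  sp_object_id="$2"
  role_definition_json "$scope" > /tmp/role-assignment-writer.json
  az role definition create --role-definition @/tmp/role-assignment-writer.json
  az role assignment create \
    --role "Role Assignment Writer (pipeline)" \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$scope"
}

# What the pipeline runs as the SP after deploying AKS and ACR: give the
# cluster's kubelet identity AcrPull, scoped to the registry resource only.
grant_aks_acr_pull() {
  rg="$1"
  aks="$2"
  acr="$3"
  kubelet_oid=$(az aks show -g "$rg" -n "$aks" \
    --query identityProfile.kubeletidentity.objectId -o tsv)
  acr_id=$(az acr show -n "$acr" --query id -o tsv)
  az role assignment create \
    --role AcrPull \
    --assignee-object-id "$kubelet_oid" \
    --assignee-principal-type ServicePrincipal \
    --scope "$acr_id"
}

# Only touch Azure when explicitly asked; defining the functions is side-effect free.
if [ "${1:-}" = "--apply" ]; then
  SCOPE="/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG"
  setup_role "$SCOPE" "SP_OBJECT_ID"
  grant_aks_acr_pull "RG" "AKS_NAME" "ACR_NAME"
fi
```

Run it as `./grant.sh --apply` after replacing the placeholders. The scope matters: `Microsoft.Authorization/roleAssignments/write` lets a principal grant any role, including `Owner`, to anyone within the scope where it holds that action, so a service principal holding it at subscription scope can escalate itself. Assigning the custom role at the resource group that contains the cluster and registry limits the damage a leaked pipeline credential can do. If the cluster uses a managed identity, `az aks update -g RG -n AKS_NAME --attach-acr ACR_NAME` performs the same `AcrPull` assignment and needs the same permission.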