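# Azure Pipelines step template: grants the AKS agent-pool managed identity the
# Azure RBAC roles (plus one Key Vault access policy) that the aad-pod-identity
# CI/E2E runs rely on.
#
# Outputs, published with ##vso logging commands for later steps/templates:
#   ASSIGNEE_OBJECT_ID  - principalId of the "<resource_group>-agentpool" identity
#   ROLE_ASSIGNMENT_IDS - space-separated IDs of the OPTIONAL role assignments
#                         created below (vault Reader, identity RG Managed Identity
#                         Operator, AcrPull); presumably consumed by a cleanup step.
#                         The two node-resource-group assignments are NOT included.
parameters:
  # Cluster resource group; the agent-pool identity is looked up as
  # "<resource_group>-agentpool".
  - name: resource_group
    type: string
    default: $(RESOURCE_GROUP)
  # Resource group holding the user-assigned identities used by the tests.
  # Empty string skips the "Managed Identity Operator" assignment on it.
  - name: identity_resource_group
    type: string
    default: ""
  # AKS node resource group (where the agent-pool identity and VMs/VMSS live).
  - name: node_resource_group
    type: string
    default: $(NODE_RESOURCE_GROUP)
  # Resource group of the container registry; only used when registry_name is set.
  - name: acr_resource_group
    type: string
    default: k8sbuildci
  # Subscription used for every scope below, including the ACR one.
  - name: subscription_id
    type: string
    default: $(SUBSCRIPTION_ID)
  # Empty string skips the AcrPull assignment.
  - name: registry_name
    type: string
    default: $(REGISTRY_NAME)
  # Only used when keyvault_resource_group is set.
  - name: keyvault_name
    type: string
    default: $(KEYVAULT_NAME)
  # Empty string skips the vault Reader assignment and the secret access policy.
  - name: keyvault_resource_group
    type: string
    default: ""

steps:
  - script: |
      # Fail fast. Without this a failing `az role assignment create` is ignored
      # (the step's exit code is that of the final `echo`), and the run continues
      # with an identity that silently lacks permissions.
      set -euo pipefail

      ASSIGNEE_OBJECT_ID="$(az identity show -g "${{ parameters.node_resource_group }}" -n "${{ parameters.resource_group }}-agentpool" --query principalId -otsv)"
      if [[ -z "${ASSIGNEE_OBJECT_ID}" ]]; then
        echo "##vso[task.logissue type=error]Could not resolve principalId of identity '${{ parameters.resource_group }}-agentpool' in resource group '${{ parameters.node_resource_group }}'"
        exit 1
      fi
      echo "##vso[task.setvariable variable=ASSIGNEE_OBJECT_ID]${ASSIGNEE_OBJECT_ID}"

      # assign_role ROLE SCOPE: creates a role assignment for the agent-pool
      # identity and prints its ID. NOTE(review): re-running against an already
      # existing assignment is expected to succeed (the CLI returns the existing
      # one) -- confirm on the CLI version installed on the agents.
      assign_role() {
        az role assignment create --assignee-object-id "${ASSIGNEE_OBJECT_ID}" --role "$1" --scope "$2" --query id -otsv
      }

      ROLE_ASSIGNMENT_IDS=""
      # Single source of truth for the subscription; every scope derives from it
      # (the ACR scope previously hard-coded $(SUBSCRIPTION_ID) and ignored the parameter).
      SUBSCRIPTION_SCOPE="/subscriptions/${{ parameters.subscription_id }}"
      NODE_RG_SCOPE="${SUBSCRIPTION_SCOPE}/resourcegroups/${{ parameters.node_resource_group }}"

      # Permissions on the node resource group, presumably so the controller can
      # attach/detach identities on the node VMs/VMSS. Deliberately not appended
      # to ROLE_ASSIGNMENT_IDS (unchanged from the original template);
      # NOTE(review): confirm the cleanup path does not need to remove these.
      assign_role "Virtual Machine Contributor" "${NODE_RG_SCOPE}"
      assign_role "Managed Identity Operator" "${NODE_RG_SCOPE}"

      if [[ -n "${{ parameters.keyvault_resource_group }}" ]]; then
        KV_SCOPE="${SUBSCRIPTION_SCOPE}/resourcegroups/${{ parameters.keyvault_resource_group }}/providers/Microsoft.KeyVault/vaults/${{ parameters.keyvault_name }}"
        ID="$(assign_role "Reader" "${KV_SCOPE}")"
        ROLE_ASSIGNMENT_IDS+="${ID} "
        # Data-plane access is a vault access policy, not an RBAC assignment, so it
        # has no ID to record here. Only `get` on secrets is granted (least privilege).
        az keyvault set-policy -n "${{ parameters.keyvault_name }}" --secret-permissions get --object-id "${ASSIGNEE_OBJECT_ID}"
      fi

      if [[ -n "${{ parameters.identity_resource_group }}" ]]; then
        ID="$(assign_role "Managed Identity Operator" "${SUBSCRIPTION_SCOPE}/resourcegroups/${{ parameters.identity_resource_group }}")"
        ROLE_ASSIGNMENT_IDS+="${ID} "
      fi

      if [[ -n "${{ parameters.registry_name }}" ]]; then
        # Scoped to the single registry, not the whole resource group.
        ACR_SCOPE="${SUBSCRIPTION_SCOPE}/resourceGroups/${{ parameters.acr_resource_group }}/providers/Microsoft.ContainerRegistry/registries/${{ parameters.registry_name }}"
        ID="$(assign_role "AcrPull" "${ACR_SCOPE}")"
        ROLE_ASSIGNMENT_IDS+="${ID} "
      fi

      echo "##vso[task.setvariable variable=ROLE_ASSIGNMENT_IDS]${ROLE_ASSIGNMENT_IDS}"
    displayName: "Add role assignment"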