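#!/bin/bash
#
# Grants the AKS cluster's identity the Azure RBAC roles used by aad-pod-identity.
#
# The assignee is the cluster's service principal client ID, or — when the
# cluster reports "msi" — the kubelet managed identity's client ID.  Both roles
# are scoped to the node resource group (the RG that holds the node VMs/VMSS),
# and optionally "Managed Identity Operator" is also granted on the resource
# group that stores the user-assigned identities.
#
# Required env: SUBSCRIPTION_ID, RESOURCE_GROUP, CLUSTER_NAME
# Optional env: NODE_RESOURCE_GROUP     (looked up from the cluster when unset)
#               IDENTITY_RESOURCE_GROUP (RG holding user-assigned identities;
#                                        assumed to be in SUBSCRIPTION_ID)
#
# NOTE(review): "Virtual Machine Contributor" is a broad built-in role; it is
# presumably required so the identity can attach/detach identities on the node
# VMs/VMSS (confirm against the project docs).  Keep its scope at the node
# resource group — do not widen it to the subscription.

set -o errexit
set -o nounset
set -o pipefail

# Validate required input in the current shell.  The previous form,
# `[[ ... ]] || (echo ...; exit 1)`, exits only a subshell and relied on
# errexit to actually stop the script.
for required in SUBSCRIPTION_ID RESOURCE_GROUP CLUSTER_NAME; do
  if [[ -z "${!required:-}" ]]; then
    echo "Must specify ${required}" >&2
    exit 1
  fi
done

# Selecting the subscription fails when there is no cached login; log in
# interactively and try once more (errexit aborts if that also fails).
if ! az account set -s "${SUBSCRIPTION_ID}"; then
  echo "az login as a user and set the appropriate subscription ID"
  az login
  az account set -s "${SUBSCRIPTION_ID}"
fi

if [[ -z "${NODE_RESOURCE_GROUP:-}" ]]; then
  echo "Retrieving your node resource group"
  NODE_RESOURCE_GROUP="$(az aks show -g "${RESOURCE_GROUP}" -n "${CLUSTER_NAME}" --query nodeResourceGroup -otsv)"
fi

echo "Retrieving your cluster identity ID, which will be used for role assignment"
ID="$(az aks show -g "${RESOURCE_GROUP}" -n "${CLUSTER_NAME}" --query servicePrincipalProfile.clientId -otsv)"

# A managed-identity cluster reports the literal "msi" as its client ID; the
# real principal to grant roles to is the kubelet identity.
echo "Checking if the aks cluster is using managed identity"
if [[ "${ID:-}" == "msi" ]]; then
  ID="$(az aks show -g "${RESOURCE_GROUP}" -n "${CLUSTER_NAME}" --query identityProfile.kubeletidentity.clientId -otsv)"
fi

# Never call `az role assignment create --assignee ""`: refuse to continue if
# the lookups above produced no principal.
if [[ -z "${ID}" ]]; then
  echo "Unable to determine the cluster identity for ${CLUSTER_NAME}; no role assignments made" >&2
  exit 1
fi

NODE_RG_SCOPE="/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${NODE_RESOURCE_GROUP}"

echo "Assigning 'Managed Identity Operator' role to ${ID}"
az role assignment create --role "Managed Identity Operator" --assignee "${ID}" --scope "${NODE_RG_SCOPE}"

echo "Assigning 'Virtual Machine Contributor' role to ${ID}"
az role assignment create --role "Virtual Machine Contributor" --assignee "${ID}" --scope "${NODE_RG_SCOPE}"

# your resource group that is used to store your user-assigned identities
# assuming it is within the same subscription as your AKS node resource group
if [[ -n "${IDENTITY_RESOURCE_GROUP:-}" ]]; then
  echo "Assigning 'Managed Identity Operator' role to ${ID} with ${IDENTITY_RESOURCE_GROUP} resource group scope"
  az role assignment create --role "Managed Identity Operator" --assignee "${ID}" --scope "/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${IDENTITY_RESOURCE_GROUP}"
fi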