Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License

Improvement: support for the friendly names of the builtin roles #3642

Open t3mi opened 11 months ago

t3mi commented 11 months ago

Describe the current behavior

Currently, the RoleAssignment resource requires the full armId value for the role, which is big and unfriendly and requires the subscriptionId to be present.

Describe the improvement

Please add, in addition, support for a friendly name of the built-in role, so that instead of this

apiVersion: authorization.azure.com/v1api20200801preview
kind: RoleAssignment
metadata:
  name: aso-sample-contributor
  namespace: default
spec:
  ...
  roleDefinitionReference:
    # This ARM ID represents "Contributor" - you can read about other built in roles here: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
    armId: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c

the user could use the name of the role like this:

apiVersion: authorization.azure.com/v1api20200801preview
kind: RoleAssignment
metadata:
  name: aso-sample-contributor
  namespace: default
spec:
  ...
  roleDefinitionReference:
    armName: Contributor

theunrepentantgeek commented 11 months ago

Good suggestion.

(Leaving needs-triage so that we discuss this when we resume our weekly sync in the new year.)

matthchr commented 3 months ago

We're still interested in doing this. We would be open to contributions. I would be curious how Bicep/ARM templates or something like the CLI do this.

Is it just a magical list of well-known names hardcoded, or is there some API to call?

theunrepentantgeek commented 2 months ago

There's a REST API to call - https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01, which returns a list of roles like this:

    {
      "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "properties": {
        "assignableScopes": [
          "/"
        ],
        "createdBy": null,
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "dataActions": [],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete",
              "Microsoft.Compute/galleries/share/action",
              "Microsoft.Purview/consents/write",
              "Microsoft.Purview/consents/delete",
              "Microsoft.Resources/deploymentStacks/manageDenySetting/action"
            ],
            "notDataActions": []
          }
        ],
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "updatedBy": null,
        "updatedOn": "2024-05-15T21:41:09.7999413Z"
      },
      "type": "Microsoft.Authorization/roleDefinitions"
    },

Note how it's flagged as BuiltInRole. There are 703 built-in roles 😮

I'm wondering if we could use the new operatorSpec support to enable lookup of these "on the fly", giving a result like this:

apiVersion: authorization.azure.com/v1api20200801preview
kind: RoleAssignment
metadata:
  name: aso-sample-contributor
  namespace: default
spec:
  ...
  operatorSpec:
    builtInRole: Contributor
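As an added example (not code from the ASO project or from anyone in this thread), here is the resolution step the two comments above describe in Go, ASO's own language: parse the roleDefinitions list response, map a friendly name such as `Contributor` to the definition's ARM ID, and optionally rewrite that tenant-level ID into the subscription-scoped form shown in the issue's first YAML. The JSON is a constructed, trimmed copy of the response excerpt above (Contributor and Reader carry their real built-in GUIDs); the CustomRole entry with a colliding roleName and the function names are invented for illustration. The security-relevant details are that only `type: BuiltInRole` entries may satisfy the lookup, the name comparison is exact, and anything other than exactly one match is an error, because a role assignment is a privilege grant and a guessed match must fail closed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// roleDefinition keeps only the fields of a roleDefinitions list entry that
// the lookup needs; the real response (see the comment above) has more.
type roleDefinition struct {
	ID         string `json:"id"`
	Properties struct {
		RoleName string `json:"roleName"`
		Type     string `json:"type"`
	} `json:"properties"`
}

// The list endpoint wraps its entries in a "value" array.
type roleDefinitionList struct {
	Value []roleDefinition `json:"value"`
}

// Constructed sample: Contributor and Reader carry their real built-in GUIDs;
// the CustomRole entry is invented to show a roleName collision being ignored.
const sampleResponse = `{
  "value": [
    {"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
     "properties": {"roleName": "Contributor", "type": "BuiltInRole"}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111",
     "properties": {"roleName": "Contributor", "type": "CustomRole"}},
    {"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
     "properties": {"roleName": "Reader", "type": "BuiltInRole"}}
  ]
}`

func parseRoleDefinitions(raw string) ([]roleDefinition, error) {
	var list roleDefinitionList
	if err := json.Unmarshal([]byte(raw), &list); err != nil {
		return nil, err
	}
	return list.Value, nil
}

// resolveBuiltInRole maps a friendly role name to the ARM ID of the matching
// built-in definition. Custom roles never satisfy the lookup, the comparison is
// exact (case-sensitive), and anything other than exactly one hit is an error:
// a role assignment is a privilege grant, so a guessed match must fail closed.
func resolveBuiltInRole(defs []roleDefinition, friendlyName string) (string, error) {
	var matches []string
	for _, rd := range defs {
		if rd.Properties.Type != "BuiltInRole" {
			continue
		}
		if rd.Properties.RoleName == friendlyName {
			matches = append(matches, rd.ID)
		}
	}
	switch len(matches) {
	case 0:
		return "", fmt.Errorf("no built-in role named %q", friendlyName)
	case 1:
		return matches[0], nil
	default:
		return "", fmt.Errorf("built-in role name %q matched %d definitions", friendlyName, len(matches))
	}
}

// scopeRoleDefinitionID turns the tenant-level ID the list endpoint returns
// (/providers/...) into the subscription-scoped form used in the issue's first
// YAML (/subscriptions/<id>/providers/...); both name the same definition.
func scopeRoleDefinitionID(tenantLevelID, subscriptionID string) (string, error) {
	const prefix = "/providers/Microsoft.Authorization/roleDefinitions/"
	if !strings.HasPrefix(tenantLevelID, prefix) {
		return "", errors.New("not a tenant-level role definition ID: " + tenantLevelID)
	}
	return "/subscriptions/" + subscriptionID + tenantLevelID, nil
}

func main() {
	defs, err := parseRoleDefinitions(sampleResponse)
	if err != nil {
		panic(err)
	}
	id, err := resolveBuiltInRole(defs, "Contributor")
	if err != nil {
		panic(err)
	}
	scoped, _ := scopeRoleDefinitionID(id, "00000000-0000-0000-0000-000000000000")
	fmt.Println(id)
	fmt.Println(scoped)
	_, err = resolveBuiltInRole(defs, "contributor") // wrong case: rejected
	fmt.Println(err)
}
```

In a real operator the list would come from an authenticated GET against the endpoint quoted above rather than from the embedded sample, and the result could be cached per reconcile since built-in definitions change rarely; the lookup and scoping logic would be unchanged.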