Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Handle role assignments when managed identity is a member of a group #693

Closed robsissons-contino closed 4 months ago

robsissons-contino commented 5 months ago

Our client has a large number of custom policies with modify/deployIfNotExists which require managed identities to have role assignments made at various scopes. The customer would like to consolidate these assignments by adding the managed identities to an Entra group to reduce the number of assignments propagated through the management group structure.

Currently this means that when EPAC runs a build it is not aware of the objects having the required role assignments and as such wants to "re-"create each role assignment.

Describe the solution you'd like
Ideally, the client would like EPAC to understand that the identities do have the required permissions through the above-mentioned group membership, and as such skip the role assignment being recreated.

Ideally, there would also be an option to define the Entra Group which the identity should be a member of in the assignment JSON so that EPAC can add the identity to the group instead of making a direct role assignment.

Describe alternatives you've considered
One option we have proposed to the client is to have a dedicated user identity with the required role assigned at the relevant scope and have this identity attached to each policy assignment which requires these permissions. The client is reviewing this option but would also like to understand if the above request will be available in the future.
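The check the issue asks for, written out as an added example (this is not EPAC code and not part of the original issue): given a policy assignment's managed identity, a role definition and a scope, decide whether the role is already effective either as a direct assignment or through an Entra group the identity belongs to. It assumes the Az.Resources and Microsoft.Graph.Applications modules, an existing Connect-AzAccount and Connect-MgGraph session with group-membership read access, and placeholder object IDs and scopes; the function name and its parameters are illustrative.

```powershell
# Added example, not EPAC's own code. Assumes Az.Resources and
# Microsoft.Graph.Applications are installed and that Connect-AzAccount and
# Connect-MgGraph (e.g. -Scopes 'GroupMember.Read.All') have already been run.
# Function name, parameter names and all IDs/scopes below are illustrative.

function Test-EffectiveRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $PrincipalObjectId,   # object ID of the policy assignment's managed identity
        [Parameter(Mandatory)] [string] $RoleDefinitionName,  # e.g. 'Contributor'
        [Parameter(Mandatory)] [string] $Scope                # e.g. '/providers/Microsoft.Management/managementGroups/mg-platform'
    )

    # 1. Direct assignment. Get-AzRoleAssignment -Scope also returns assignments
    #    inherited from parent scopes, which is what a modify/deployIfNotExists
    #    remediation at this scope actually relies on.
    $direct = Get-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName }
    if ($direct) {
        return [pscustomobject]@{ Satisfied = $true; Via = 'direct'; GroupObjectId = $null }
    }

    # 2. Transitive membership. A managed identity is a service principal in Entra;
    #    TransitiveMemberOf also resolves nested groups. Only group objects are kept.
    $groups = Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $PrincipalObjectId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    foreach ($g in $groups) {
        $viaGroup = Get-AzRoleAssignment -ObjectId $g.Id -Scope $Scope |
            Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName }
        if ($viaGroup) {
            return [pscustomobject]@{ Satisfied = $true; Via = 'group'; GroupObjectId = $g.Id }
        }
    }

    # Neither the identity nor any of its groups holds the role at or above the scope.
    return [pscustomobject]@{ Satisfied = $false; Via = $null; GroupObjectId = $null }
}

# Example use (placeholder values): decide whether a direct role assignment is
# really missing before creating it.
$result = Test-EffectiveRoleAssignment `
    -PrincipalObjectId '00000000-0000-0000-0000-000000000000' `
    -RoleDefinitionName 'Contributor' `
    -Scope '/providers/Microsoft.Management/managementGroups/mg-platform'
$result | Format-List
```

Two points worth noting for anyone adopting this pattern. The group lookup is exactly the extra Entra read permission the maintainer mentions below: the pipeline identity needs group-membership read access in Graph, in addition to the RBAC read it already has. And the check only proves the role is effective at the moment it runs; if the group membership is managed outside the pipeline, a later removal from the group silently breaks remediation for every assignment that depended on it, so the membership itself should be under the same change control as the role assignments it replaces.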

anwather commented 5 months ago

Will wait to hear others thoughts but this would require us having to query and modify group memberships in Entra which means extra permissions. I'd like to check if we have any other customers seeking this functionality as it's something I've seen.

At this stage I can't see adding this as a feature.

Remember as well with user assigned identities we don't handle permissions.
