azsk / DevOpsKit-docs

MIT License

Assign PIM role to the service connection #428

Closed lipalath-ms closed 1 year ago

lipalath-ms commented 1 year ago

The issue is regarding https://github.com/azsk/DevOpsKit-docs/blob/master/01-Subscription-Security/Readme.md#use-set-azskpimconfiguration-alias-setpim-for-configuringchanging-pim-settings-at-management-group-level

I'm running this PowerShell command:

  Set-AzSKPIMConfiguration -AssignRole `
        -SubscriptionId <SubscriptionId> `
        -ResourceGroupName <ResourceGroupName> `
        -DurationInDays 90 `
        -RoleName RoleName `
        -PrincipalName <service-connection> `
        -AssignmentType Eligible `
        -DoNotOpenOutputFolder

On running this, I see the following error:

Running AzSK cmdlet using a generic (org-neutral) policy...
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Exception calling "Authenticate" with "7" argument(s): "'authority' Uri should have at least one segment in the path (i.e. https://<host>/<path>/...) (Parameter 'authority')"
Unable to determine target data center for tenant
Unable to find resource on which assignment was requested. Either the resource does not exist or you may not have permissions for assigning a role on it.

Is it not possible to assign PIM role to service connection?

v-rahkuma commented 1 year ago

Hi @ilantom,

PIM eligible assignments cannot be assigned to service connection.

Additionally, AzSK was sunset around June 2021 and is not actively maintained now, but all PIM helper commands are working and you can still use them for PIM role activation.

There are some other modules released by the PG team which you can explore further for PIM-related operations:

  1. AzureADPreview: This module is still in preview but contains commands like Open-AzureADMSPrivilegedRoleAssignmentRequest which can help with PIM role activation. You can find more about this module here.

  2. Az.Resources: In the latest version, 6.0.0, the team has introduced a few functions like New-AzRoleAssignmentScheduleRequest which can help with PIM role activation. You can find more details about this module here.

Please let us know in case you have any further questions.

Thank you
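As an added illustration of the Az.Resources route the comment above points to (this is not code from the issue, from AzSK, or from the Az module's own documentation), the following PowerShell self-activates an existing eligible assignment for a user with New-AzRoleAssignmentScheduleRequest, after first confirming that the eligibility exists. It targets a user rather than a service connection, since the comment states that eligible assignments cannot be given to a service connection. The subscription ID, resource group, role name and UPN are placeholders; the eligibility check, the two-hour activation window and the justification text are assumptions chosen for the example.

```powershell
# Added example (not from the issue or the AzSK project): self-activate an
# eligible PIM role for a user principal using Az.Resources 6.0.0 or later.
# Every identifier in angle brackets is a placeholder that must be replaced.
Import-Module Az.Accounts, Az.Resources

$subscriptionId = '<SubscriptionId>'
$resourceGroup  = '<ResourceGroupName>'
$roleName       = 'Contributor'            # assumed role; use the one you are eligible for
$userPrincipal  = 'user@contoso.example'   # assumed UPN of the caller (a user, not a service connection)
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# Resolve the principal and the role definition into the IDs the PIM cmdlets expect.
# RoleDefinitionId must be the full ARM resource ID, not just the role GUID.
$principalId      = (Get-AzADUser -UserPrincipalName $userPrincipal).Id
$roleDefGuid      = (Get-AzRoleDefinition -Name $roleName).Id
$roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefGuid"

# Confirm an eligible assignment exists for this principal at this scope before
# requesting activation; activation of a non-existent eligibility is rejected anyway,
# but failing early gives a clearer message than the "Unable to find resource" error above.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope -Filter "asTarget()" |
    Where-Object { $_.PrincipalId -eq $principalId -and $_.RoleDefinitionId -eq $roleDefinitionId }
if (-not $eligible) {
    throw "No eligible '$roleName' assignment for $userPrincipal at $scope; an administrator must create one first."
}

# Activate for a bounded window with a written justification. The request is recorded
# in the Azure activity log, which is what makes PIM activations auditable.
$request = New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'PT2H' `
    -Justification 'Ticket <id>: scoped deployment to <ResourceGroupName>'

# Show the outcome; Status is typically Provisioned or PendingApproval depending on the role settings.
$request | Select-Object Name, Status, RequestType, ExpirationDuration
```

The activation expires on its own after the ISO 8601 duration given in -ExpirationDuration, so no separate deactivation step is needed for routine use; if the role's PIM settings require approval, the request is created with a pending status and the role only becomes active once an approver acts on it.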

v-rahkuma commented 1 year ago

Hi @ilantom,

Please let us know if you need any additional information, closing this ticket for now. Thanks