Remove contributer role from CS Managed Identity

Only have permissions to create tokens, contributer is to broad
Azure · Nov 12, 2024 · 56189ad · 56189ad
1 parent 07deb79
commit 56189ad
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 14 deletions.
diff --git a/dev-infrastructure/modules/acr-permissions.bicep b/dev-infrastructure/modules/acr-permissions.bicep
@@ -4,10 +4,10 @@ param principalId string
 @description('Whether to grant push access to the ACR')
 param grantPushAccess bool = false
 
-@description('Whether to grant contributor access to the ACR')
-param grantContributorAccess bool = false
+@description('Whether to grant manage token access to the ACR')
+param grantManageTokenAccess bool = true
 
-@description('ACR Namespace Resource Group Name')
+@description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
 var acrPullRoleDefinitionId = subscriptionResourceId(
@@ -25,11 +25,6 @@ var acrDeleteRoleDefinitionId = subscriptionResourceId(
   'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 )
 
-var contributorRoleDefinitionId = subscriptionResourceId(
-  'Microsoft.Authorization/roleDefinitions/',
-  'b24988ac-6180-42a0-ab88-20f7382dd24c'
-)
-
 resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
   name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
   properties: {
@@ -57,10 +52,33 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantContributorAccess) {
-  name: guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (grantManageTokenAccess) {
+  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
+  properties: {
+    assignableScopes: [
+      subscription().id
+      acrResourceGroupid
+    ]
+    description: 'This role allows the management of tokens in the ACR'
+    permissions: [
+      {
+        actions: [
+          'Microsoft.ContainerRegistry/registries/tokens/read'
+          'Microsoft.ContainerRegistry/registries/tokens/write'
+          'Microsoft.ContainerRegistry/registries/tokens/delete'
+          'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+          'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+         ]
+      }
+    ]
+    roleName: 'ACR Manage Tokens'
+  }
+}
+
+resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
+  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
   properties: {
-    roleDefinitionId: contributorRoleDefinitionId
+    roleDefinitionId: tokenManagementRole.id
     principalId: principalId
     principalType: 'ServicePrincipal'
   }

diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -366,13 +366,13 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
   }
 ]
 
-module acrContributorRole '../modules/acr-permissions.bicep' = [
+module acrManageTokenRole '../modules/acr-permissions.bicep' = [
   for (_, i) in clustersServiceAcrResourceGroupNames: {
-    name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'contributor')
+    name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
     scope: clustersServiceAcrResourceGroups[i]
     params: {
       principalId: csManagedIdentityPrincipalId
-      grantContributorAccess: true
+      grantManageTokenAccess: true
       acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
     }
   }