From bcba7ed90b85037e9a1f25f244669d5c140e8331 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Tue, 12 Nov 2024 13:53:18 +0100
Subject: [PATCH] Remove contributer role from CS Managed Identity

Only have permissions to create tokens, contributer is to broad
---
 .../modules/acr-permissions.bicep | 40 ++++++++++++++-----
 .../templates/svc-cluster.bicep | 6 +--
 2 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/dev-infrastructure/modules/acr-permissions.bicep b/dev-infrastructure/modules/acr-permissions.bicep
index fa00b03bc..fea621d5f 100644
--- a/dev-infrastructure/modules/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr-permissions.bicep
@@ -4,10 +4,10 @@ param principalId string
 @description('Whether to grant push access to the ACR')
 param grantPushAccess bool = false
 
-@description('Whether to grant contributor access to the ACR')
-param grantContributorAccess bool = false
+@description('Whether to grant manage token access to the ACR')
+param grantManageTokenAccess bool = true
 
-@description('ACR Namespace Resource Group Name')
+@description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
 var acrPullRoleDefinitionId = subscriptionResourceId(
@@ -25,11 +25,6 @@ var acrDeleteRoleDefinitionId = subscriptionResourceId(
   'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 )
 
-var contributorRoleDefinitionId = subscriptionResourceId(
-  'Microsoft.Authorization/roleDefinitions/',
-  'b24988ac-6180-42a0-ab88-20f7382dd24c'
-)
-
 resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
   name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
   properties: {
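Review bot: The new `grantManageTokenAccess` parameter defaults to `true`, whereas the `grantContributorAccess` it replaces defaulted to `false`, so any consumer of acr-permissions.bicep that does not set the flag now receives a custom role definition plus a token-management assignment on top of its pull/push grants. The only caller visible in this patch (svc-cluster.bicep) passes the flag explicitly, so the module can stay opt-in without touching that caller: `param grantManageTokenAccess bool = false`. The second hunk of this file is the plain removal of `contributorRoleDefinitionId` and needs nothing further.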
@@ -57,10 +52,33 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantContributorAccess) {
-  name: guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (grantManageTokenAccess) {
+  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
+  properties: {
+    assignableScopes: [
+      subscription().id
+      acrResourceGroupid
+    ]
+    description: 'This role allows the management of tokens in the ACR'
+    permissions: [
+      {
+        actions: [
+          'Microsoft.ContainerRegistry/registries/tokens/read'
+          'Microsoft.ContainerRegistry/registries/tokens/write'
+          'Microsoft.ContainerRegistry/registries/tokens/delete'
+          'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+          'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+        ]
+      }
+    ]
+    roleName: 'ACR Manage Tokens'
+  }
+}
+
+resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
+  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
   properties: {
-    roleDefinitionId: contributorRoleDefinitionId
+    roleDefinitionId: tokenManagementRole.id
     principalId: principalId
     principalType: 'ServicePrincipal'
   }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index 7f34a0f51..b66bcb422 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
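Review bot: `roleName: 'ACR Manage Tokens'` is a fixed string while the role definition's `name` is a per-principal, per-resource-group guid, so the loop in svc-cluster.bicep that invokes this module once per ACR resource group will attempt to create several custom role definitions with the same display name; Azure requires custom role names to be unique within a tenant, so the second deployment is likely to be rejected. Either derive the display name from the same inputs, e.g. `roleName: 'ACR Manage Tokens ${uniqueString(acrResourceGroupid, principalId)}'`, or define the role once at subscription scope and let this module only create the assignment. `assignableScopes` also lists `subscription().id` although the assignment below is made at `acrResourceGroupid`; dropping the subscription entry keeps the custom role from being assignable anywhere else. The assignment resource is still named `acrContributorRole` even though it now grants token management; a symbolic name such as `acrManageTokenRoleAssignment` would match the module parameter and the svc-cluster.bicep module name.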
@@ -366,13 +366,13 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
   }
 ]
 
-module acrContributorRole '../modules/acr-permissions.bicep' = [
+module acrManageTokenRole '../modules/acr-permissions.bicep' = [
   for (_, i) in clustersServiceAcrResourceGroupNames: {
-    name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'contributor')
+    name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
     scope: clustersServiceAcrResourceGroups[i]
     params: {
       principalId: csManagedIdentityPrincipalId
-      grantContributorAccess: true
+      grantManageTokenAccess: true
       acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
     }
   }