How to automate Azure App Configuration role assignment in Azure DevOps classic release pipelines?


We have a classic Azure Release pipeline for our web service. Recently we added Azure App Configuration to the service. As part of our pipeline, we run a PowerShell script to automatically assign an Azure KeyVault role to the managed identity of the app:

param (
   [string][Parameter(Mandatory=$true)]$resourceGroupName,
   [string]$keyVaultName
)

$lastDeployment = Get-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName | Sort Timestamp -Descending | Select -First 1 

if(!$lastDeployment) {
    throw "Deployment could not be found for Resource Group '$resourceGroupName'."
}

if(!$lastDeployment.Outputs) {
    throw "No output parameters could be found for the last deployment of Resource Group '$resourceGroupName'."
}

$servicePrincipalName = $lastDeployment.Outputs.Item("appname").Value
Write-host $servicePrincipalName
$servicePrincipalId = $(Get-AzureRmADServicePrincipal -DisplayName $servicePrincipalName).Id
Write-host $servicePrincipalId
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $servicePrincipalId -PermissionsToSecrets List,Get -BypassObjectIdValidation

How do we do the same for App Configuration to give Data Reader role to the last deployed app in the pipeline?

Answer by Kevin Lu-MSFT (best answer)

Based on your current PowerShell script sample, you are setting the permissions for the Service Principal.

How do we do the same for App Configuration to give Data Reader role to the last deployed app in the pipeline?

To meet your requirement, you can use the following PowerShell script to grant the App Configuration Data Reader role to the Service Principal.

New-AzRoleAssignment -ApplicationId appid -RoleDefinitionName "App Configuration Data Reader" -Scope "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.AppConfiguration/configurationStores/{yourappconfigurationname}"

PowerShell script example:

param (
   [string][Parameter(Mandatory=$true)]$resourceGroupName,
   [string][Parameter(Mandatory=$true)]$appconfigname
)

# Az cmdlets are used throughout: the AzureRM and Az modules should not be loaded in the same session.
$lastDeployment = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName | Sort-Object Timestamp -Descending | Select-Object -First 1

if(!$lastDeployment) {
    throw "Deployment could not be found for Resource Group '$resourceGroupName'."
}

if(!$lastDeployment.Outputs) {
    throw "No output parameters could be found for the last deployment of Resource Group '$resourceGroupName'."
}

# The "appname" deployment output is used as the display name of the app's identity.
$servicePrincipalName = $lastDeployment.Outputs.Item("appname").Value
Write-Host $servicePrincipalName
$servicePrincipalAppId = $(Get-AzADServicePrincipal -DisplayName $servicePrincipalName).AppId
Write-Host $servicePrincipalAppId

# A full resource ID is passed with -Scope (-ResourceName takes a bare name plus -ResourceType and -ResourceGroupName).
# Assumes the store lives in $resourceGroupName, in the subscription of the current Azure context.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.AppConfiguration/configurationStores/$appconfigname"
New-AzRoleAssignment -ApplicationId $servicePrincipalAppId -RoleDefinitionName "App Configuration Data Reader" -Scope $scope

For more detailed info, you can refer to this ticket and the doc: New-AzRoleAssignment
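
A re-runnable variant for a release pipeline, as an added example that is not part of the answer above: it scopes the role to the single store, refuses ambiguous display-name matches, and skips the assignment when it already exists. The function name `Grant-AppConfigDataReader` and its parameter names are hypothetical; it assumes the Az.Resources module and a service connection that is allowed to create role assignments.

```powershell
#Requires -Modules Az.Resources

# Hypothetical helper (added example): idempotent, store-scoped role assignment.
function Grant-AppConfigDataReader {
    param (
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [Parameter(Mandatory = $true)][string]$AppConfigName,
        [Parameter(Mandatory = $true)][string]$PrincipalDisplayName
    )

    $roleName = 'App Configuration Data Reader'

    # Resolve the store's full resource ID. It becomes the assignment scope, so the
    # identity can read this one store only, not everything in the resource group.
    $store = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $AppConfigName `
        -ResourceType 'Microsoft.AppConfiguration/configurationStores'
    if (-not $store) {
        throw "App Configuration store '$AppConfigName' not found in '$ResourceGroupName'."
    }
    $scope = $store.ResourceId

    # Display names are not unique in a directory: fail rather than grant
    # access to whichever principal happens to be returned first.
    $principals = @(Get-AzADServicePrincipal -DisplayName $PrincipalDisplayName)
    if ($principals.Count -ne 1) {
        throw "Expected exactly one service principal named '$PrincipalDisplayName', found $($principals.Count)."
    }
    $objectId = $principals[0].Id

    # Get-AzRoleAssignment also lists assignments inherited from parent scopes,
    # so keep only those made directly on the store before deciding to skip.
    $existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Host "'$roleName' is already assigned to $objectId on $scope; nothing to do."
        return $existing
    }

    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope
}
```

In the pipeline script it would be called with the values already resolved there, for example `Grant-AppConfigDataReader -ResourceGroupName $resourceGroupName -AppConfigName $appconfigname -PrincipalDisplayName $servicePrincipalName`.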