
Roles used for managed identities in AKS templates should be scoped down #214

@tmacam

In https://github.com/dapr/test-infra/blob/master/deploy/aks/monitoring/monitoring.bicep#L47-L55 we have the following:

// Reference to the built-in "Grafana Admin" role definition, resolved at subscription scope
resource grafanaRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: '22926164-76b3-42b3-bc55-97df8dab3e41'
  scope: subscription()
}

// Reference to the built-in "Monitoring Data Reader" role definition, resolved at subscription scope
resource amwRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: 'b0d8363b-8ddd-447d-831f-62ca05bff136'
  scope: subscription()
}

This means that in order to deploy this Bicep template you need permissions that grant you rights to create subscription-level roles. This is too broad, especially considering that the usage of these roles is scoped down to a single resource group / cluster.
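The following is an added example, not the dapr/test-infra template, of the scoped-down shape the issue asks for: a resource-group-scoped deployment whose role assignments target one Azure Monitor workspace and one Managed Grafana instance. The two built-in role definition ids are taken from the snippet above and are only read via subscriptionResourceId(); the resource names, the identity that receives Grafana Admin, and the choice of which principal gets which role are assumptions made for the illustration and do not reflect what monitoring.bicep actually assigns.

```bicep
// Added example, not from dapr/test-infra. Deploy into the monitoring resource group:
//   az deployment group create -g <rg> -f scoped-roles.bicep -p monitorWorkspaceName=... grafanaName=... clusterIdentityPrincipalId=...
targetScope = 'resourceGroup'

@description('Assumed: name of an existing Azure Monitor workspace in this resource group')
param monitorWorkspaceName string

@description('Assumed: name of an existing Azure Managed Grafana instance in this resource group')
param grafanaName string

@description('Assumed: object id of the cluster managed identity that should administer Grafana')
param clusterIdentityPrincipalId string

// Built-in role definition ids (same GUIDs as in the issue). subscriptionResourceId() only
// builds the ARM id of an existing built-in definition; nothing is created at subscription scope.
var monitoringDataReaderRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b0d8363b-8ddd-447d-831f-62ca05bff136')
var grafanaAdminRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '22926164-76b3-42b3-bc55-97df8dab3e41')

resource amw 'Microsoft.Monitor/accounts@2023-04-03' existing = {
  name: monitorWorkspaceName
}

resource grafana 'Microsoft.Dashboard/grafana@2023-09-01' existing = {
  name: grafanaName
}

// Grafana's system-assigned identity may read metrics from this one workspace only.
// scope: amw pins the assignment to the workspace resource, not the subscription or the group.
resource grafanaReadsAmw 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(amw.id, grafana.id, monitoringDataReaderRoleId)
  scope: amw
  properties: {
    roleDefinitionId: monitoringDataReaderRoleId
    principalId: grafana.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// The cluster identity (assumed principal) may administer this one Grafana instance only.
resource clusterAdminsGrafana 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(grafana.id, clusterIdentityPrincipalId, grafanaAdminRoleId)
  scope: grafana
  properties: {
    roleDefinitionId: grafanaAdminRoleId
    principalId: clusterIdentityPrincipalId
    principalType: 'ServicePrincipal'
  }
}

output grafanaReadsAmwAssignmentId string = grafanaReadsAmw.id
output clusterAdminsGrafanaAssignmentId string = clusterAdminsGrafana.id
```

Because every roleAssignments resource carries an explicit scope on a resource inside the group, the deploying principal needs Microsoft.Authorization/roleAssignments/write only at resource-group level (for example Owner or User Access Administrator on that group), not on the subscription. To check what was actually granted after deployment, list assignments at the narrow scope rather than the subscription, e.g. `az role assignment list --scope <workspace or grafana resource id> -o table`, and confirm no assignment appears when the same command is run with the subscription id as scope.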
