use managed identity reader access for scaleset configs (#1060)

2025-06-18 20:58:06 +00:00 · 2021-07-13 13:20:50 -04:00
parent 7a7ded6b7e
commit 39beb1591c
4 changed files with 80 additions and 45 deletions
--- a/src/deployment/azuredeploy.json
+++ b/src/deployment/azuredeploy.json
@ -66,6 +66,7 @@
        "Network Contributor": "4d97b98b-1d4f-4787-a291-c67834d212e7",
        "Storage Account Contributor": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
        "Virtual Machine Contributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "Storage Blob Data Reader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
        "keyVaultName": "[concat('of-kv-', uniquestring(resourceGroup().id))]"
    },
    "functions": [
@ -744,6 +745,21 @@
                "OWNER": "[parameters('owner')]"
            }
        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2018-07-01",
+            "name": "[guid(concat(resourceGroup().id, '-user_managed_idenity_read_blob'))]",
+            "properties": {
+                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', variables('Storage Blob Data Reader'))]",
+                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('scaleset_identity')), '2018-11-30', 'Full').properties.principalId]"
+            },
+            "DependsOn": [
+                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountNameFunc'))]"
+            ],
+            "tags": {
+                "OWNER": "[parameters('owner')]"
+            }
+        },
        {
            "type": "Microsoft.SignalRService/SignalR",
            "apiVersion": "2018-10-01",