Grant Cluster Service access to MGMT Key Vautls #867
Conversation
janboll
requested review from
bennerv,
geoberle,
weinong,
whober0521,
tony-schndr,
jmelis,
jonathan34c,
niontive,
nwnt,
SudoBrendan and
UlrichSchlueter
as code owners
janboll
force-pushed
the
cs-additional-permissions
branch
from
ea192e9
to
5397a2d
Compare
janboll
force-pushed
the
cs-additional-permissions
branch
from
5397a2d
to
3932d27
Compare
|
@miguelsorianod can you also help review this? It's related to the work around certs and secrets persist / retrieval / delete in CS for cluster provision flow |
| for role in [ | ||
| 'Key Vault Secrets User' | ||
| 'Key Vault Certificate User' | ||
| 'Key Vault Certificates Officer' | ||
| ]: { |
There was a problem hiding this comment.
These three roles looks about right for me.
Anything else we need to remove / add @miguelsorianod ?
There was a problem hiding this comment.
i guess you will need Key Vault Secrets Officer as well to be able to create secrets, for things like the the ACR pull secret token etc
There was a problem hiding this comment.
You are right. We need RW and I thought Key Vault Secrets User gives us that by looking at the comment in
but it seems like the comment wrong it should beRead secret contents including secret portion of a certificate with private key. Non?
| for role in [ | ||
| 'Key Vault Secrets User' | ||
| 'Key Vault Certificate User' | ||
| 'Key Vault Certificates Officer' | ||
| ]: { |
There was a problem hiding this comment.
There was a problem hiding this comment.
same as what @geoberle mentioned above we need the Key Vault Secrets Officer and not Key Vault Secrets User
| @@ -32,6 +32,7 @@ defaults: | |||
|
|
|||
| # MGMT cluster specifics | |||
| mgmt: | |||
| clusterServicePrincipalId: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-{{ .ctx.regionShort }}-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync | |||
There was a problem hiding this comment.
| clusterServicePrincipalId: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-{{ .ctx.regionShort }}-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/image-sync | |
| clusterServicePrincipalId: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-{{ .ctx.regionShort }}-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service |
like this?
| for role in [ | ||
| 'Key Vault Secrets User' | ||
| 'Key Vault Certificate User' | ||
| 'Key Vault Certificates Officer' | ||
| ]: { |
There was a problem hiding this comment.
i guess you will need Key Vault Secrets Officer as well to be able to create secrets, for things like the the ACR pull secret token etc
| } | ||
| ] | ||
|
|
||
| module msiCluserServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = [ |
| @@ -25,6 +27,14 @@ var roleResourceIds = { | |||
| 'Microsoft.Authorization/roleDefinitions/', | |||
| 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7' | |||
| ) | |||
| 'Key Vault Certificate User': subscriptionResourceId( | |||
There was a problem hiding this comment.
We could add comments to document what this role gives similar to what is done above for the other roles
There was a problem hiding this comment.
Read entire certificate contents including secret and key portion.
| 'Microsoft.Authorization/roleDefinitions/', | ||
| 'db79e9a7-68ee-4b58-9aeb-b90e7c24fcba' | ||
| ) | ||
| 'Key Vault Certificates Officer': subscriptionResourceId( |
There was a problem hiding this comment.
There was a problem hiding this comment.
Perform any action on the certificates of a key vault, excluding reading the secret and key portions, and managing permissions.
What this PR does
Jira: https://issues.redhat.com/browse/ARO-12201
Link to demo recording:
Special notes for your reviewer