Azure / caf-terraform-landingzones

Azure Terraform SRE framework

Home Page: https://aka.ms/azure-terraform-sre


[bug] Assign custom_role to SPN with subscriptions scope

gevraud-cicd opened this issue · comments

Describe the bug
I have an SPN which is created in the MGT subscription in level0. I want that SPN to be able to deploy level3 components like AKS, ACR, etc.
I created an AD group and put that SPN in it.
I created a custom role like this one:

custom_role_definitions = {
  level3_deployer = {
    name        = "custom-role-level3-deployer"
    useprefix   = true
    description = "Custom role for the SPN L3 to deploy PaaS services"
    permissions = {
      actions = [
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/xxx",
        "Microsoft.Resources/zzz"
      ]
    }
    assignable_scopes = {
      subscriptions = [
        {
          # Providing an object_id as string
          id = "/subscriptions/xxxxxxxx-yyyy-zzzz-9999-888888888888"
        }
      ]
    }
  }
}

Create role mapping

role_mapping = {
  custom_role_mapping = {
    subscriptions = {
      logged_in_subscription = {
        "level3_deployer" = {
          azuread_groups = {
            keys = ["level3_deployer"]
          }
        }
      }
    }
  }
}

To Reproduce
Steps to reproduce the behavior:

  1. Create application + SPN
  2. Create AD group + add SPN to it
  3. Create custom role and use assigned_scopes with subscription ID
  4. Add custom role to role mapping
  5. Create SPN in MGT subscription
  6. Check

Expected behavior
I expected that assigned_scopes takes precedence over logged_in_subscription.

The custom role should be present in /subscriptions/xxxxxxxx-yyyy-zzzz-9999-888888888888, but it's only present in the MGT subscription.

Additional context
We have multiple clients which need level 3 components.
We are using GitHub Actions to deploy LZs and the gitops SPN from Ignite to deploy those LZs.
So the gitops SPN connects to the right KV and gets the level3_deployer SPN credentials.
That SPN is allowed to deploy PaaS for the client.

NB: if I remove /subscriptions/ in the custom_role, the plan shows / wants to change to the right subscription ID. But Azure requires the /subscriptions prefix.
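As an added example (not code from this issue or from the caf-terraform-landingzones module), the same intent written with plain azurerm resources, so that the two scopes involved are visible side by side. In Azure RBAC, `assignable_scopes` on a role definition only limits where the role may be assigned; the role assignment carries its own `scope`, and that is what decides which subscription the group (and the SPN in it) can actually deploy into. The subscription ID is the placeholder from the issue, the group object ID is an assumed input variable, and the provider block, variable names and output are assumptions of this example.

```hcl
# Added example: explicit role definition + role assignment with the
# assignment scope pinned to the client subscription rather than to the
# subscription the provider happens to be logged in to.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder: the client subscription the level3 SPN should deploy into.
variable "client_subscription_id" {
  type    = string
  default = "xxxxxxxx-yyyy-zzzz-9999-888888888888" # placeholder from the issue
}

# Assumed input: object ID of the AD group that contains the level3_deployer SPN.
variable "level3_deployer_group_object_id" {
  type = string
}

locals {
  # Azure expects the "/subscriptions/" prefix on subscription scopes.
  client_subscription_scope = "/subscriptions/${var.client_subscription_id}"
}

# Least-privilege custom role: list only the actions the deployer needs.
resource "azurerm_role_definition" "level3_deployer" {
  name        = "custom-role-level3-deployer"
  scope       = local.client_subscription_scope
  description = "Custom role for the SPN L3 to deploy PaaS services"

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/providers/read",
      # add the specific provider actions required for AKS / ACR here
    ]
    not_actions = []
  }

  # Where the definition MAY be assigned; it does not assign anything by itself.
  assignable_scopes = [local.client_subscription_scope]
}

# The assignment is what grants access. Its scope must be the client
# subscription (equal to, or below, one of the assignable_scopes above).
resource "azurerm_role_assignment" "level3_deployer_group" {
  scope              = local.client_subscription_scope
  role_definition_id = azurerm_role_definition.level3_deployer.role_definition_resource_id
  principal_id       = var.level3_deployer_group_object_id
  principal_type     = "Group"
}

output "level3_deployer_assignment_scope" {
  value = azurerm_role_assignment.level3_deployer_group.scope
}
```

After `terraform apply`, the check that matches the expected behaviour in the issue is that the assignment shows up under the client subscription and not under the MGT one, e.g. `az role assignment list --scope /subscriptions/<client-subscription-id>` lists the group with `custom-role-level3-deployer`, while the same query against the MGT subscription does not. Keeping the definition's `assignable_scopes` limited to the client subscription also prevents the role from later being assigned more broadly than intended.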

found another way