feat: add identity and role assignment lib steps #1197
Add CreateManagedIdentity (exports IDENTITY_CLIENT_ID and IDENTITY_ID as ADO variables) and CreateRoleAssignment to lib/steps/azure.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
| --name "${name}" \\ | ||
| --subscription "${subscription}" \\ | ||
| --query clientId -o tsv) | ||
| echo "##vso[task.setvariable variable=IDENTITY_CLIENT_ID]$IDENTITY_CLIENT_ID" |
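Review bot: the visible `az identity show` call passes only `--name` and `--subscription`, yet `az identity show` also requires `--resource-group`; the step already takes a `resourceGroup` parameter, so if it is not on the line just above this excerpt add `--resource-group "${resourceGroup}"`. Also, `$IDENTITY_CLIENT_ID` is taken from a command substitution with no check that the lookup succeeded; unless the script starts with `set -euo pipefail`, a failed `az` call would silently export an empty pipeline variable that later steps then use.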
The functions here push the value to a hard-coded var IDENTITY_CLIENT_ID. Can we take a param to allow the user to pass in an env name they want to store the value in? This would help if there are multiple identities they want to create.
| --query clientId -o tsv) | ||
| echo "##vso[task.setvariable variable=IDENTITY_CLIENT_ID]$IDENTITY_CLIENT_ID" | ||
|
|
||
| IDENTITY_ID=$(az identity show \\ |
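Review bot: `az identity show` is invoked twice here, once with `--query clientId` and once for `IDENTITY_ID`, which doubles the ARM round trips for the same resource; one call with `--query "[clientId,id]" -o tsv` returns both values on a single tab-separated line and can be split with `IFS=$'\t' read -r IDENTITY_CLIENT_ID IDENTITY_ID <<< "$(az identity show ... --query "[clientId,id]" -o tsv)"`.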
Does az identity show return both client id and identity id? I am a bit surprised if you want to call it twice.
Thanks! Now it is only called once.
| --assignee "${assignee}" \\ | ||
| --subscription "${subscription}" | ||
| """ | ||
| AzCli(serviceConnection, "Assign role ${role}", script) |
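Review bot: `--assignee "${assignee}"` makes the CLI resolve the principal through a directory lookup, which can fail with a "principal not found" error when the role assignment runs immediately after the managed identity is created, because of directory replication lag; since the assignee here is a managed identity, passing its `principalId` (not the `clientId` that CreateManagedIdentity exports) via `--assignee-object-id` together with `--assignee-principal-type ServicePrincipal` skips the lookup and avoids that race. The display name `"Assign role ${role}"` would also identify the step better if it included `${assignee}` and `${scope}`.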
Would be good to show assignee as well.
| @@ -0,0 +1,12 @@ | |||
| import azure_pipelines.ap.steps | |||
|
|
|||
| CreateRoleAssignment = lambda serviceConnection: str, scope: str, role: str, assignee: str, subscription: str -> steps.Step { | |||
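Review bot: the lambda has no doc comment stating the expected form of `assignee` and `scope`, and the signature alone does not say whether callers should pass the clientId that CreateManagedIdentity exports as IDENTITY_CLIENT_ID or the resource id exported as IDENTITY_ID; since the script hands the value to `az role assignment create --assignee`, which resolves a principal rather than an ARM resource id, a one-line comment above the lambda stating that would keep the two steps composable.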
This function doesn't provide much value; would it be easier if the user just called AzCli with the script directly?
When creating a function, ask yourself: what does this function encapsulate?
This is intended to be invoked multiple times, since the 3 input variables (scope, role, assignee) can differ per call. Wrapping it as a function avoids duplicating the same CLI script logic.
Will delete this and add the step to subnet creation.
| @@ -0,0 +1,18 @@ | |||
| import azure_pipelines.ap.steps | |||
|
|
|||
| CreateManagedIdentity = lambda serviceConnection: str, subscription: str, resourceGroup: str, name: str, exportVar: str = "IDENTITY" -> steps.Step { | |||
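Review bot: the signature now takes `exportVar: str = "IDENTITY"`, but the `##vso[task.setvariable variable=IDENTITY_CLIENT_ID]` line in the script body still hard-codes the variable name, so the new parameter has no effect; the setvariable lines should derive their names from it, i.e. `variable=${exportVar}_CLIENT_ID` and `variable=${exportVar}_ID`, and the PR description should say that the exported names are built from `exportVar` rather than fixed.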
IIUC, you always need to create a managed identity, then assign a role, then bind it to a service account. Does it make sense to encapsulate the 3 steps into one?
Not for my case. I’m not binding it to a service account, and the role assignments target different resources and roles.