Skip to content
This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

Comment update to register app as owner #262

Merged
merged 6 commits into from
Nov 11, 2020
Merged

Comment update to register app as owner #262

merged 6 commits into from
Nov 11, 2020

Conversation

anshuman-goel
Copy link
Contributor

Summary of the Pull Request

For better instruction updating the comment to indicate adding application as owner in resource group.

PR Checklist

  • Applies to work item: #xxx
  • CLA signed. If not, go over here and sign the CLI.
  • Tests added/passed
  • Requires documentation to be updated
  • I've discussed this with core contributors already. If not checked, I'm ready to accept this work might be rejected in favor of a different grand plan. Issue number where discussion took place: #xxx

bmc-msft
bmc-msft suggested changes Nov 5, 2020
View reviewed changes
Copy link
Contributor

@bmc-msft bmc-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While the Owner role is sufficient to deploy onefuzz, we should recommend using the minimum required roles.

Currently, deployment-role.json shows most of the roles required, but needs to be expanded given the recent change to user assigned managed identity creation on install.

@anshuman-goel
Copy link
Contributor Author

While the Owner role is sufficient to deploy onefuzz, we should recommend using the minimum required roles.

Currently, deployment-role.json shows most of the roles required, but needs to be expanded given the recent change to user assigned managed identity creation on install.

Currently, user assigned managed identity don't work with service principal credential deployment. I will return back to this PR after the fix.

@chkeita
Copy link
Contributor

chkeita commented Nov 5, 2020

@anshuman-goel the deployment issue is caused by the fact that your deployment credential is missing the permission AppRoleAssignment.ReadWrite.All which require admin approval currently

@anshuman-goel
Copy link
Contributor Author

anshuman-goel commented Nov 9, 2020
edited

While the Owner role is sufficient to deploy onefuzz, we should recommend using the minimum required roles.

Currently, deployment-role.json shows most of the roles required, but needs to be expanded given the recent change to user assigned managed identity creation on install.

It turns out that I cannot create because there is a limit of 2000 custom roles per tenant.

@bmc-msft
Copy link
Contributor

A few thoughts.

  1. Recommending owner is still probably not preferred. Would it be acceptable to you to adjust it to "Please see X link for the roles required"?
  2. With the change in Make the role assignment step optional in the deployment #271, the additional role of AppRoleAssignment.ReadWrite.All is only required for install, not upgrade.

@anshuman-goel
Copy link
Contributor Author

A few thoughts.

  1. Recommending owner is still probably not preferred. Would it be acceptable to you to adjust it to "Please see X link for the roles required"?
  2. With the change in Make the role assignment step optional in the deployment #271, the additional role of AppRoleAssignment.ReadWrite.All is only required for install, not upgrade.

That looks reasonable. I will update the comment shortly.

@bmc-msft bmc-msft added this to In progress in Public Roadmap Nov 11, 2020
@bmc-msft bmc-msft merged commit 382003e into microsoft:main Nov 11, 2020
Public Roadmap automation moved this from In progress to Done Nov 11, 2020
@bmc-msft bmc-msft moved this from Done to Recently Released in Public Roadmap Nov 12, 2020
@ryanspletzer
Copy link

ryanspletzer commented Apr 13, 2021
edited

@anshuman-goel the deployment issue is caused by the fact that your deployment credential is missing the permission AppRoleAssignment.ReadWrite.All which require admin approval currently

To clarify is this the AppRoleAssignment.ReadWrite.All a delegated or application permission? Former is OK but latter is much higher privilege for the service principal... We have someone trying to set this up at our org and we're reviewing it.

While the Owner role is sufficient to deploy onefuzz, we should recommend using the minimum required roles.

Currently, deployment-role.json shows most of the roles required, but needs to be expanded given the recent change to user assigned managed identity creation on install.

I'm assuming that of the common roles Contributor vs. Owner, you need to be in the Owner role on the sub for this to work, correct? Unless you use one of the more specific roles beyond these that includes the necessary permissions (or if you make a custom role for this).

@shambho shambho mentioned this pull request Apr 16, 2021
Closed
@chkeita
Copy link
Contributor

chkeita commented Apr 23, 2021
edited

@ryanspletzer

To clarify is this the AppRoleAssignment.ReadWrite.All a delegated or application permission? Former is OK but latter is much higher privilege for the service principal... We have someone trying to set this up at our org and we're reviewing it.

the delegated permission should suffice according to the documentation

I'm assuming that of the common roles Contributor vs. Owner, you need to be in the Owner role on the sub for this to work,

Correct

Unless you use one of the more specific roles beyond these that includes the necessary permissions (or if you make a custom role for this).

Yes, and the json file linked contains the definition for the custom role

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@chkeita chkeita chkeita approved these changes

@bmc-msft bmc-msft bmc-msft approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Public Roadmap
  
Recently Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@anshuman-goel @chkeita @bmc-msft @ryanspletzer