azure, azure-devops, azure-rbac, azure-app-configuration

How to automate Azure App Configuration role assignment in Azure DevOps classic release pipelines?


We have a classic Azure Release pipeline for our web service. Recently we added Azure App Configuration to the service. As part of our pipeline, we run a PowerShell script to automatically assign an Azure KeyVault role to the managed identity of the app:

param (
   [string][Parameter(Mandatory=$true)]$resourceGroupName,
   [string]$keyVaultName
)

# Take the most recent ARM deployment in the resource group; its outputs carry the app name
$lastDeployment = Get-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName | Sort-Object Timestamp -Descending | Select-Object -First 1 

if(!$lastDeployment) {
    throw "Deployment could not be found for Resource Group '$resourceGroupName'."
}

if(!$lastDeployment.Outputs) {
    throw "No output parameters could be found for the last deployment of Resource Group '$resourceGroupName'."
}

# The system-assigned managed identity's service principal has the same display name as the app
$servicePrincipalName = $lastDeployment.Outputs.Item("appname").Value
Write-Host $servicePrincipalName
$servicePrincipalId = $(Get-AzureRmADServicePrincipal -DisplayName $servicePrincipalName).Id
Write-Host $servicePrincipalId
# Key Vault access policy: only Get/List on secrets, keyed on the identity's object ID
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $servicePrincipalId -PermissionsToSecrets List,Get -BypassObjectIdValidation

How do we do the same for App Configuration to give Data Reader role to the last deployed app in the pipeline?


Solution

  • Based on your current PowerShell script sample, you are setting the permissions for the Service Principal.

    How do we do the same for App Configuration to give Data Reader role to the last deployed app in the pipeline?

    To meet your requirement, you can use the following PowerShell script to grant the App Configuration Data Reader role to the Service Principal.

    New-AzRoleAssignment -ApplicationId appid -RoleDefinitionName "App Configuration Data Reader" -Scope "/subscriptions/{SubscriptionID}/resourcegroups/{ResourceGroupName}/providers/Microsoft.AppConfiguration/configurationStores/{yourappconfigurationname}"
    

    PowerShell script example:

    param (
       [string][Parameter(Mandatory=$true)]$resourceGroupName,
       [string]$appconfigname
    )
    
    # Az module throughout: Az and AzureRM cmdlets cannot be mixed in one session/task
    $lastDeployment = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName | Sort-Object Timestamp -Descending | Select-Object -First 1 
    
    if(!$lastDeployment) {
        throw "Deployment could not be found for Resource Group '$resourceGroupName'."
    }
    
    if(!$lastDeployment.Outputs) {
        throw "No output parameters could be found for the last deployment of Resource Group '$resourceGroupName'."
    }
    
    # Look up the managed identity's service principal by the app name from the deployment output
    $servicePrincipalName = $lastDeployment.Outputs.Item("appname").Value
    Write-Host $servicePrincipalName
    $servicePrincipalAppId = $(Get-AzADServicePrincipal -DisplayName $servicePrincipalName).AppId
    Write-Host $servicePrincipalAppId
    # Resource IDs are passed to -Scope (not -ResourceName, which expects a bare name plus -ResourceType/-ResourceGroupName)
    New-AzRoleAssignment -ApplicationId $servicePrincipalAppId -RoleDefinitionName "App Configuration Data Reader" -Scope "/subscriptions/{SubscriptionID}/resourcegroups/{ResourceGroupName}/providers/Microsoft.AppConfiguration/configurationStores/{yourappconfigurationname}"
    

    For more detailed info, you can refer to this ticket and the doc: New-AzRoleAssignment
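
An added, self-contained version of the role-assignment step for a classic release pipeline (example code written for this page, not the asker's or answerer's script). It assumes the Az modules (Az.Resources) are loaded in the Azure PowerShell task, that the ARM template emits the app name in an output called `appname`, and that the app uses a system-assigned managed identity whose service principal display name equals the app name. It resolves the App Configuration scope from the real resource instead of a hand-typed ID, refuses to proceed if the display-name lookup is ambiguous, skips the assignment if it already exists (so re-running the release does not fail on a duplicate), and retries briefly because a just-created identity may not yet be visible to Azure RBAC:

```powershell
param (
    [Parameter(Mandatory = $true)][string]$resourceGroupName,
    [Parameter(Mandatory = $true)][string]$appConfigName,
    [string]$outputName = 'appname'   # assumed name of the ARM output holding the app name
)

$ErrorActionPreference = 'Stop'

# 1. Most recent deployment in the resource group; its outputs tell us which app was deployed
$lastDeployment = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName |
    Sort-Object Timestamp -Descending | Select-Object -First 1
if (-not $lastDeployment) {
    throw "Deployment could not be found for Resource Group '$resourceGroupName'."
}
if (-not $lastDeployment.Outputs -or -not $lastDeployment.Outputs.ContainsKey($outputName)) {
    throw "Output '$outputName' not found on the last deployment of '$resourceGroupName'."
}
$appName = $lastDeployment.Outputs[$outputName].Value
Write-Host "Deployed app: $appName"

# 2. Resolve the managed identity's object ID. Display names are not unique in Entra ID,
#    so fail closed rather than grant the role to the wrong principal.
$principals = @(Get-AzADServicePrincipal -DisplayName $appName)
if ($principals.Count -ne 1) {
    throw "Expected exactly one service principal named '$appName', found $($principals.Count)."
}
$principalId = $principals[0].Id
Write-Host "Managed identity object ID: $principalId"

# 3. Scope = the App Configuration store's own resource ID, read from ARM so the
#    subscription and resource group segments are never typed by hand.
$store = Get-AzResource -ResourceGroupName $resourceGroupName `
    -ResourceType 'Microsoft.AppConfiguration/configurationStores' -Name $appConfigName
$scope = $store.ResourceId

# 4. Least privilege: Data Reader only, scoped to this one store.
$roleName = 'App Configuration Data Reader'

# Get-AzRoleAssignment -Scope also returns inherited assignments, so match the scope exactly
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if ($existing) {
    Write-Host "'$roleName' is already assigned to $principalId on $scope; nothing to do."
    return
}

# 5. Assign, retrying a few times: a freshly created identity can take a short while to
#    replicate, and New-AzRoleAssignment fails with PrincipalNotFound until it has.
$maxAttempts = 5
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
        Write-Host "Assigned '$roleName' to $principalId on $scope."
        break
    }
    catch {
        if ($attempt -eq $maxAttempts) { throw }
        Write-Host "Attempt $attempt failed ($($_.Exception.Message)); retrying in 10s..."
        Start-Sleep -Seconds 10
    }
}
```

The service connection the release uses must itself hold a role that allows `Microsoft.Authorization/roleAssignments/write` on the store (Owner or User Access Administrator at that scope); Contributor alone cannot create role assignments. If the ARM template can also output the identity's `principalId`, pass that straight to `-ObjectId` and drop the display-name lookup in step 2 entirely.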