Jul 10 2024 07:42 AM - edited Jul 10 2024 07:55 AM
Hi,
I was testing with the conditions available within "Role Based Access Control Administrator". The condition was that /role assignments/write can be used to assign permissions only to service principals and not to any user or group, and similarly excluding privileged roles. I don't have a specific option for Managed Identity, so I chose to restrict it to Service Principal. Now when I assign this to a user it works as expected: the user is not able to assign any roles to other users or groups. But when I tried with a Managed Identity it fails. That Managed Identity is not able to assign permissions to other MIs. I just receive the error below:
╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '1cddb99b-58d8-49ba-b77a-ef3e55242591' with object id '1cddb99b-58d8-49ba-b77a-ef3e55242591' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<<sub-id>>/providers/Microsoft.Authorization/roleAssignments/cbc0b177-e87c-69dd-15c4-0fea750aac9a' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│   with module.aks_identity.azurerm_role_assignment.assign-role-to-resource["ids-Operator"],
│   on ../../modules/user_assigned_identity/main.tf line 17, in resource "azurerm_role_assignment" "assign-role-to-resource":
│   17: resource "azurerm_role_assignment" "assign-role-to-resource" {
│
╵
When I translate this error:
The client “managed identity name” with object id … does not have authorization … to assign “Managed Identity Operator”.
Now for more details, this is the MI to which I have assigned that RBAC role with the conditions set.
Jul 10 2024 07:43 AM
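To make the delegation rule described in the post concrete, here is an added example (my own illustration, not code from the post and not Azure's evaluator) that models a constrained-delegation condition on Microsoft.Authorization/roleAssignments/write with the two constraints the poster describes: the target principal must be a ServicePrincipal, and privileged roles may not be granted. Managed identities are represented as principal type ServicePrincipal in Azure role assignments, so a condition restricted to ServicePrincipal does cover them. The role definition GUIDs are placeholders, not real built-in role IDs, and the `render_condition` output follows the documented condition-code syntax as I recall it; check it against the portal's Condition code editor before relying on it.

```python
"""Toy model of an Azure RBAC delegation condition on roleAssignments/write.

Added example, not Azure's own evaluator and not code from the post. It models
the constraints the post describes: assignments may only target ServicePrincipal
objects (managed identities appear as ServicePrincipal in role assignments) and
may not grant privileged roles. Role IDs are placeholders, not real GUIDs.
"""
from dataclasses import dataclass

ROLE_ASSIGNMENTS_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Placeholder GUIDs standing in for the privileged roles the condition excludes.
PRIVILEGED_ROLE_IDS = frozenset({
    "00000000-0000-0000-0000-000000000001",  # placeholder for Owner
    "00000000-0000-0000-0000-000000000002",  # placeholder for User Access Administrator
})

ALLOWED_PRINCIPAL_TYPES = frozenset({"ServicePrincipal"})


@dataclass(frozen=True)
class RoleAssignmentRequest:
    """The attributes of a role-assignment write that the condition inspects."""
    action: str
    principal_type: str       # "User", "Group" or "ServicePrincipal"
    role_definition_id: str


def condition_allows(req: RoleAssignmentRequest,
                     allowed_types=ALLOWED_PRINCIPAL_TYPES,
                     excluded_roles=PRIVILEGED_ROLE_IDS) -> bool:
    """Evaluate the condition for one request.

    Mirrors the shape of a constrained-delegation condition:
      !(ActionMatches{write}) OR (PrincipalType in allowed AND RoleDefinitionId not in excluded)
    """
    # Any action other than roleAssignments/write is untouched by the condition.
    if req.action.casefold() != ROLE_ASSIGNMENTS_WRITE.casefold():
        return True
    # The target principal must be an allowed type (case-insensitive, like
    # the StringEqualsIgnoreCase operator).
    if req.principal_type.casefold() not in {t.casefold() for t in allowed_types}:
        return False
    # The granted role must not be one of the excluded privileged roles.
    return req.role_definition_id.casefold() not in {r.casefold() for r in excluded_roles}


def render_condition(allowed_types=ALLOWED_PRINCIPAL_TYPES,
                     excluded_roles=PRIVILEGED_ROLE_IDS) -> str:
    """Render the same rule in the condition-code syntax used for role
    assignment delegation (assumption: follows the documented format; verify
    against the portal's Condition code editor)."""
    types = ", ".join(f"'{t}'" for t in sorted(allowed_types))
    roles = ", ".join(f"'{r}'" for r in sorted(excluded_roles))
    return (
        "(\n"
        f" (!(ActionMatches{{'{ROLE_ASSIGNMENTS_WRITE}'}}))\n"
        " OR\n"
        " (\n"
        "  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] "
        f"ForAnyOfAnyValues:StringEqualsIgnoreCase {{{types}}}\n"
        "  AND\n"
        "  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
        f"ForAnyOfAllValues:GuidNotEquals {{{roles}}}\n"
        " )\n"
        ")"
    )


# Constructed sample requests: what the delegated identity tries to do.
NON_PRIVILEGED_ROLE = "00000000-0000-0000-0000-0000000000aa"  # placeholder GUID
SAMPLE_REQUESTS = {
    "assign a non-privileged role to a user": RoleAssignmentRequest(
        ROLE_ASSIGNMENTS_WRITE, "User", NON_PRIVILEGED_ROLE),
    "assign a non-privileged role to a managed identity": RoleAssignmentRequest(
        ROLE_ASSIGNMENTS_WRITE, "ServicePrincipal", NON_PRIVILEGED_ROLE),
    "assign a privileged role to a managed identity": RoleAssignmentRequest(
        ROLE_ASSIGNMENTS_WRITE, "ServicePrincipal", "00000000-0000-0000-0000-000000000001"),
    "read role assignments": RoleAssignmentRequest(
        "Microsoft.Authorization/roleAssignments/read", "User", NON_PRIVILEGED_ROLE),
}


def evaluate_samples() -> dict:
    """Return {description: allowed?} for the constructed requests."""
    return {name: condition_allows(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(render_condition())
    for name, ok in evaluate_samples().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {name}")
```

Running the block prints the rendered condition followed by the decision for each constructed request; the user-target and privileged-role requests are denied while the managed-identity target with a non-privileged role is allowed. The model only covers the condition itself: the delegate still needs the underlying role (the RBAC Administrator assignment) at a scope that contains the target, and a write rejected by either check surfaces to the caller as an AuthorizationFailed 403.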