An app needs to list RBAC role assignments for a given resource. This works locally using my own credentials (AzureCliCredential), but not when deployed in Azure using ManagedIdentityCredential. I suppose this is because I am the subscription owner.
How would I authorize the MSI to have read/list permissions with regards to the ARM itself?
The following code is used.
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// One shared HttpClient instead of allocating a new one per request.
private static readonly HttpClient _http = new();

public static async Task<RoleAssignmentsResult> GetRoleAssignmentsFor(string resource)
{
    const string VERSION = "2018-01-01-preview";
    // 'resource' is the ARM resource id path without the leading slash, e.g.
    // subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault}
    string url = $"https://management.azure.com/{resource}/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version={VERSION}";
    Stream respBody = await _request(url);
    var result = await JsonSerializer.DeserializeAsync<RoleAssignmentsResult>(respBody);
    return result;
}

private static async Task<Stream> _request(string url)
{
    HttpRequestMessage req = new(HttpMethod.Get, new Uri(url));
    string[] scopes = { "https://management.azure.com" };   // ARM token audience
    ManagedIdentityCredential cred = new();
    TokenRequestContext ctx = new(scopes);
    // Keep the token in a local; the original 'return await' here made the
    // remaining lines unreachable and returned the wrong type.
    AccessToken jwt = await cred.GetTokenAsync(ctx);
    req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt.Token);
    HttpResponseMessage res = await _http.SendAsync(req);
    // A 403 from ARM (missing roleAssignments/read permission) would otherwise
    // surface as an opaque JSON deserialization error further up.
    res.EnsureSuccessStatusCode();
    return await res.Content.ReadAsStreamAsync();
}
Thanks @juunas. As you proposed in the comments to the question, assigning the Reader role for the resource to the MSI did the trick. As I was interested in listing role assignments for individual KeyVault secrets, I chose the vault as the scope.
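The role assignment described in this answer, written out as an Azure CLI script (an added example, not the asker's code): it grants the web app's system-assigned managed identity the Reader role scoped to a single Key Vault and then verifies the assignment. The subscription id, resource group, vault and web app names are placeholders, and a system-assigned identity on an App Service web app is assumed.

```shell
#!/usr/bin/env sh
# Added example (not the asker's code). Reader at vault scope includes
# Microsoft.Authorization/roleAssignments/read on the vault and the secrets
# beneath it, which is all the listing code needs. All names are placeholders.
set -eu

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP="rg-example"
VAULT_NAME="kv-example"
WEBAPP_NAME="app-example"

# Build the ARM resource id of the vault; this is the role-assignment scope
# and also the 'resource' path the C# code queries roleAssignments under.
kv_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
        "$1" "$2" "$3"
}

# Object id of the web app's system-assigned identity (the MSI the app runs as).
msi_principal_id() {
    az webapp identity show --name "$1" --resource-group "$2" \
        --query principalId -o tsv
}

# Assign Reader to that principal at vault scope only (least privilege), then
# list what the principal now holds at that scope to confirm it took effect.
grant_reader_on_vault() {
    scope=$(kv_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME")
    principal=$(msi_principal_id "$WEBAPP_NAME" "$RESOURCE_GROUP")
    az role assignment create \
        --assignee-object-id "$principal" \
        --assignee-principal-type ServicePrincipal \
        --role Reader \
        --scope "$scope"
    az role assignment list --assignee "$principal" --scope "$scope" -o table
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced.
if [ "${RUN_AZ:-0}" = "1" ]; then
    grant_reader_on_vault
fi
```

Passing `--assignee-principal-type ServicePrincipal` with the object id avoids the Graph lookup that fails for freshly created identities that have not replicated yet.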