feat: add KeyVaultCryptoOfficer assignment to CI bot#6014
Conversation
|
/assign @roivaz |
There was a problem hiding this comment.
Pull request overview
Adds Azure RBAC grants so the CI bot can call Key Vault data-plane APIs needed by upcoming E2E coverage around customer-managed keys.
Changes:
- Adds a subscription-scope
Key Vault Crypto Userrole assignment for the CI bot in the Bicep RBAC template. - Updates the DEV bootstrap script to grant the same role to the OpenShift Release Bot service principal across the listed subscriptions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| dev-infrastructure/templates/ci-bot-rbac-subscription.bicep | Adds a Key Vault Crypto User role definition ID and a new role assignment at subscription scope. |
| dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh | Grants Key Vault Crypto User via az role assignment create during DEV setup. |
095cdb6 to
c24afd0
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ahitacat The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
c24afd0 to
5070d02
Compare
5070d02 to
e6766e6
Compare
| echo " Assigning Key Vault Crypto Officer role..." | ||
| az role assignment create \ | ||
| --assignee "${APP_ID}" \ | ||
| --role "Key Vault Crypto Officer" \ | ||
| --scope "/subscriptions/${SUBSCRIPTION_ID}" 2>/dev/null || echo " (already assigned)" |
| resource keyVaultCryptoOfficerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { | ||
| name: guid(subscription().id, botPrincipalId, keyVaultCryptoOfficerRole) | ||
| scope: subscription() | ||
| properties: { |
Signed-off-by: Alba Hita Catala <ahitacat@redhat.com>
e6766e6 to
d82f816
Compare
| scope: subscription() | ||
| properties: { | ||
| principalId: botPrincipalId | ||
| principalType: 'ServicePrincipal' | ||
| roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultCryptoOfficerRole) |
| echo " Assigning Key Vault Crypto Officer role..." | ||
| az role assignment create \ | ||
| --assignee "${APP_ID}" \ | ||
| --role "Key Vault Crypto Officer" \ | ||
| --scope "/subscriptions/${SUBSCRIPTION_ID}" 2>/dev/null || echo " (already assigned)" |
|
@ahitacat: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What
Assign KeyVaultCryptoOfficer role to the CI Bot. This is the more restrictive role that grants data plane keyVault permissions.
Why
New E2E tests (introduced in this PR #5629) requires of keyVault data plane permissions to create/rotate/disable keys in the "customer" keyVault
Testing
I am not sure if this requires any test.
Special notes for your reviewer
PR Checklist