Skip to content
This repository has been archived by the owner on Aug 2, 2024. It is now read-only.

Can we further automatize the steps to give a UAI access to a given storage account? #270

Open
thomasp-ms opened this issue Feb 13, 2023 · 3 comments
Open

Can we further automatize the steps to give a UAI access to a given storage account? #270

thomasp-ms opened this issue Feb 13, 2023 · 3 comments
Assignees
@thomasp-ms
Labels
direct customer ask documentation Improvements or additions to documentation

Comments

@thomasp-ms
Copy link
Contributor

Is your feature request related to a problem? Please describe.
Currently, many of our tutorials and provisioning resources have some manual steps for giving a UAI access to a given storage account.

Describe the solution you'd like
It would be nice if we had scripts to automatize this process. It is not always going to be possible because in some cases we don't know the name of the storage account. However, it would still be nice to have some scripts that takes inputs given by the user.
@thomasp-ms thomasp-ms added documentation Improvements or additions to documentation direct customer ask iteration-06 labels Feb 13, 2023
@thomasp-ms thomasp-ms self-assigned this Feb 13, 2023
@jfomhover
Copy link
Contributor

Similar to #157

@jfomhover
Copy link
Contributor

I've researched this a little bit, there's a couple options, none sounds satisfactory entirely.

Option 1 : bicep

we could use our current bicep script "msi_storage_rw.bicep", but the users would have to run to figure out the UAI principal ID before running the command.

Option 2 : az cli

We could provide 3 commands like:

az role assignment create --assignee "UAIPRINCIPALID" \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/storage12345"

Option 3 : integrate in the pair bicep script

The silo creation bicep script could do it by itself, but it might work only for a specific subset of configs where the orchestrator storage is in the same resource group, and not private (no endpoint creation).

@thomasp-ms
Copy link
Contributor Author

I'm not big on Option 3 if that's not going to be applicable for all variants of setups. Options 1 and 2 seem to share the same drawback of requiring the user to figure out the UAI, but a/ we can provide explicit guidance for that and b/ this is already the case with the current state, so I don't view this as a huge drawback.

I slightly prefer O1 vs O2, because a/ it would be nice to stay consistent with bicep templates and b/ O2 would require the user to do 3 actions instead of just 1 (assuming we can't create several role assignments in a single command, otherwise this argument does not hold).

That being said, would O1 still work in cases where O3 wouldn't? (Sorry, I'm probably missing something here but I can't see why the difficulties in O3 wouldn't apply to O1).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@thomasp-ms thomasp-ms

Labels
direct customer ask documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jfomhover @thomasp-ms