/// <summary> /// Creates RBAC role assignments for the virtual machine service principal. /// </summary> /// <param name="virtualMachine">The virtual machine.</param> /// <return>An observable that emits the created role assignments.</return> ///GENMHASH:ACFB6162939077C3462B391EB2DD5A18:01A98853651D800A25EE02E4E8B4FAB6 private async Task <List <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> > CreateRbacRoleAssignmentsAsync(IVirtualMachine virtualMachine, CancellationToken cancellationToken = default(CancellationToken)) { List <IRoleAssignment> roleAssignments = new List <IRoleAssignment>(); if (!this.rolesToAssign.Any() && !this.roleDefinitionsToAssign.Any()) { return(roleAssignments); } var servicePrincipal = await rbacManager.ServicePrincipals.GetByIdAsync(virtualMachine.Inner.Identity.PrincipalId, cancellationToken); await ResolveCurrentResourceGroupScopeAsync(virtualMachine); var roleAssignments1 = await Task.WhenAll(rolesToAssign.Values.Select(async(scopeAndRole) => { BuiltInRole role = scopeAndRole.Item2; string scope = scopeAndRole.Item1; return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, role.ToString(), scope, true, cancellationToken)); })); roleAssignments.AddRange(roleAssignments1); var roleAssignments2 = await Task.WhenAll(roleDefinitionsToAssign.Values.Select(async(scopeAndRole) => { string roleDefinition = scopeAndRole.Item2; string scope = scopeAndRole.Item1; return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, roleDefinition, scope, false, cancellationToken)); })); roleAssignments.AddRange(roleAssignments2); return(roleAssignments.FindAll(roleAssignment => roleAssignment != null)); }
internal static void ValidateBuiltInRoleEnumValue(BuiltInRole testMe, string parameterName) { if (((((((((testMe != BuiltInRole.AccountOperator) && (testMe != BuiltInRole.Administrator)) && (testMe != BuiltInRole.BackupOperator)) && (testMe != BuiltInRole.Guest)) && (testMe != BuiltInRole.PowerUser)) && (testMe != BuiltInRole.PrintOperator)) && (testMe != BuiltInRole.Replicator)) && (testMe != BuiltInRole.SystemOperator)) && (testMe != BuiltInRole.User)) { throw new InvalidEnumArgumentException(parameterName, (int) testMe, typeof(BuiltInRole)); } }
private static IServicePrincipal CreateServicePrincipalWithRoleForApplicationAndExportToFile( Azure.IAuthenticated authenticated, IActiveDirectoryApplication activeDirectoryApplication, BuiltInRole role, string subscriptionId, string authFilePath) { Utilities.Log("Creating Service Principal..."); string name = SdkContext.RandomResourceName("sp-sample", 20); //create a self-sighed certificate string domainName = name + ".com"; string certPassword = Utilities.CreatePassword(); Certificate certificate = Certificate.CreateSelfSigned(domainName, certPassword); // create a Service Principal and assign it to a subscription with the role Contributor return(authenticated.ServicePrincipals .Define("name") .WithExistingApplication(activeDirectoryApplication) // password credentials definition .DefinePasswordCredential("ServicePrincipalAzureSample") .WithPasswordValue(Utilities.CreatePassword()) .Attach() // certificate credentials definition .DefineCertificateCredential("spcert") .WithAsymmetricX509Certificate() .WithPublicKey(File.ReadAllBytes(certificate.CerPath)) .WithDuration(TimeSpan.FromDays(7)) // export the credentials to the file .WithAuthFileToExport(new StreamWriter(new FileStream(authFilePath, FileMode.OpenOrCreate))) .WithPrivateKeyFile(certificate.PfxPath) .WithPrivateKeyPassword(certPassword) .Attach() .WithNewRoleInSubscription(role, subscriptionId) .Create()); }
internal static void ValidateBuiltInRoleEnumValue(BuiltInRole testMe, string parameterName) { if (((((((((testMe != BuiltInRole.AccountOperator) && (testMe != BuiltInRole.Administrator)) && (testMe != BuiltInRole.BackupOperator)) && (testMe != BuiltInRole.Guest)) && (testMe != BuiltInRole.PowerUser)) && (testMe != BuiltInRole.PrintOperator)) && (testMe != BuiltInRole.Replicator)) && (testMe != BuiltInRole.SystemOperator)) && (testMe != BuiltInRole.User)) { throw new InvalidEnumArgumentException(parameterName, (int)testMe, typeof(BuiltInRole)); } }
/// <summary> /// Specifies that applications running on the virtual machine requires the given access role /// with scope of access limited to the arm resource identified by the resource id specified /// in the scope parameter. /// </summary> /// <param name="scope">Scope of the access represented in arm resource id format.</param> /// <param name="asRole">Access role to assigned to the virtual machine.</param> /// <return>VirtualMachineMsiHelper.</return> ///GENMHASH:EFFF7ECD982913DB369E1EF1644031CB:9F5B63517E99FAB38D9622B261E856C1 internal VirtualMachineMsiHelper WithRoleBasedAccessTo(string scope, BuiltInRole asRole) { this.requireSetup = true; string key = scope.ToLower() + "_" + asRole.ToString().ToLower(); if (!this.rolesToAssign.ContainsKey(key)) { this.rolesToAssign.Add(key, new System.Tuple <string, BuiltInRole>(scope, asRole)); } return(this); }
public bool IsInRole(BuiltInRole role) { ValidateBuiltInRoleEnumValue(role, "role"); TypeConverter converter = TypeDescriptor.GetConverter(typeof(BuiltInRole)); if (this.IsWindowsPrincipal()) { WindowsBuiltInRole role2 = (WindowsBuiltInRole) converter.ConvertTo(role, typeof(WindowsBuiltInRole)); return ((WindowsPrincipal) this.InternalPrincipal).IsInRole(role2); } return this.InternalPrincipal.IsInRole(converter.ConvertToString(role)); }
public bool IsInRole(BuiltInRole role) { ValidateBuiltInRoleEnumValue(role, "role"); TypeConverter converter = TypeDescriptor.GetConverter(typeof(BuiltInRole)); if (this.IsWindowsPrincipal()) { WindowsBuiltInRole role2 = (WindowsBuiltInRole)converter.ConvertTo(role, typeof(WindowsBuiltInRole)); return(((WindowsPrincipal)this.InternalPrincipal).IsInRole(role2)); } return(this.InternalPrincipal.IsInRole(converter.ConvertToString(role))); }
/// <summary> /// Creates RBAC role assignments for the virtual machine scale set MSI service principal. /// </summary> /// <param name="scaleSet">The virtual machine scale set.</param> /// <return>An observable that emits the created role assignments.</return> ///GENMHASH:2E7E577AEA0C43B5B8D7B57BEFEF1E29:DDAE54B3372466B701A29E3B6A6362B2 internal async Task <List <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> > CreateMSIRbacRoleAssignmentsAsync(IVirtualMachineScaleSet scaleSet, CancellationToken cancellationToken = default(CancellationToken)) { if (!requireSetup) { return(new List <IRoleAssignment>()); } else if (!scaleSet.IsManagedServiceIdentityEnabled) { return(new List <IRoleAssignment>()); } else if (!this.rolesToAssign.Any() && !this.roleDefinitionsToAssign.Any()) { return(new List <IRoleAssignment>()); } try { var servicePrincipal = await rbacManager .ServicePrincipals .GetByIdAsync(scaleSet.Inner.Identity.PrincipalId, cancellationToken); await ResolveCurrentResourceGroupScopeAsync(scaleSet); List <IRoleAssignment> roleAssignments = new List <IRoleAssignment>(); var roleAssignments1 = await Task.WhenAll(rolesToAssign.Values.Select(async(scopeAndRole) => { BuiltInRole role = scopeAndRole.Item2; string scope = scopeAndRole.Item1; return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, role.ToString(), scope, true, cancellationToken)); })); roleAssignments.AddRange(roleAssignments1); var roleAssignments2 = await Task.WhenAll(roleDefinitionsToAssign.Values.Select(async(scopeAndRole) => { string roleDefinition = scopeAndRole.Item2; string scope = scopeAndRole.Item1; return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, roleDefinition, scope, false, cancellationToken)); })); roleAssignments.AddRange(roleAssignments2); return(roleAssignments.FindAll(roleAssignment => roleAssignment != null)); } finally { Clear(); } }
// Methods /// <summary> /// Initializes the class by authenticating the user and then setting the /// user name and role, based on a name and a password /// </summary> /// <param name="name"></param> /// <param name="password"></param> public SampleIIdentity(string name, string password) { if (this.IsValidNameAndPassword(name, password)) { this.nameValue = name; this.authenticatedValue = true; this.roleValue = BuiltInRole.Administrator; } else { this.nameValue = "anonymouse"; this.authenticatedValue = false; this.roleValue = BuiltInRole.Guest; } }
private IRoleAssignment LookupRoleAssignmentUsingScopeAndRole(string scope, BuiltInRole role, string principalId, IAzure azure) { var roleDefinition = azure.AccessManagement.RoleDefinitions .GetByScopeAndRoleName(scope, role.Value); var roleAssignments = azure.AccessManagement.RoleAssignments .ListByScope(scope); if (roleDefinition != null) { return(roleAssignments.FirstOrDefault(a => a.RoleDefinitionId.Equals(roleDefinition.Id, StringComparison.OrdinalIgnoreCase) && a.PrincipalId.Equals(principalId, StringComparison.OrdinalIgnoreCase))); } return(null); }
/// <summary> /// Creates a RBAC role assignment (using role or role definition) for the given service principal. /// </summary> /// <param name="servicePrincipal">The service principal.</param> /// <param name="roleOrRoleDefinition">The role or role definition.</param> /// <param name="scope">The scope for the role assignment.</param> /// <return>An observable that emits the role assignment if it is created, null if assignment already exists.</return> ///GENMHASH:85AA7846D5642A1F7125332B46A901BE:A2437532CFAD0C7032A34C1FD573957E private async Task <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> CreateRbacRoleAssignmentIfNotExistsAsync(IServicePrincipal servicePrincipal, string roleOrRoleDefinition, string scope, bool isRole, CancellationToken cancellationToken = default(CancellationToken)) { string roleAssignmentName = SdkContext.RandomGuid(); try { if (isRole) { return(await rbacManager .RoleAssignments .Define(roleAssignmentName) .ForServicePrincipal(servicePrincipal) .WithBuiltInRole(BuiltInRole.Parse(roleOrRoleDefinition)) .WithScope(scope) .CreateAsync(cancellationToken)); } else { return(await rbacManager .RoleAssignments .Define(roleAssignmentName) .ForServicePrincipal(servicePrincipal) .WithRoleDefinition(roleOrRoleDefinition) .WithScope(scope) .CreateAsync(cancellationToken)); } } catch (CloudException cloudException) { if (cloudException.Body != null && cloudException.Body.Code != null && cloudException.Body.Code.Equals("RoleAssignmentExists", StringComparison.OrdinalIgnoreCase)) { // NOTE: We are unable to lookup the role assignment from principal.RoleAssignments() list // because role assignment object does not contain 'role' name (the roleDefinitionId refer // 'role' using id with GUID). return(null); } throw cloudException; } }
///GENMHASH:E52BA5580C6DD688687D5F7962138CA3:C76E712B3F0BFB0C78333420FF42894C public IdentityImpl WithAccessToCurrentResourceGroup(BuiltInRole role) { this.roleAssignmentHelper.WithAccessToCurrentResourceGroup(role); return(this); }
public IWithSystemAssignedIdentityBasedAccessOrCreate WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(BuiltInRole role) { this.containerGroupMsiHandler.WithAccessToCurrentResourceGroup(role); return(this); }
public IWithSystemAssignedIdentityBasedAccessOrCreate WithSystemAssignedIdentityBasedAccessTo(string resourceId, BuiltInRole role) { this.containerGroupMsiHandler.WithAccessTo(resourceId, role); return(this); }
/// <summary> /// Specifies a system assigned managed service identity with access to the current resource group and with the specified role. /// </summary> /// <param name="role">Access role to be assigned to the identity.</param> /// <return>The next stage of the definition.</return> ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreate ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreateBeta.WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(BuiltInRole role) { return(this.WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(role)); }
/// <summary> /// Specifies a system assigned managed service identity with access to a specific resource with a specified role. /// </summary> /// <param name="resourceId">The id of the resource you are setting up access to.</param> /// <param name="role">Access role to be assigned to the identity.</param> /// <return>The next stage of the definition.</return> ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreate ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreateBeta.WithSystemAssignedIdentityBasedAccessTo(string resourceId, BuiltInRole role) { return(this.WithSystemAssignedIdentityBasedAccessTo(resourceId, role)); }
public bool IsInRole(BuiltInRole role) { }
/// <summary> /// Specifies that applications running on the virtual machine requires the given access role /// with scope of access limited to the current resource group that the virtual machine /// resides. /// </summary> /// <param name="asRole">Access role to assigned to the virtual machine.</param> /// <return>VirtualMachineMsiHelper.</return> ///GENMHASH:F6C5721A84FA825F62951BE51537DD36:3B28EC7DC783C825B70ABCF4EB8FC542 internal VirtualMachineMsiHelper WithRoleBasedAccessToCurrentResourceGroup(BuiltInRole asRole) { return(this.WithRoleBasedAccessTo(CURRENT_RESOURCE_GROUP_SCOPE, asRole)); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on an ARM resource identified by the given resource id. An applications running /// on an Azure service with this identity can use this permission to access the resource. /// </summary> /// <param name="resourceId">Id of the resource to access.</param> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the definition.</return> Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessTo(string resourceId, BuiltInRole role) { return(this.WithAccessTo(resourceId, role)); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on an ARM resource. An applications running on an Azure service with this identity /// can use this permission to access the resource. /// </summary> /// <param name="resource">The resource to access.</param> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the definition.</return> Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessTo(IResource resource, BuiltInRole role) { return(this.WithAccessTo(resource, role)); }
///GENMHASH:0CEE95C0D1098AAAC5BF7C869DE68D7D:E5512083F6DA7EA2BA516BF9E845E0A9 public IdentityImpl WithAccessTo(string resourceId, BuiltInRole role) { this.roleAssignmentHelper.WithAccessTo(resourceId, role); return(this); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on the resource group that identity resides. An applications running on an Azure /// service with this identity can use this permission to access the resource group. /// </summary> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the definition.</return> Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessToCurrentResourceGroup(BuiltInRole role) { return(this.WithAccessToCurrentResourceGroup(role)); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on an ARM resource. An applications running on an Azure service with this identity /// can use this permission to access the resource. /// </summary> /// <param name="resource">The resource to access.</param> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the update.</return> Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessTo(IResource resource, BuiltInRole role) { return(this.WithAccessTo(resource, role)); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on the resource group that identity resides. An applications running on an Azure /// service with this identity can use this permission to access the resource group. /// </summary> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the update.</return> Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessToCurrentResourceGroup(BuiltInRole role) { return(this.WithAccessToCurrentResourceGroup(role)); }
/// <summary> /// Specifies that the identity should have the given access (described by the role) /// on an ARM resource identified by the given resource id. An applications running /// on an Azure service with this identity can use this permission to access the resource. /// </summary> /// <param name="resourceId">Id of the resource to access.</param> /// <param name="role">Access role to assigned to the identity.</param> /// <return>The next stage of the update.</return> Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessTo(string resourceId, BuiltInRole role) { return(this.WithAccessTo(resourceId, role)); }