[Feature Request] Support setting key-values/feature flags in ARM/Bicep template with data-plane RBAC #692
Comments
This would be a feature request. It's not possible to do this with existing RBAC of Azure App Configuration today. This doc has details.
(Rightly or wrongly) I have been able to work around this exact issue; to still achieve the level of automation I require...
NB: The service principal is a member of an AD group that has Owner access in app config. Couple of annoying side effects:
Seems like a workaround that I had to find recently was injecting config app key values through powershell -
It works without having to enable the local authentication after the resource is deployed. Works for both key-value and key-vault reference. Not the cleanest workaround but at least it works. I saved the key value pairs in a config.json and read the values from there and injected into the app config through that command. the
This is not expected. Can you please share an example of the
Any progress on this issue yet?
It's funny that Microsoft's employees (or contributors) state that things should be "feature requests" on issues that are caused by using the recommended usage by Microsoft. I quote from the same page:
So this offers "ease of access", but is it "ease of access" when we can't deploy using scripts using RBAC? This is not the first time Microsoft promotes RBAC but has lousy support for it in various deployment tools, forcing the users to still have access key based authentication active. Would really like that this "feature request" could be solved soon as it is quite a big dealbreaker for script based deployments in secure environments.
We just released the solution to this issue in a preview version of the Azure App Configuration stores API. Docs are in the works! What does it do? There is now a setting on your configuration store that can be configured to enable data plane RBAC when deploying key-values via ARM templates. Assuming this setting is configured there are a few points to be considered.
How to enable? This preview API just rolled out so docs + UI + CLI support is still in progress. To enable it at this point in time, the configuration store management API would need to be used directly. The property is documented here. The appropriate configuration to achieve what I discussed here would be API version:
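The store setting described in the comment above, shown as a complete Bicep template; this is an added example and not code from the thread or from the App Configuration team. It assumes the `dataPlaneProxy` property with `authenticationMode` and `privateLinkDelegation`, the `2024-05-01` API version, and that the data-plane role definition id is supplied as a parameter.

```bicep
// Added example (not from the issue thread): deploy key-values through ARM with
// data-plane RBAC while access keys (local auth) stay disabled.
// Assumed, not stated on the page: dataPlaneProxy property names, API version 2024-05-01,
// and that the role definition id is passed in rather than hard-coded.
param location string = resourceGroup().location
param storeName string
param deployerPrincipalId string        // object id of the identity running the deployment
param dataOwnerRoleDefinitionId string  // id of the "App Configuration Data Owner" built-in role

resource store 'Microsoft.AppConfiguration/configurationStores@2024-05-01' = {
  name: storeName
  location: location
  sku: { name: 'standard' }
  properties: {
    disableLocalAuth: true          // access keys off: the setting that used to break keyValues deployments
    publicNetworkAccess: 'Enabled'  // with a private endpoint only, an ARM private link is also required
    dataPlaneProxy: {
      authenticationMode: 'Pass-through'  // ARM forwards the deployer's Entra ID identity to the data plane
      privateLinkDelegation: 'Disabled'   // 'Enabled' only when ARM traffic is routed over an ARM private link
    }
  }
}

// Control-plane permissions alone are not enough: the deployer needs a data-plane role on the store.
resource dataOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(store.id, deployerPrincipalId, dataOwnerRoleDefinitionId)
  scope: store
  properties: {
    principalId: deployerPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataOwnerRoleDefinitionId)
    principalType: 'ServicePrincipal'
  }
}

// Key-value written through ARM using the pass-through identity. dependsOn ensures the role
// assignment exists before the data-plane call; the "$" in the name separates key from label.
resource setting 'Microsoft.AppConfiguration/configurationStores/keyValues@2024-05-01' = {
  parent: store
  name: 'App:Greeting$Production'
  properties: {
    value: 'hello'
    contentType: 'text/plain'
  }
  dependsOn: [ dataOwner ]
}
```

If the store only allows private endpoint traffic, the template request still does not enter through that endpoint; the ARM private link setup discussed later in the thread is needed in addition to `privateLinkDelegation: 'Enabled'`.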
I assume "would be" means "soon"? (it didn't work an hour ago when I tested)
There is an issue detected on our side that blocks this feature for some customers at the moment. We are working on a fix and the ETA is by end of next week (03/22).
@vRune4 "would be" did mean "now". If the attempt failed due to a server error then you are most likely affected by the issue that @hahahahahaiyiwen mentioned. If it failed due to some client error, such as 'invalid property', then let us know because that would be different.
I also tried this using Bicep similar to the configuration below (our scripts are more complex, so this is just a boiler template of it after extracting it):
But it failed with the following error:
Important to note: We're using private endpoint here (That's why I used the
If the configuration store is locked down to a private endpoint, then you will need to have ARM private endpoint enabled on the subscription you are deploying to (docs in the works). Do you have this set up?
Ok... So it is the same then (it was a bit unclear since you wrote
No, I didn't know, thanks for notifying me and I'll look at this when the other issue has been solved!
@hahahahahaiyiwen Sure, will take a look at it. However, I read through the link you sent two weeks ago around the ARM private endpoint setup. But the problem with that is that it requires that things are done in the root management group, which is impossible for me in this assignment to do as the owner denies any change outside of the subscription (which I find totally logical, but unfortunately not those who designed that functionality). I know that this isn't your doing with the private link for managing azure resources limits, but that is a blocker anyway for us to do this so I'll probably look at alternatives to do the configuration additions...
@dozer75 I think supporting private endpoint setup at a more granular level is in the roadmap of ARM. You may want to reach out to them to understand more about the timeline.
I suspect that, but have a hard time finding where to look :/
@dozer75 Unfortunately there is no public documentation about it. I asked internally, and ARM doesn't have an exact timeline. They suggest submitting a feature request in Azure Resource Manager Community.
Documentation and Azure portal UI support are now available 🥳🥳
A bit delayed due to other assignments, but here is the posted idea.
Does anyone have a working example of this? I cannot seem to get this working with a service principal that has the ability to create the resource, all the Microsoft.ConfigurationStores/* permissions, and I’ve enabled pass-through. I’m getting 403 Forbidden still.
What am I missing?
Hi @benjaminsampica is it intentional you disabled public network access? If yes, I assume you have enabled private endpoints on your App Configuration store. In this case, have you set up Azure Resource Management (ARM) private link? Please refer to the following document:
@zhenlan thanks for responding. I believe I have this setup as well. See attached.
Hi @benjaminsampica, yes, I can see you checked the box "Enable Azure Resource Manager Private Network Access". You also need to create an Azure Resource Manager (ARM) Private Link for your subscription so your traffic will actually go through Azure Resource Manager Private Network. Just checking the box alone won't work. Because your ARM template requests don't go through the private endpoint you created for your App Configuration store, this checkbox is only a confirmation that you allow the traffic from a different private link (the ARM private link) to your store. Can you confirm you have set up the ARM private link?
Thanks, I see now. I'll give this a try next week and report back. I do not think this is configured correctly.
Adding values to an App Configuration Store apparently requires Access Keys to be enabled. Otherwise I get the error message "The operation cannot be performed because it requires local authentication to be enabled".
We don't want to enable this since we prefer to only grant access for AAD identities so we have audit trails.
Deployments of values should be possible without enabling local authentication (access keys)
Not sure if this is a bug or a feature request though...