
Need to do a role delete?

niceseb 1 Reputation point
2022-12-23T00:52:35.013+00:00

Could someone show me why there is a need to do a role delete in this repo?

https://github.com/Azure-Samples/aks-api-server-vnet-integration-bicep/blob/main/bicep/deploy.sh

Comment section says:

Delete any existing role assignments for the user-defined managed identity of the AKS cluster
in case you are re-deploying the solution in an existing resource group

  echo "Retrieving the list of role assignments on [$aksResourceGroupName] resource group..."
  # Capture the IDs as an array so the count printed below is accurate
  assignmentIds=($(az role assignment list \
    --scope "/subscriptions/${subscriptionId}/resourceGroups/${aksResourceGroupName}" \
    --query "[].id" \
    --output tsv \
    --only-show-errors))

  if [[ ${#assignmentIds[@]} -gt 0 ]]; then
    echo "[${#assignmentIds[@]}] role assignments have been found on [$aksResourceGroupName] resource group"
    for assignmentId in "${assignmentIds[@]}"; do
      if [[ -n $assignmentId ]]; then
        az role assignment delete --ids "$assignmentId"  # <----- ?

        if [[ $? == 0 ]]; then
          # The assignment name is the last path segment of its ID
          assignmentName=$(echo "$assignmentId" | awk -F '/' '{print $NF}')
          echo "[$assignmentName] role assignment on [$aksResourceGroupName] resource group successfully deleted"
        fi
      fi
    done
  else
    echo "No role assignment actually exists on [$aksResourceGroupName] resource group"
  fi

Because deleting roles would also delete the "Owner" role assigned to my login credential, and I would have to ask an admin to give my login Owner back before I can try again to deploy the AKS cluster.

https://github.com/Azure-Samples/aks-api-server-vnet-integration-bicep/issues/10


1 answer

  1. srbhatta-MSFT 8,591 Reputation points Microsoft Employee
    2022-12-26T06:56:14.88+00:00

    Hello @niceseb ,
    Welcome to Microsoft QnA.
    This script is only deleting role assignments for the managed identity of the AKS cluster, and not for any other identities or users. It is not deleting any role assignments for your login credential, so your "Owner" role should not be affected.
    In general, deleting existing role assignments before redeploying a solution can help to ensure that the new deployment is successful and that the resource group is in a consistent state.
    Hope this helps!

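An added example, not part of the thread or of the sample repository's deploy.sh: the `az role assignment list` call quoted in the question is filtered only by `--scope`, not by principal, so this sketch shows one way to restrict the cleanup to a single identity. It assumes you already have the managed identity's principal (object) ID; the function names and the `DRY_RUN` variable are hypothetical.

```shell
# Print the IDs of the role assignments that belong to one principal.
# stdin: "assignmentId<TAB>principalId" rows; $1: principal (object) ID.
filter_assignments_for_principal() {
  wanted=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if [ -z "$wanted" ]; then
    echo "principal id required" >&2
    return 2
  fi
  tab=$(printf '\t')
  while IFS="$tab" read -r id principal; do
    # GUIDs can differ in case between tools, so compare in lower case
    principal=$(printf '%s' "$principal" | tr 'A-Z' 'a-z')
    if [ -n "$id" ] && [ "$principal" = "$wanted" ]; then
      printf '%s\n' "$id"
    fi
  done
  return 0
}

# List every assignment at the scope, keep only the given principal's,
# and delete those. With DRY_RUN=1 the IDs are printed, nothing is deleted.
# $1: scope (e.g. the resource group ID); $2: principal (object) ID.
delete_identity_assignments() {
  scope=$1
  principal_id=$2
  az role assignment list \
      --scope "$scope" \
      --query "[].[id, principalId]" \
      --output tsv \
      --only-show-errors |
    filter_assignments_for_principal "$principal_id" |
    while read -r assignment_id; do
      if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would delete $assignment_id"
      else
        az role assignment delete --ids "$assignment_id"
      fi
    done
}
```

Running it once with `DRY_RUN=1` shows which assignments would be removed, so you can confirm that your own Owner assignment is not among them before deleting anything.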
