"""A program to demonstrate accessing Azure Python SDK"""
from azure.core.credentials import AccessToken
from azure.mgmt.authorization import AuthorizationManagementClient
from pulumi_azure_native import authorization, containerregistry, resources
class TokenCred:
    """Minimal credential object that hands a fixed bearer token to the Azure SDK.

    The token is captured once at construction and returned unchanged from
    every ``get_token`` call; nothing in this class refreshes or validates it.
    """

    def __init__(self, token):
        # Raw bearer token string supplied by the caller.
        self.token = token

    def get_token(self, *scopes, **kwargs) -> "AccessToken":
        """Return the stored token regardless of the requested *scopes*.

        The ``expires_on`` value ``-1`` is a timestamp in the past.
        NOTE(review): an SDK pipeline that compares ``expires_on`` against the
        clock will presumably treat the token as stale and call ``get_token``
        again on every request; that is harmless here because the same token is
        returned each time -- confirm against azure-core's credential policy.
        """
        # AccessToken is a (token, expires_on) named tuple; positional
        # construction is equivalent to the keyword form.
        return AccessToken(self.token, -1)
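def get_role_id_by_name(name, scope=""):
    """Return the id of the Azure role definition whose display name is *name*.

    Args:
        name: Display name of the role definition, e.g. ``"AcrPull"``.
        scope: Scope at which role definitions are listed. Defaults to ``""``;
            how the SDK interprets an empty scope is not shown here.

    Returns:
        The ``id`` of the first role definition returned by the service whose
        ``roleName`` equals *name*.

    Raises:
        LookupError: if no role definition with that name is found at *scope*.
            (``LookupError`` is a subclass of ``Exception``, so existing
            ``except Exception`` handlers still apply.)
    """
    config = authorization.get_client_config()
    client_token = authorization.get_client_token()
    client = AuthorizationManagementClient(
        TokenCred(client_token.token), config.subscription_id
    )
    # *name* is spliced into an OData filter string literal. A single quote
    # inside it would terminate the literal and change the query, so it is
    # doubled, which is the OData escaping rule for a quote in a string literal.
    odata_name = name.replace("'", "''")
    def_pages = client.role_definitions.list(
        scope, filter=f"roleName eq '{odata_name}'"
    )
    # Only the first match is used; several definitions sharing a display
    # name are not disambiguated here.
    role = next((definition.id for definition in def_pages), None)
    if role is None:
        raise LookupError(f"role '{name}' not found at scope '{scope}'")
    return role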
# Resource group that holds the registry.
rg = resources.ResourceGroup("resource_group")

# Basic-tier container registry inside that group.
# NOTE(review): admin_user_enabled=True turns on the registry's built-in admin
# account (a shared username/password login). The role assignment below already
# grants pull access through an identity, so the admin account is presumably
# only needed for the demo -- confirm whether it can stay disabled.
acr = containerregistry.Registry(
    "registry",
    resource_group_name=rg.name,
    sku=containerregistry.SkuArgs(name="Basic"),
    admin_user_enabled=True,
)

# Identity of the principal running this program; it is the assignee below.
caller = authorization.get_client_config()

# Grant the current principal AcrPull on the registry only (scope = registry id),
# not on the resource group or subscription.
authorization.RoleAssignment(
    "access-from-cluster",
    principal_id=caller.object_id,
    # adjust this if running as user
    principal_type=authorization.PrincipalType.SERVICE_PRINCIPAL,
    role_definition_id=get_role_id_by_name("AcrPull"),
    scope=acr.id,
)