forked from pulumi/examples
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path__main__.py
52 lines (40 loc) · 1.76 KB
/
__main__.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
"""A program to demonstrate accessing Azure Python SDK"""
from azure.core.credentials import AccessToken
from azure.mgmt.authorization import AuthorizationManagementClient
from pulumi_azure_native import authorization, containerregistry, resources
class TokenCred:
def __init__(self, token):
self.token = token
def get_token(self, *scopes, **kwargs) -> 'AccessToken':
return AccessToken(token=self.token, expires_on=-1)
def get_role_id_by_name(name, scope=""):
config = authorization.get_client_config()
client_token = authorization.get_client_token()
client = AuthorizationManagementClient(
TokenCred(client_token.token), config.subscription_id)
def_pages = client.role_definitions.list(
scope, filter=f'roleName eq {name}')
role = None
for x in def_pages:
role = x.id
break
if role is None:
raise Exception(f'role \'{name}\' not found at scope \'{scope}\'')
return role
# Create an Azure Resource Group
resource_group = resources.ResourceGroup('resource_group')
# Create a container registry
container_registry = containerregistry.Registry(
'registry',
resource_group_name=resource_group.name,
sku=containerregistry.SkuArgs(name='Basic'),
admin_user_enabled=True)
client_config = authorization.get_client_config()
current_principal = client_config.object_id
roledef = get_role_id_by_name('AcrPull')
authorization.RoleAssignment("access-from-cluster",
principal_id=current_principal,
# adjust this if running as user
principal_type=authorization.PrincipalType.SERVICE_PRINCIPAL,
role_definition_id=roledef,
scope=container_registry.id)