0
votes

I have the following Azure DevOps pipelines in two different Azure DevOps projects, one for the infrastructure team and another one for the application development team:

  1. Networking, ACR and AKS infrastructure provisioning using Terraform
  2. AKS application deployment using Helm

I don't want to grant the Azure subscription owner account or Azure subscription owner permission to the Azure DevOps service connection.

I have two separate service accounts created, one for each pipeline. Now, what are all the roles that need to be assigned to the service accounts so that the Azure DevOps project can use the service accounts/service principals (manual) to connect and perform these activities?

Is this the right way for production deployments?

1
Any more updates for the question? Does it solve your problem? - Charles Xu

1 Answer

1
votes

As far as I know, the service principal can only be created manually, whether through the command line or the REST API. And for production deployment, it's necessary to control the permissions in a strict way. Not giving excessive permissions to the service principal is a safe way, and it provides a precaution against misoperation. Stricter control of permissions is to create a custom role as needed if the built-in role also has more permissions than we need. See the details about Create Custom Role. And for ACR, there is also finer control here for the token if needed.
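As an added example (not from the answer or the asker), the two custom role definitions below sketch what a least-privilege split between the Terraform and Helm service principals could look like, with a small check that rejects Owner-equivalent grants. The subscription id, resource-group name, role names and the exact action lists are assumptions; trim the actions to what your Terraform modules and Helm steps actually call.

```python
import json

# Constructed placeholder values; replace with your own subscription and RG.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-aks-prod"

def custom_role(name, description, actions, scopes):
    """Build an Azure custom role definition in the JSON shape that
    `az role definition create --role-definition <file>` accepts."""
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": list(actions), "NotActions": [], "DataActions": [],
            "NotDataActions": [], "AssignableScopes": list(scopes)}

# Infra pipeline (Terraform): networking, ACR and AKS inside one resource group.
# Assumed action set; narrow it further once you know what Terraform calls.
INFRA_ROLE = custom_role(
    "AKS Infra Terraform Deployer",
    "Provision networking, ACR and AKS; no role-assignment or subscription rights.",
    ["Microsoft.Resources/subscriptions/resourceGroups/read",
     "Microsoft.Resources/deployments/*",
     "Microsoft.Network/*",
     "Microsoft.ContainerRegistry/*",
     "Microsoft.ContainerService/*"],
    [RG_SCOPE])

# App pipeline (Helm): only needs to read the cluster and fetch user credentials.
APP_ROLE = custom_role(
    "AKS Helm Deployer",
    "Deploy Helm charts to AKS; no infrastructure changes.",
    ["Microsoft.ContainerService/managedClusters/read",
     "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
    [RG_SCOPE])

def audit_role(role):
    """Return findings that make the role Owner-like; an empty list means it passes."""
    findings = []
    for action in role["Actions"]:
        if action == "*" or action.startswith("Microsoft.Authorization/"):
            # '*' is effectively Owner; Microsoft.Authorization/* lets the
            # identity grant itself more rights via role assignments.
            findings.append(f"over-broad action: {action}")
    for scope in role["AssignableScopes"]:
        # '/subscriptions/<id>' alone (two path parts) is subscription-wide.
        if len(scope.strip("/").split("/")) <= 2:
            findings.append(f"subscription-wide scope: {scope}")
    return findings

def to_json(role):
    """Serialise a role definition for `az role definition create`."""
    return json.dumps(role, indent=2)
```

Run `audit_role` on every definition before creating it, and assign each custom role to its pipeline's service principal at the resource-group scope only.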