fixup! Artifacts

Sheyla Trudo · Sheyla Trudo · commit 5a459579e501 · 2024-10-11T15:51:25.000-07:00
diff --git a/.pipelines/templates/artifact-storage.steps.yaml b/.pipelines/templates/artifact-storage.steps.yaml
@@ -227,9 +227,10 @@ steps:
       DEFS_FOUND=$(az role definition list --name "$ACNCI_BUILDUSER_ROLE_NAME" --custom-role-only -ojson | jq length)
 
       DEF=$(cat ./azure-container-networking/.pipelines/templates/mi-build-role.json | \
-        jq -rc \
-          --arg RESOURCE_GROUP_ID "$ACNCI_BUILD_RESOURCEGROUP_ID" \
-          '.assignableScopes[] = $RESOURCE_GROUP_ID')
+        jq -rc '.')
+      
+          #'.assignableScopes[] = $RESOURCE_GROUP_ID')
+          #--arg RESOURCE_GROUP_ID "$ACNCI_BUILD_RESOURCEGROUP_ID" 
       echo $DEF | jq .
       if (( $DEFS_FOUND < 1 )); then
         az role definition create \
diff --git a/.pipelines/templates/mi-build-role.json b/.pipelines/templates/mi-build-role.json
@@ -6,8 +6,9 @@
   "isCustom": true,
   "description": "A custom role given to managed identities created by the CI build process. This role should try to focus on owning the resources already in its scope; rather than creating new ones. Actions should be added as necessary - and not in anticipation.",
   "actions": [
-    "Microsoft.Storage/storageAccounts/blobServices/containers/*",
     "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
 
     "Microsoft.Storage/storageAccounts/tableServices/tables/read",
@@ -31,8 +32,11 @@
   ],
   "notActions": [],
   "dataActions": [
-    "Microsoft.Storage/storageAccounts/blobServices/containers/*",
-    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
 
     "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
     "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
@@ -56,6 +60,6 @@
   ],
   "notDataActions": [],
   "assignableScopes": [
-    "$RESOURCE_GROUP_ID"
+    "/"
   ]
 }
