fixup! Artifacts

Author: Sheyla Trudo

.pipelines/templates/artifact-storage.steps.yaml

@@ -49,6 +49,7 @@ steps:
          (( $INFRA_RG_LENGTH < $ACNCI_SA_POOL_SIZE )); then
         # Construct RG Name
         RG_NAME="${ACNCI_RG_PREFIX}${LOCAL_ACNCI_UNIQUE_ID}"
+        echo >&2 "##vso[task.setvariable variable=RG_NAME;]$RG_NAME"
         echo >&2 "##vso[task.setvariable variable=CREATE_NEW_RG;]true"
       else
         echo >&2 "##vso[task.setvariable variable=CREATE_NEW_RG;]false"
@@ -224,12 +225,15 @@ steps:
       set -x
       pwd
       ls -la
-      DEFS_FOUND=$(az role definition list --name "$ACNCI_BUILDUSER_ROLE_NAME" --custom-role-only -ojson | jq length)
+      DEFS_FOUND=$(az role definition list \
+        --name "$ACNCI_BUILDUSER_ROLE_NAME" \
+        --resource-group "$ACNCI_BUILDUSER_ROLE_NAME" \
+        --custom-role-only -ojson | jq length)
 
       DEF=$(cat ./azure-container-networking/.pipelines/templates/mi-build-role.json | \
         jq -rc \
-          --arg SUBSCRIPTION_RESOURCEID "/subscriptions/$SUBSCRIPTION_ID" \
-          '.assignableScopes[] = $SUBSCRIPTION_RESOURCEID')
+          --arg RESOURCEID "$ACNCI_BUILD_RESOURCEGROUP_ID" \
+          '.assignableScopes[] = $RESOURCEID')
       
       echo $DEF | jq .
       if (( $DEFS_FOUND < 1 )); then
@@ -240,7 +244,7 @@ steps:
           --role-definition "$DEF"
       fi
   env:
-    ACNCI_BUILD_RESOURCEGROUP_ID: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_ID)
+    ACNCI_BUILD_RESOURCEGROUP_ID: $[ variables['resourcegroups.ACNCI_BUILD_RESOURCEGROUP_ID'] ]
 
 - task: AzureCLI@2
   displayName: "[Check] Build User MI Roles"

.pipelines/templates/mi-build-role.json

@@ -9,7 +9,12 @@
     "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
     "Microsoft.Storage/storageAccounts/blobServices/containers/read",
     "Microsoft.Storage/storageAccounts/blobServices/containers/write",
-    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
+
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
 
     "Microsoft.Storage/storageAccounts/tableServices/tables/read",
     "Microsoft.Storage/storageAccounts/tableServices/tables/write",
@@ -23,6 +28,7 @@
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
 
@@ -41,6 +47,6 @@
   ],
   "notDataActions": [],
   "assignableScopes": [
-    "/"
+    "$RESOURCEID"
   ]
 }