Script that validates a Function App's Azure managed identity access to a Cosmos container
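#!/bin/bash
# Verifies that the managed identity associated with a Function App holds the
# expected SQL role assignment on a Cosmos DB account.
#
# Usage:    <script> <Function App Name> <FuncApp RG Name> <Cosmos SQL Account Name> <Cosmos RG Name>
# Requires: jq, az (logged in; the subscription of the current az login is used)
#
# Was 'set -epu': '-p' is bash privileged mode, almost certainly a typo.
set -euo pipefail

# Check if jq and az cli are installed. A missing tool is a failure: exit
# non-zero so a caller (CI step, wrapper script) cannot mistake it for success.
if ! command -v jq &> /dev/null; then
  echo "jq could not be found. Please install jq." >&2
  exit 1
fi
if ! command -v az &> /dev/null; then
  echo "Azure CLI (az) could not be found. Please install it." >&2
  exit 1
fi

# Get arguments. The ':-' defaults keep 'set -u' from aborting with
# "unbound variable" before the usage check below can run.
functionAppName="${1:-}"
resourceGroupName="${2:-}"
cosmosAccountName="${3:-}"
cosmosRG="${4:-}"
# Note the space before the closing ']' on the last test; without it the
# test is malformed and only worked by accident.
if [ -z "$functionAppName" ] || [ -z "$resourceGroupName" ] || [ -z "$cosmosAccountName" ] || [ -z "$cosmosRG" ]; then
  echo "Usage: $0 <Function App Name> <FuncApp RG Name> <Cosmos SQL Account Name> <Cosmos RG Name>" >&2
  exit 1
fi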
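#######################################
# Print a message in green (ANSI SGR 32) followed by a reset.
# Arguments: $1 - message text, printed verbatim
# Outputs:   colored message on stdout
#######################################
sayGreen() {
  # printf '%s' instead of 'echo -e': echo -e would interpret backslash
  # sequences inside the message itself (e.g. '\n' in JSON), mangling data.
  printf '\033[0;32m%s\033[0m\n' "$1"
}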
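#######################################
# Print a message in red (ANSI SGR 31) followed by a reset.
# Arguments: $1 - message text, printed verbatim
# Outputs:   colored message on stdout
#######################################
sayRed() {
  # printf '%s' instead of 'echo -e': echo -e would interpret backslash
  # sequences inside the message itself (e.g. '\n' in JSON), mangling data.
  printf '\033[0;31m%s\033[0m\n' "$1"
}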
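# Subscription of the current az login; the role definition ID is built under it,
# so the Cosmos account must live in that subscription.
subscriptionId=$(az account show --query 'id' -o tsv)
# Built-in Cosmos DB SQL role "Cosmos DB Built-in Data Contributor" (...0002).
roleGuid="00000000-0000-0000-0000-000000000002"
roleId="/subscriptions/${subscriptionId}/resourceGroups/${cosmosRG}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/${roleGuid}"

# Get the principal ID (Object ID) of the managed identity associated with the Function App
principalId=$(az functionapp identity show --name "$functionAppName" --resource-group "$resourceGroupName" --query 'principalId' -o tsv)
if [ -z "$principalId" ]; then
  echo "Failed to retrieve principal ID for the Function App." >&2
  # Without a principal the jq filter below can never match; stop here
  # instead of reporting a misleading "role assignment is missing".
  exit 1
fi

# Check if the principal ID has the correct role assignment for the Cosmos SQL account.
# NOTE(review): the match is on principalId and roleDefinitionId only. The
# assignment's scope (account vs. database vs. container) is not checked, and
# the comparison is case-sensitive although Azure resource IDs are treated as
# case-insensitive by the platform — confirm against real 'az' output.
roleAssignments=$(az cosmosdb sql role assignment list --account-name "$cosmosAccountName" --resource-group "$cosmosRG")
if jq -e --arg pid "$principalId" --arg roleId "$roleId" \
    '.[] | select(.principalId==$pid and .roleDefinitionId==$roleId)' <<<"$roleAssignments" &> /dev/null; then
  sayGreen "Role assignment is correct"
else
  sayRed "Role assignment is missing or incorrect for the Function App's managed identity on the Cosmos SQL account."
  sayRed "$principalId"
  # Quoted: unquoted JSON would be word-split and glob-expanded before printing.
  sayRed "$roleAssignments"
  exit 1
fi
# printf rather than 'echo -e': the JSON may contain backslash escapes that
# echo -e would expand.
printf 'function app principal id:\n%s\n' "$principalId"
printf 'roleAssignment:\n%s\n' "$roleAssignments"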