@GONZALORUIZ
Created August 14, 2017 15:06
ACS Kubernetes Granular permissions
#!/usr/bin/env bash
# Create an ACS Kubernetes cluster whose service principal holds only the
# resource-group-scoped roles it needs, instead of the subscription-wide
# Contributor role that "az ad sp create-for-rbac" grants by default.
set -euo pipefail

# env name = lower case, no spaces; it is reused as the resource group,
# service principal, registry and DNS prefix name, so keep it alphanumeric
ENV_NAME=YOUR_ENVNAME
LOCATION=YOUR_LOCATION

# create resource group
az group create -n "${ENV_NAME}" -l "${LOCATION}"
RG_ID=$(az group show -n "${ENV_NAME}" --query id -o tsv)

# create service principal; --skip-assignment suppresses the default
# subscription-scoped Contributor assignment, the scoped roles below replace it
SP_PWD=$(az ad sp create-for-rbac --name "${ENV_NAME}" --skip-assignment --query password -o tsv)
SP_ID=$(az ad sp show --id "http://${ENV_NAME}" --query appId -o tsv)

# assign permissions at the resource group level: the cluster only needs to
# manage its own VMs, disks, load balancers, NSGs and routes in this group
az role assignment create --scope "${RG_ID}" --assignee "${SP_ID}" --role "Virtual Machine Contributor"
az role assignment create --scope "${RG_ID}" --assignee "${SP_ID}" --role "Network Contributor"
# Storage is not needed
# az role assignment create --scope "${RG_ID}" --assignee "${SP_ID}" --role "Storage Account Contributor"

# create registry; --admin-enabled true turns on the shared, static admin login
# (ACR_LOGIN / ACR_PWD below). The cluster itself pulls images with the service
# principal through the role assigned further down, so set this to false unless
# a human or CI job actually needs the admin login.
az acr create -l "${LOCATION}" -g "${ENV_NAME}" --name "${ENV_NAME}" --sku Managed_Standard --admin-enabled true
ACR_LOGIN=$(az acr show -n "${ENV_NAME}" --query loginServer -o tsv)
ACR_PWD=$(az acr credential show -n "${ENV_NAME}" --query 'passwords[0].value' -o tsv)
ACR_ID=$(az acr show -n "${ENV_NAME}" --query id -o tsv)
# assign permissions to the registry only, not the whole resource group;
# Reader suffices for pull-only access, Contributor also allows push and management
az role assignment create --scope "${ACR_ID}" --role Contributor --assignee "${SP_ID}"

# create kubernetes, with the scoped service principal as its cloud-provider identity
az acs create --resource-group "${ENV_NAME}" --name "${ENV_NAME}" --dns-prefix "${ENV_NAME}" --orchestrator-type Kubernetes --service-principal "${SP_ID}" --client-secret "${SP_PWD}" --generate-ssh-keys

# get cluster credentials (merged into ~/.kube/config)
az acs kubernetes get-credentials --resource-group="${ENV_NAME}" --name="${ENV_NAME}"
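The point of the gist is that the cluster's service principal ends up with exactly three role assignments: two at resource-group scope and one on the registry. Below is an added audit script, not part of the original gist, that compares the service principal's actual assignments with that expected set and flags anything broader, in particular an assignment at subscription scope, which is what `az ad sp create-for-rbac` grants when `--skip-assignment` is forgotten. The comparison reads a tab-separated role/scope list on stdin so it can be exercised on constructed input; the `az role assignment list` invocation in the header comment is how the real list is produced, and the subscription id and names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: audit a service principal's role assignments against the
# least-privilege set the gist intends. Not part of the original gist.
# Live use (assumes an `az login` session and the gist's SP_ID / ENV_NAME):
#   SUB_ID=$(az account show --query id -o tsv)
#   az role assignment list --assignee "$SP_ID" --all \
#       --query '[].[roleDefinitionName,scope]' -o tsv \
#     | audit_assignments "$SUB_ID" "$ENV_NAME" "$ENV_NAME"
set -eu
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

# Print the expected "<role><TAB><scope>" lines for a subscription id,
# resource group and registry name (the gist uses ENV_NAME for both names).
expected_assignments() {
  local sub="$1" rg="$2" acr="$3"
  local rg_scope="/subscriptions/${sub}/resourceGroups/${rg}"
  local acr_scope="${rg_scope}/providers/Microsoft.ContainerRegistry/registries/${acr}"
  printf '%s\t%s\n' \
    "Virtual Machine Contributor" "$rg_scope" \
    "Network Contributor" "$rg_scope" \
    "Contributor" "$acr_scope"
}

# Normalise a "<role><TAB><scope>" stream: ARM resource ids are
# case-insensitive, so lowercase everything, drop blank lines, sort uniquely.
normalise() {
  tr '[:upper:]' '[:lower:]' | sed '/^[[:space:]]*$/d' | sort -u
}

# audit_assignments SUB RG ACR   (actual assignment list on stdin)
# Exit status: 0 exact match; 1 missing or extra assignments;
# 2 an extra assignment at subscription scope (no /resourceGroups/ segment),
# i.e. the broad grant that create-for-rbac adds without --skip-assignment.
audit_assignments() {
  local sub="$1" rg="$2" acr="$3"
  local actual expected missing extra status=0
  actual=$(mktemp); expected=$(mktemp)
  normalise > "$actual"
  expected_assignments "$sub" "$rg" "$acr" | normalise > "$expected"
  missing=$(comm -13 "$actual" "$expected")   # only in expected
  extra=$(comm -23 "$actual" "$expected")     # only in actual
  rm -f "$actual" "$expected"
  if [ -n "$missing" ]; then
    printf 'missing assignments:\n%s\n' "$missing"
    status=1
  fi
  if [ -n "$extra" ]; then
    printf 'unexpected assignments:\n%s\n' "$extra"
    status=1
    if printf '%s\n' "$extra" | awk -F'\t' '{ print $2 }' | grep -qv '/resourcegroups/'; then
      echo 'subscription-scoped assignment present: service principal is over-privileged'
      status=2
    fi
  fi
  return "$status"
}
```

Run it right after the gist's role assignments and again after `az acs create`; the second run catches anything the cluster provisioning added. A non-zero status is the signal to remove the extra assignment with `az role assignment delete` before handing out the cluster credentials.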