azure-service-operator
Feature: Reference Managed Identities in Role Assignments
Similarly to Public IP Addresses in Load Balancers, it should be possible to reference a Managed Identity by name in a Role Assignment.
Consider the following:
```yaml
---
apiVersion: managedidentity.azure.com/v1beta20181130
kind: UserAssignedIdentity
metadata:
  name: sample-uai
spec:
  location: Germany West Central
  owner:
    name: dev-sample-rg
---
apiVersion: authorization.azure.com/v1beta20200801preview
kind: RoleAssignment
metadata:
  name: 6a2d44f5-57d8-4916-9f46-ff7c9c1b338f
spec:
  location: Germany West Central
  owner:
    name: samplevnet
    group: network.azure.com
    kind: VirtualNetwork
  principalId: <NOT YET KNOWN>
  roleDefinitionReference:
    armId: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
```
This cannot be applied directly to the cluster, as the principalId of the Managed Identity is not yet known. After creation, it has to be copied manually (!) and applied afterwards.
There is prior art, as a Load Balancer accepts a Kubernetes reference of the form

```yaml
reference:
  name: ...
  kind: ...
  group: ...
```
The principalId is part of the status subresource.
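The resolution step the issue asks for, sketched as an added Go example (not code from azure-service-operator, and not its real types): a RoleAssignment may carry either a literal `principalId` or a hypothetical `principalReference` to a `UserAssignedIdentity`; the reference is resolved from the identity's status subresource, and a still-empty `principalId` yields a distinguishable not-ready error so a reconciler requeues instead of failing. The struct names, the `principalReference` field, the in-memory identity store and all sample values are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-ins for the operator's types. They are assumptions made for
// this example and are NOT the real types in
// github.com/Azure/azure-service-operator.
type ResourceReference struct {
	Group string
	Kind  string
	Name  string
}

type UserAssignedIdentityStatus struct {
	PrincipalId string // populated by the operator after ARM creates the identity
	ClientId    string
}

type UserAssignedIdentity struct {
	Name   string
	Status UserAssignedIdentityStatus
}

// RoleAssignmentSpec carries the two ways of naming a principal that the issue
// contrasts: the existing literal principalId, and a hypothetical
// principalReference (field name chosen for this example).
type RoleAssignmentSpec struct {
	PrincipalId         string
	PrincipalReference  *ResourceReference
	RoleDefinitionArmId string
}

// ErrNotReady signals that the referenced identity exists but its status does
// not carry a principalId yet; a reconciler should requeue rather than fail.
var ErrNotReady = errors.New("referenced identity has no principalId in status yet")

// identityStore stands in for a Kubernetes client Get on UserAssignedIdentity,
// keyed by resource name.
type identityStore map[string]UserAssignedIdentity

// resolvePrincipalId returns the principalId a RoleAssignment should be sent
// to ARM with. A literal principalId is used as-is; otherwise the reference is
// resolved from the identity's status subresource.
func resolvePrincipalId(spec RoleAssignmentSpec, ids identityStore) (string, error) {
	switch {
	case spec.PrincipalId != "" && spec.PrincipalReference != nil:
		return "", errors.New("principalId and principalReference are mutually exclusive")
	case spec.PrincipalId != "":
		return spec.PrincipalId, nil
	case spec.PrincipalReference == nil:
		return "", errors.New("one of principalId or principalReference must be set")
	}
	ref := spec.PrincipalReference
	// Only identities are valid targets; rejecting other kinds up front keeps a
	// typo from silently granting a role to the wrong object.
	if ref.Group != "managedidentity.azure.com" || ref.Kind != "UserAssignedIdentity" {
		return "", fmt.Errorf("unsupported principal reference %s/%s", ref.Group, ref.Kind)
	}
	uai, ok := ids[ref.Name]
	if !ok {
		return "", fmt.Errorf("%s %q not found", ref.Kind, ref.Name)
	}
	if uai.Status.PrincipalId == "" {
		return "", fmt.Errorf("%w: %s %q", ErrNotReady, ref.Kind, ref.Name)
	}
	return uai.Status.PrincipalId, nil
}

// shouldRequeue tells a reconcile loop whether to retry later instead of
// reporting the RoleAssignment as failed.
func shouldRequeue(err error) bool { return errors.Is(err, ErrNotReady) }

func main() {
	// Constructed sample data: the identity from the issue, first before and
	// then after ARM has reported a principalId into its status.
	ids := identityStore{"sample-uai": {Name: "sample-uai"}}
	spec := RoleAssignmentSpec{
		PrincipalReference:  &ResourceReference{Group: "managedidentity.azure.com", Kind: "UserAssignedIdentity", Name: "sample-uai"},
		RoleDefinitionArmId: "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
	}
	if _, err := resolvePrincipalId(spec, ids); err != nil {
		fmt.Println("first reconcile:", err, "requeue:", shouldRequeue(err))
	}
	uai := ids["sample-uai"]
	uai.Status.PrincipalId = "11111111-2222-3333-4444-555555555555" // constructed value
	ids["sample-uai"] = uai
	pid, err := resolvePrincipalId(spec, ids)
	fmt.Println("second reconcile:", pid, err)
}
```

The point of separating `ErrNotReady` from the other failures is that only the "status not populated yet" case is transient: a missing identity, a reference to the wrong kind, or both fields set at once are user errors that should surface on the RoleAssignment rather than be retried forever.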
We totally agree. It's possible we could use something like #2350 for this, or alternatively we could do as you suggest and have special handling like we do for ARM IDs.
Related to #2056