Adding permissions and applying command params

lib/integrations/azureoidc/accessgraph_sync.go

@@ -9,19 +9,22 @@ import (
 	"github.com/google/uuid"
 	"github.com/gravitational/teleport/lib/cloud/provisioning"
 	"github.com/gravitational/teleport/lib/config"
+	"github.com/gravitational/teleport/lib/msgraph"
+	"github.com/gravitational/teleport/lib/utils/slices"
 	"github.com/gravitational/trace"
 	"log/slog"
 	"os"
 )
 
-func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, name string) (*provisioning.Action, error) {
+func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, managedId string, roleName string) (*provisioning.Action, error) {
 	runnerFn := func(ctx context.Context) error {
 		// Create the managed identity
 		userIdCli, err := armmsi.NewUserAssignedIdentitiesClient(subId, cred, nil)
 		if err != nil {
 			return trace.Wrap(fmt.Errorf("could not create managed identity client: %v", err))
 		}
 		id := armmsi.Identity{}
+		userIdCli.Get(ctx)
 		mgdIdRes, err := userIdCli.CreateOrUpdate(ctx, "", name, id, nil)
 		if err != nil {
 			return trace.Wrap(fmt.Errorf("could not create managed identity: %v", err))
@@ -36,15 +39,23 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, n
 		}
 		roleDefId := uuid.New().String()
 		customRole := "CustomRole"
-		// TODO(mbrock): Determine scope
-		scope := ""
+		scope := fmt.Sprintf("/subscriptions/%s", subId)
 		roleDefinition := armauthorization.RoleDefinition{
 			Name: &roleDefId,
 			Properties: &armauthorization.RoleDefinitionProperties{
-				RoleName:    &name,
-				RoleType:    &customRole,
+				RoleName: &roleName,
+				RoleType: &customRole,
 				Permissions: []*armauthorization.Permission{
-					// TODO(mbrock): Add permissions
+					{
+						Actions: slices.ToPointers([]string{
+							"Microsoft.Compute/virtualMachines/read",
+							"Microsoft.Compute/virtualMachines/list",
+							"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
+							"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/list",
+							"Microsoft.Authorization/roleDefinitions/read",
+							"Microsoft.Authorization/roleAssignments/read",
+						}),
+					},
 				},
 				AssignableScopes: []*string{&scope}, // Scope must be provided
 			},
@@ -54,7 +65,7 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, n
 			return trace.Wrap(fmt.Errorf("failed to create custom role: %v", err))
 		}
 
-		// Assign the role to the managed identity
+		// Assign the Azure role to the managed identity
 		roleAssignCli, err := armauthorization.NewRoleAssignmentsClient(subId, cred, nil)
 		if err != nil {
 			return fmt.Errorf("failed to create role assignments client: %v", err)
@@ -65,7 +76,7 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, n
 		}
 		roleAssignParams := armauthorization.RoleAssignmentCreateParameters{
 			Properties: &armauthorization.RoleAssignmentProperties{
-				PrincipalID:      mgdIdRes.ID,
+				PrincipalID:      &managedId,
 				RoleDefinitionID: roleRes.ID,
 			},
 		}
@@ -74,6 +85,12 @@ func newManagedIdAction(cred *azidentity.DefaultAzureCredential, subId string, n
 			return fmt.Errorf("failed to create role assignment: %v", err)
 		}
 
+		// Assign the Graph API permissions to the managed identity
+		graphCli, err := msgraph.NewClient(msgraph.Config{
+			TokenProvider: cred,
+		})
+		graphCli.GetServicePrincipalByAppId()
+
 		return nil
 	}
 	cfg := provisioning.ActionConfig{

lib/msgraph/client.go

@@ -45,6 +45,10 @@ const baseURL = "https://graph.microsoft.com/v1.0"
 // defaultPageSize is the page size used when [Config.PageSize] is not specified.
 const defaultPageSize = 500
 
+// graphAppId is the pre-defined application ID of the Graph API
+// Ref: [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications].
+const graphAppId = "00000003-0000-0000-c000-000000000000"
+
 // scopes defines OAuth scopes the client authenticates for.
 var scopes = []string{"https://graph.microsoft.com/.default"}
 

tool/teleport/common/teleport.go

@@ -514,10 +514,10 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 	integrationConfAccessGraphAWSSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAWSSyncArguments.AutoConfirm)
 
 	integrationConfAccessGraphAzureSyncCmd := integrationConfAccessGraphCmd.Command("azure", "Creates/updates permissions for syncing data into Access Graph service.")
-	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The managed identity runs the discovery service.").Required()
-	integrationConfAccessGraphAzureSyncCmd.Flag("role", "The role attached to the managed identity with the discovery permissions.").Required()
-	integrationConfAccessGraphAzureSyncCmd.Flag("subscription-id", "The subscription ID in which to discovery resources.")
-	integrationConfAccessGraphAzureSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.")
+	integrationConfAccessGraphAzureSyncCmd.Flag("managed-identity", "The managed identity runs the Discovery service.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.ManagedIdentity)
+	integrationConfAccessGraphAzureSyncCmd.Flag("role", "The role attached to the managed identity with the discovery permissions.").Required().StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.Role)
+	integrationConfAccessGraphAzureSyncCmd.Flag("subscription-id", "The subscription ID in which to discovery resources.").StringVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.SubscriptionID)
+	integrationConfAccessGraphAzureSyncCmd.Flag("confirm", "Apply changes without confirmation prompt.").BoolVar(&ccf.IntegrationConfAccessGraphAzureSyncArguments.AutoConfirm)
 
 	integrationConfAWSOIDCIdPCmd := integrationConfigureCmd.Command("awsoidc-idp", "Creates an IAM IdP (OIDC) in your AWS account to allow the AWS OIDC Integration to access AWS APIs.")
 	integrationConfAWSOIDCIdPCmd.Flag("cluster", "Teleport Cluster name.").Required().StringVar(&ccf.