Setup ACME Bot without Azure Active Directory

[armckinney]

Issue Statement:

It is possible that some organizations have locked down their Azure Active Directory for users who are not Account Owners - which means that even if you are an Owner on a Subscription or Tenant, you might not be able to modify Azure AD.
The Getting Started Documentation denotes using an App Service Principal in order to accomplish Authentication and Application Identity resolution, which is not possible in the aforementioned scenario.

Workaround:

The workaround for this is to utilize an external Identity Provider (Google, Github, etc.) for authentication and the Azure Manage Identity for the IAM Roles.

Getting Started Substitution Steps:

3. Enable App Service Authentication

• In the Azure Portal, open the Function blade then select the Authentication menu and enable App Service authentication. Click on the Add identity provider button to display the screen for adding a new identity provider.
• Select an external Identity Provider (i.e. GitHub or Google). Follow the respective steps for your identity provider shown here to finish setting it up.

4. Add access control (IAM) to the target (resources)

Note: A big difference here is that you should assign lowest permissions available to the ACME Bot application - in this case it is directly on the resources being managed, and not on Resource Groups as shown in the Getting Started Docs.

• Assign the following roles on their respective Resources - you should be able to select the ACME Bot's Function App Managed Identity as opposed to the Service Principal that was omitted in Step 3:
  • DNS Zone(s): DNS Zone Contributor
  • Container Apps Environment(s): Contributor
  • Container App(s): Contributor