I'd like to assign a user assigned manage identity a role in resource group scope for Azure Container Instances related operation, such as list containers in a RG, start or stop an container group, is there any build-in role available for this purpose? I searched in the role list, not find any:
Usually,to use a managed identity, that particular identity should have the access granted to following one or more Azure service resources like azure web app, azure key vault(with access policies or roles), or azure storage account in the subscription.
Select Access control (IAM).
and Add role assignment
Select roles , select appropriate role that you want the user identity to
have.
Here i am giving for storage access
To give storage access select storage blob data reader role or
contributer role
Then select the managed identity and select required user managed
identity.
But please note that from Limitations: Enable managed identity in container group - Azure Container Instances | Microsoft Docs
Currently you can't use a managed identity in a container group deployed to a virtual network.
Container groups which are running in Azure Virtual Networks do not support managed identity authentication image pulls with ACR.
If system assigned identity is enabled, then the group must have 'Contributor' role in order to have access to a storage account.
Reference:
use-a-managed-identity | Microsoft Docs
Related
I'm trying to set up the external location for the unity catalog. it was able to connect to storage while trying to test a connection in which storage access is limited to selected vnets and ips. but I'm getting a 403 error while accessing the storage from the notebook even adding the blob contributor access to managed identity. Did I miss anything?
my assumption is since I added a connector to the trusted resources it will bypass the network rules.
Databricks throwing 403 error
The main reason for 403 error is related to authorization issues for accessing azure storage account to avoid access related issues Assign the application to a role, make sure to assign the Storage Blob Data Contributor role to the service principal.
You need to have only (Storage Blob Data Contributor) Role specified on your storage for your service principal. To assign Storage Blob Data Contributor roles using portal follow this link.
I have created demt1 storage account for demo, open Access controls -> Role assignment
 with the access token.
we used an existing storage account while setting up the azure media service.
The Managed Identity of Media Services account must have the Storage Blob Contributor role for the storage account.
To check this in the Azure Portal, first find out which identity set for the storage account by selecting "Storage accounts" from the menu of the Media Services account, this should be either "System-assigned" or the name of a user-assigned Managed Identity. Next, go to the storage account in the portal, select "Access Control (IAM)" from the menu, select "Role assignments" from the toolbar, then add the role assignment. When adding the role assignment, the Role should be set to "Storage Blob Data Contributor" and the Members should be set to the Managed Identity used by the Media Services account to access the storage account. After adding the role assignment, it may take a few minutes for the change to take effect.
Other considerations
Adding the role assignment should fix this issue. If not, the issue may be related to the storage account configuration. Check that the following storage account options are set:
Performance: Standard
Enable hierarchical namespace: Off
Allow Azure services on the trusted services list to access this storage account: Enabled
This option is found in the "Networking" section of the storage portal pages, under "Firewalls and virtual networks", when the "Allow access from" ... "Selected networks" option is selected
I have the following:
Azure App Services in Tenant A
Azure SQL Server in Tenant A
Azure App/Enterprise Registration in Tenant B
The point of this separation was to restrict specific users to the Azure App Services website. How can I get to the point that I can execute this code on my SQL server to grant access to the app registration which sits in Tenant B?
CREATE USER [tenant_b_app_reg] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember [db_datareader], [tenant_b_app_reg];
This post seems similar to my issue (Grant service principal access to application in other tenant), but I cannot follow just the code posting with little context. It is also unclear why we post the same value multiple times object-id-of-sp-in-one-tenant in one command and it is also unclear what role-id is.
• As per your query, the ‘’ is occurring multiple times in the related script because ‘object-id’ and the ‘principal-id’ of the app in one tenant is different as object-id refers to the unique id of the app registered in that tenant and the principal-id refers to the entity that requires access to that application in that tenant or across other tenants. The principal-id refers to the service principal object that defines the access policy and the permissions for that application in the Azure AD tenant.
• Whereas ‘role-id’ is the azure built-in role based on azure role-based access control functionality that is to be assigned to that application or any custom azure role that is created for assigning the scoped access controls and permissions within that concerned role, i.e., may that be ‘contributor’ or ‘user access administrator’.
‘New-AzureADServiceAppRoleAssignment `
-ObjectId <object-id-of-sp-in-one-tenant> `
-Id <role-id> `
-PrincipalId <object-id-of-sp-in-one-tenant> `
-ResourceId <app-id-in-other-tenant>’
• Thus, you can refer to the script in the other thread and replace the object-id and the principal-id with the ones in your environment appropriately. Also, you can try granting database access to a managed identity user in Azure AD for this purpose. You can do this by connecting to a SQL database with a system-assigned managed identity.
• Once, managed identity on app is enabled, grant permissions to that managed identity in SQL Database with the required SQL security role on the SQL prompt. Once done, modify the SQL connection string and publish the changes done. Also, ensure to enter the appropriate app-id and user-id in the powershell commands to assign the managed identity to access SQL database with the enterprise app registration. Please find the below documentation link for more details on creating a managed identity for the SQL DB for an application across the tenants: -
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi?tabs=windowsclient%2Cdotnet
https://learn.microsoft.com/en-us/azure/app-service/tutorial-dotnetcore-sqldb-app?pivots=platform-windows
I am trying to create Azure Kubernetes Service (AKS) with earlier created virtual network (VN) and container registry (ACR).
I am facing below errors.
My user id does not have sufficient permissions to perform this action. Only with basic network settings and no ACR binding, I can create AKS cluster.
Which role, at Active Directory (AD) level and at subscription level, should my user id be having to create this AKS service?
You don't need any permissions on Azure AD level for this to work, but you need Microsoft.Authorization/roleAssignments/write permissions on the adequate scopes to be able to assign permissions. A built-in role of Owner grants that. Otherwise - create a custom role and assign that to your user.
I want to programmatically give an Azure VM a contributor role to another modify things in another resources such as Route tables, Storage accounts.
https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/howto-assign-access-cli
Above msft doc explain how one can give MSI enabled VM a contributor role to Azure Storage Account using Azure CLI. Can someone achieve the same using Azure Python SDK instead of Azure CLI ? Is it possible to achieve the same purpose without enabling MSI?
If you create a Service Principal for your VM, and push somehow the credentials on the VM, you can avoid MSI. But MSI was created on purpose to avoid that, since it's not really a simple process nor safe to push credentials inside a VM.
To assign a role to an Active Directory ID (whatever using MSI or dedicated ServicePrincipal), you can use this code to assign role (using azure-mgmt-authorization package).
https://github.com/Azure-Samples/compute-python-msi-vm#role-assignement-to-the-msi-credentials
# Get "Contributor" built-in role as a RoleDefinition object
role_name = 'Contributor'
roles = list(authorization_client.role_definitions.list(
resource_group.id,
filter="roleName eq '{}'".format(role_name)
))
assert len(roles) == 1
contributor_role = roles[0]
# Add RG scope to the AD id
# This assumes "sp_id" is either a MSI id or a SP id
role_assignment = authorization_client.role_assignments.create(
resource_group.id,
uuid.uuid4(), # Role assignment random name
{
'role_definition_id': contributor_role.id,
'principal_id': sp_id
}
)
Then this AD id will be able to act only on that role and nothing more.