I've created an App and added a resource group. How can I update the service principal and add a second resource group? Also, is it possible to make it subscription-wide access instead of just resource group based?
az ad sp create-for-rbac --name "MyApp" --role contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1}
I can't find any article describing how to do this.
To add an additional resource group you can do this:
az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1} /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup2}
Scope is the set of resources that the access applies to. In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope. The level you select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.
Scope for a role assignment
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-3-identify-the-needed-scope
Related
While adding managed identities to the Keyvault Access Policy is easy
Now there's quite a few VMs that should be given access to the cluster.
It seems possible to select multiple managed identities at once and ascribe the same permissions to them, but I haven't managed to do this yet (ctrl + click, alt + click, selecting multiple... none of them work). I cannot find it in the documentation either; however, it clearly states "selected items" below. How can I achieve this?
You cannot assign many managed identities at once, neither in the Portal nor via the Azure CLI. You will need to assign them one by one, unfortunately.
Usually, the Azure CLI is capable of more jobs, but it accepts only one assignee at a time.
az role assignment create --role
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--resource-group]
[--scope]
[--subscription]
Optional Parameters
--assignee
Represents a user, group, or service principal. Supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--assignee-principal-type
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.
accepted values: Group, ServicePrincipal, User
--condition
Condition under which the user can be granted permission.
--condition-version
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.
--description
Description of role assignment.
--resource-group -g
Use it only if the role or assignment was added at the level of a resource group.
--scope
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Check out Assign a managed identity access to a resource using Azure CLI.
Create a user-assigned managed identity and grant it access to the Key Vault. Then assign the user-assigned managed identity to each VM.
This blog might help.
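The two situations above (one service principal that needs a second resource group or the whole subscription, and several managed identities that must be granted one by one because the CLI takes a single assignee per call) are both loops over az role assignment create. The script below is an added example, not code from the original answers: it builds scope paths for the subscription, resource-group and resource levels and issues one call per (assignee, scope) pair. Every subscription id, object id and resource name in it is constructed, AZ defaults to echo so the commands are only printed (set AZ=az to run them), and "Key Vault Secrets User" is a real built-in role assumed for the vault step, which applies when the vault uses the RBAC permission model rather than access policies.

```shell
#!/bin/sh
# Added example (not from the original answers). Builds RBAC scopes at the
# subscription, resource-group and resource levels and issues one
# "az role assignment create" per assignee and per scope, since the CLI
# takes a single assignee per call. AZ defaults to "echo" so the script
# only prints the commands; run it with AZ=az to execute them for real.
set -eu

AZ="${AZ:-echo}"

# build_scope SUBSCRIPTION_ID [RESOURCE_GROUP [PROVIDER/TYPE/NAME]]
# Prints the scope path. With only the subscription id the scope is the
# whole subscription (the "subscription wide" access asked about above);
# the narrower the scope, the less a leaked credential can reach.
build_scope() {
  scope="/subscriptions/$1"
  if [ -n "${2:-}" ]; then
    scope="$scope/resourceGroups/$2"
  fi
  if [ -n "${3:-}" ]; then
    scope="$scope/providers/$3"
  fi
  printf '%s\n' "$scope"
}

# assign_role ROLE PRINCIPAL_TYPE "OBJECT_ID ..." "SCOPE ..."
# Runs one az call per (assignee, scope) pair and reports the number of
# calls on stderr. --assignee-object-id with --assignee-principal-type
# skips the Graph lookup, as the option help above explains; managed
# identities are passed as their principal id with type ServicePrincipal.
assign_role() {
  role="$1"; ptype="$2"; ids="$3"; scopes="$4"
  calls=0
  for id in $ids; do
    for scope in $scopes; do
      "$AZ" role assignment create \
        --role "$role" \
        --assignee-object-id "$id" \
        --assignee-principal-type "$ptype" \
        --scope "$scope"
      calls=$((calls + 1))
    done
  done
  echo "assign_role: $calls call(s)" >&2
}

# --- demo with constructed, non-real identifiers ---
SUB="00000000-0000-0000-0000-000000000000"           # constructed subscription id
SP_OBJECT_ID="11111111-1111-1111-1111-111111111111"  # constructed SP object id
MI_PRINCIPAL_IDS="22222222-2222-2222-2222-222222222222 33333333-3333-3333-3333-333333333333"

# Contributor for one service principal on two resource groups (the first
# question): two calls, one per scope.
RG_SCOPES="$(build_scope "$SUB" rg-app-1) $(build_scope "$SUB" rg-app-2)"
assign_role Contributor ServicePrincipal "$SP_OBJECT_ID" "$RG_SCOPES"

# A resource-level scope for several managed identities (the Key Vault
# question): one call per identity, since the CLI takes one assignee at a time.
# "Key Vault Secrets User" is an assumed built-in role for the RBAC vault model.
KV_SCOPE="$(build_scope "$SUB" rg-app-1 Microsoft.KeyVault/vaults/kv-app-1)"
assign_role "Key Vault Secrets User" ServicePrincipal "$MI_PRINCIPAL_IDS" "$KV_SCOPE"
```

Run it once with the default AZ=echo and read the printed commands before switching to AZ=az; the dry run is also the quickest way to spot a scope that is wider than intended.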
I assigned a Service Principal to a VNET with
az role assignment create --assignee SP_CLIENT_ID --scope VNET_ID --role Contributor
Where can I review the configuration (Azure portal or cli)?
Update: I was looking for the subnet role assignments, which are a bit hidden under: vNet > Subnets > Managed users > Role assignments.
Where can I review the configuration (Azure portal or cli)?
1. Use Azure portal:
Navigate to the vnet in the portal -> Access control (IAM) -> Role assignments -> search for the name of your service principal like below.
2. Use Azure CLI:
az role assignment list --assignee SP_CLIENT_ID --scope VNET_ID
I have contributor access to a subscription, but I am not able to create an Azure Policy and assign it to a particular resource group under the subscription. What is the role I need to be assigned if I need to create an Azure Policy and apply it at a subscription or a management group level?
According to my research, many Built-in roles grant permission to Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights. Both Contributor and Reader can use all read Azure Policy operations, but Contributor can also trigger remediation. For more details, please refer to the document
According to your need, you can try to use the Resource Policy Contributor role.
Besides, you also can try to create a custom role to meet your needs. Azure Policy has several permissions in two Resource Providers: Microsoft.Authorization and Microsoft.PolicyInsights.
You will require "Owner" role to create Policy Definitions and Policy Assignments.
Please check this documentation which describes the Owner and Contributor roles and what are the Actions and NotActions for these roles.
problem statement
Currently, I am in the process of creating/modifying Azure resources in different subscriptions with the help of Azure Terraform.
error
Principal <appid> does not exist in the directory {destination-tenant-id-for which contribution role required}
Consider the following scenario.
We want to create an Azure AKS cluster in one subscription and, in the same execution, update a DNS zone defined in another subscription. This process works well if both the DNS zone and the AKS cluster are in the same subscription, but it will not work if these two resources are in different subscriptions.
steps taken
Create a service principal without a role assignment:
az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment
Assign the Contributor role to the current SP for the current subscription:
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<sub-id>
Assign the Contributor role to the current SP for a different subscription. It will fail with:
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<diff-sub-id>/<resource-group>....
Please let me know the correct steps to access resources in other subscriptions.
You can assign rights to a service principal on multiple subscriptions; that is not an issue, as the SP sits outside of the subscription: it is in Azure AD.
However, you cannot assign rights to resources in a different Azure AD tenant to the one the service principal sits in, which it sounds like you are trying to do here.
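Since the check that matters is "is the target subscription in the same tenant as the service principal?", it is worth doing it before running az role assignment create rather than decoding the error afterwards. The script below is an added example, not the original answer's code: it takes the subscription-to-tenant table that az account list produces, decides whether a role assignment on a given subscription can succeed for an SP homed in a given tenant, and lists the subscriptions that are eligible. All subscription and tenant ids in it are constructed; fetch_accounts is the only part that needs a signed-in az.

```shell
#!/bin/sh
# Added example, not from the original answer. Before assigning a role on
# another subscription, confirm that the subscription lives in the same
# Azure AD tenant as the service principal: a role assignment cannot reach
# into a different tenant, which is what the "Principal <appid> does not
# exist in the directory" error above is reporting.
set -eu

# Live lookup (needs a logged-in az). Prints "<subscriptionId>\t<tenantId>"
# per subscription visible to the signed-in account.
fetch_accounts() {
  az account list --query '[].[id,tenantId]' -o tsv
}

# Constructed sample of that output; every id below is made up.
SAMPLE_ACCOUNTS="$(printf '%s\t%s\n' \
  11111111-1111-1111-1111-111111111111 aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa \
  22222222-2222-2222-2222-222222222222 aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa \
  33333333-3333-3333-3333-333333333333 bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb)"

# tenant_of SUBSCRIPTION_ID ACCOUNTS_TSV -> prints the tenant id, or nothing
# when the subscription is not in the table.
tenant_of() {
  printf '%s\n' "$2" | while read -r sid tid; do
    if [ "$sid" = "$1" ]; then
      printf '%s\n' "$tid"
      break
    fi
  done
}

# can_assign SP_TENANT_ID SUBSCRIPTION_ID ACCOUNTS_TSV
# Succeeds only when the subscription is known and sits in the SP's tenant.
can_assign() {
  t="$(tenant_of "$2" "$3")"
  [ -n "$t" ] && [ "$t" = "$1" ]
}

# same_tenant_subscriptions TENANT_ID ACCOUNTS_TSV -> subscription ids that a
# service principal homed in TENANT_ID can be granted roles on.
same_tenant_subscriptions() {
  printf '%s\n' "$2" | while read -r sid tid; do
    if [ "$tid" = "$1" ]; then
      printf '%s\n' "$sid"
    fi
  done
}

# --- demo with the constructed table ---
SP_TENANT="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # constructed: tenant the SP was created in
for target in 22222222-2222-2222-2222-222222222222 33333333-3333-3333-3333-333333333333; do
  if can_assign "$SP_TENANT" "$target" "$SAMPLE_ACCOUNTS"; then
    echo "ok:   $target is in the SP's tenant; a role assignment at /subscriptions/$target can succeed"
  else
    echo "skip: $target is in another tenant or unknown; the assignment would fail with 'Principal does not exist in the directory'"
  fi
done
echo "subscriptions eligible for this SP:"
same_tenant_subscriptions "$SP_TENANT" "$SAMPLE_ACCOUNTS"
```

With real data, replace the sample with ACCOUNTS="$(fetch_accounts)" and take the SP's tenant from az account show --query tenantId -o tsv while signed in to the account that created it. A subscription that fails this check needs a service principal created in its own tenant, not a wider role on the existing one.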
I am assigned an owner role in my Employer's Azure subscription. He was able to create resource groups, but I can't. We're both wondering why since I was already assigned as Owner, the highest role aside from subscription level.
When I try the az group create --name myGroup -l southeastasia command, its response is
The client 'live.com#<myAccount>#outlook.com' with object id '<object ID>'
does not have authorization to perform action 'Microsoft.Resources/subscriptions/
resourcegroups/write' over scope '/subscriptions/<subscription>/resourcegroups/<myGroup>'.
Edit: I have no subscription level resources
Do you have multiple subscriptions in your tenant? If yes, you should set it.
# list subscriptions
az account list --output table
# change the active subscription
az account set --subscription "My Demos"
If you only have one subscription, I suggest you create an SP, then use the SP to create a new resource group. See this link.
Update:
You should give the Owner role at the subscription level. According to your screenshot, you gave the Owner role on a resource group, so you can only create resources in that resource group; you cannot create a new resource group. You should give the Owner role on your subscription, like below:
Note: This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners Contributor rights at the subscription level, which contradicts their strategy of isolating access down to the resource group level rather than the subscription level.
For the root cause and a quick resolution, refer to "Common problem when using Azure resource groups & RBAC".
Well, the error clearly says you don't have rights over the scope, so you are either Owner of the wrong subscription or you have a role that specifically restricts that.
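The answers above all come down to one rule from the first answer on this page: a role assignment applies at its own scope and at every scope beneath it. The script below is an added example, not code from any of the answers: it turns that rule into a path-prefix check and runs it over a constructed table shaped like the output of az role assignment list --all --query '[].[principalId,roleDefinitionName,scope]' -o tsv (the CLI route for reviewing assignments that an earlier answer mentions). All principal ids, subscription ids and group names are made up.

```shell
#!/bin/sh
# Added example, not part of the original answers. A role assignment applies
# at its own scope and at every scope beneath it (lower levels inherit from
# higher ones), so whether an assignment lets you act on a target scope is a
# path-prefix question. That is why Owner on one resource group does not let
# you create a new resource group: the target scope
# /subscriptions/<sub>/resourcegroups/<newGroup> sits under the subscription,
# not under the existing group.
set -eu

# Lower-case and strip trailing slashes; Azure compares scopes case-insensitively.
norm_scope() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's:/*$::'
}

# scope_covers ASSIGNMENT_SCOPE TARGET_SCOPE -> 0 if the assignment reaches the
# target. Matching is per path segment, so /.../rg does not cover /.../rg2.
# The tenant root scope "/" normalises to "" and therefore covers everything.
scope_covers() {
  a="$(norm_scope "$1")"
  t="$(norm_scope "$2")"
  if [ "$t" = "$a" ]; then
    return 0
  fi
  case "$t" in
    "$a"/*) return 0 ;;
  esac
  return 1
}

# Constructed sample shaped like
#   az role assignment list --all --query '[].[principalId,roleDefinitionName,scope]' -o tsv
# (one assignment per line, tab separated). Ids and names are made up.
SAMPLE_ASSIGNMENTS="$(printf '%s\t%s\t%s\n' \
  11111111-1111-1111-1111-111111111111 Owner  /subscriptions/S1/resourceGroups/rg-existing \
  11111111-1111-1111-1111-111111111111 Reader /subscriptions/S1 \
  22222222-2222-2222-2222-222222222222 Owner  /subscriptions/S1)"

# covering_assignments PRINCIPAL_ID TARGET_SCOPE ASSIGNMENTS_TSV
# Prints "<role> at <assignment scope>" for each of the principal's
# assignments whose scope reaches TARGET_SCOPE. Fields are split on tabs so
# role names containing spaces survive.
covering_assignments() {
  tab="$(printf '\t')"
  printf '%s\n' "$3" | while IFS="$tab" read -r pid role scope; do
    if [ "$pid" = "$1" ] && scope_covers "$scope" "$2"; then
      printf '%s at %s\n' "$role" "$scope"
    fi
  done
}

# --- demo: the scope from the error message above, with a constructed group name ---
TARGET="/subscriptions/S1/resourcegroups/myGroup"
echo "assignments for principal 1111... that reach $TARGET:"
covering_assignments 11111111-1111-1111-1111-111111111111 "$TARGET" "$SAMPLE_ASSIGNMENTS"
# Only the Reader assignment at /subscriptions/S1 reaches the target. The Owner
# assignment on rg-existing does not, so resourcegroups/write is denied, which
# is exactly what the error reports; Owner or Contributor at /subscriptions/S1
# would be needed for that action.
```

When the list printed for your own principal and target scope contains nothing with write rights, the fix is an assignment at the subscription (or management group) scope, as the accepted answer says, and not a wider role on the resource group you already own. Run az role assignment list --all --query '[].[principalId,roleDefinitionName,scope]' -o tsv to produce a real table in the same shape.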