I am trying to assign an identity a role to read/write to cosmos db. I run this command:
az role assignment create \
--assignee <sp_object_id> \
--role "00000000-0000-0000-0000-000000000002" \
--scope "/subscriptions/<subscriptionId>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmos-db-name>"
This is the error I get back:
The specified role definition with ID '00000000000000000000000000000002' does not exist.
I have tried with the role name to no avail. I have tried the GUI, but this role is not visible anywhere there.
How can I assign this role?
The RBAC on Azure Cosmosdb is built similar to Azure RBAC where there is more granular control on the data operations instead of Azure resource management. The permission model describes in detail.
During implementations where SDK are used to interact with the dataplane (e.g, writing data or reading data), the application should be provided with granular data level permissions. Data plane level permission cannot be given from the portal.
Following command provides "data contributor" permissions on the "container1" within the database but only "data reader" on "container2" within the same database
az cosmosdb sql role assignment create --account-name ${{ variables.cosmosdbAccountName }} --resource-group ${{ variables.resourceGroupName }} --role-definition-name "Cosmos DB Built-in Data Contributor" --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerOneName }}" --principal-id $(umiObjectId)
az cosmosdb sql role assignment create --account-name ${{ variables.cosmosdbAccountName }} --resource-group ${{ variables.resourceGroupName }} --role-definition-name "Cosmos DB Built-in Data Reader" --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerTwoName }}" --principal-id $(umiObjectId)
Again above example only shows usage of built-in CosmosDB Data Plane RBAC, it is good practice to have custom roles for more fine grained access within each container.
NOTE: Azure CosmosDB data containers are not Azure Resources, meaning cannot be created by Azure Resource Model (ARM). So this permission model fulfills the authorization need with many security benefits
It seems ordinary role commands do not work for cosmosdb, and this command should be used instead:
az cosmosdb sql role assignment create
Related
When I issue the following command:
az storage entity query --account-name acc1 --table-name table1
I successfully get my query result with the following warning:
There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.
You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.
In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.
To avoid above warning, I add --auth-mode login to the command:
az storage entity query --account-name acc1 --table-name table1 --auth-mode login
Then I get this error:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"
If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.
My account is able to get the query result without --auth-mode login switch. Why it fails authorization with the switch?
When you don't specify the authentication type, it will try yo get the access key of the storage account:
This requires Microsoft.Storage/storageAccounts/listkeys/action permission. If you have contributor role oier the storage account, you have the required permission.
--auth-mode login means it will use AAD auth to connect to the storage. You can use of the built-in roles to access the storage (see documentation):
Storage Table Data Contributor
Storage Table Data Reader
When using AAD Auth, you could also disable access key authentication.
There is an good article related to RBAC management and data plane model:
Assign an Azure role for access to blob data.
I get an ERROR: The request did not have a subscription or a valid tenant level resource provider. when trying to create a service principal via the azure cli under the scope of an Azure Iot Hub. I'm using the CLI (bash) but python would be sufficient, too.
As shown at end, i have correct credentials & rights to create sp's in this subscription, and i have owner rights to the iot hub in question.
In case i'm missing a better way to accomplish this, here is the context: We need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This does many things to customize the flashed filesystem (add unique device hostname & local passwords, for instance); and finally it needs to register the device with IotHub.
az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled
With my user permissions, i can az login and accomplish all of this - but it needs to run in an automated job with no interactive login. I believe service principal is the way to accomplish this (?).
Thus, attempting to create the principal I run:
# the following pulls a valid(looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)
az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv
which fails with the following as above (Note: contributor is too broad, will be a custom-role later):
WARNING: Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.
as a test to ensure i have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal.
ACR_ID="$(az iot hub show --name TheAcrName --query id)
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv
This was caused by a bug in the azure CLI. az iot hub show is returning an improperly quoted string; az acr show for example does not.
az iot hub show --name your-iothub-name --query id returns a string like the following. both quotes " are in the original
'"/subscriptions/guid/.../IotHubs/your-iothub-name"'
az acr show --name your-acr-name --query id returns the same format string, but without the extra ' quoting.
"/subscriptions/.../registries/your-acr-name"
az iot hub device-identity create cannot deal with the '"..."' (understandable) but unfortunately doesn't fail cleanly, making this a bit difficult to track down as quoting blends in a bit for script output.
there are some directories in StorageV2 (general purpose v2) as shown below
My role is contributor I want to give access for a user to read W the directory named '2000' and all its subdirectories How can I do this? Is this possible with Powershell.
It would be really nice if you can help
You can do this with the Azure CLI which can be run in Powershell. You should be able to do this as a contributor with the az role assignment create command.
Keep in mind that permissions with this command are granted at the container scope. Data Lake storage could be used to give folder level permissions. Blob storage doesn't actually have folders, it's just displayed that way so that it is easier to navigate.
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee <email> \
--scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"
I want to give an Azure Managed Identity access to the Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:
that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API)
I would prefer to get this working under az-cli
I tried...
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId")
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id")
az role assignment create --role $roleId --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope $graphId --assignee-principal-type MSI
But this results in... "The request did not have a subscription or a valid tenant level resource provider."
I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?
It is not possible to assign a service principal(MSI) to an application role currently, all commands here.
The az role assignment create is to add the user/service principal/group to the azure resource as an RBAC role, not that you want, it equals the steps in this link.
Besides, if you want to use the azure CLI instead of powershell because of the cross-platform issue. You could try the powershell core, it is cross-platform, refer to this link to install AzureAD.Standard.Preview module in it, then you will be able to use the AzureAD commands.
problem statement
currently, I am in the process to create/modify azure resources in the different subscription with the help of azure terraform.
error
Principal <appid> does not exist in the directory {destination-tenant-id-for which contribution role required}
consider the following scenario.
we want to create Azure AKS cluster in one subscription and in same execution, we want to update DNS define in another subscription. this process works well if we are having both i.e. DNS zone and aks cluster in the same subscription but it will not work if these two resources in the different subscription.
steps taken
create service principal without assignment
az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment
assign contributor role for current sp for current subscription
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<sub-id>
*assign contributor role to current sp for a different subscription. it will fail with *
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<diff-sub-id>/<resource-group>....
please let me know correct steps to access resources in another subscriptions
You can assign rights to a service principal to multiple subscriptions, that is not an issue, as the SP sits outside of the subscription, it is in Azure AD.
However, you cannot assign rights to resources in a different Azure AD tenant to the one the service principal sits in, which it sounds like you are trying to do here.