Azure Policy Exclusion if Owner or Contributor - azure

Looking for a way to create an Azure policy which denies based on a policy rule, but does not deny if you are an Owner on the policy assignment scope, or if the assignment scope is a specific AAD group (ideally a name wildcard match).
Azure Policy Info:
The working policy denies role assignments if the role definition ID is not within the parameter values.
The Desire:
A specific role definition ID is denied on a role assignment attempt if it does not match the whitelist; however, role assignment attempts are NOT denied if you are an Owner on the scope, or, if that is not possible, if the assignment scope is an AAD group whose name matches a wildcard or regex.
The issue:
We have successfully denied all role assignments if the role definition was not allowed in the Azure policy.
We, the admins, are in turn now being blocked by the policy when attempting to assign custom roles that are not on the allowed role definitions list.
These custom roles not on the allowed list are being assigned to AAD groups.
Not sure if we can create some kind of exclusion if you are an owner, or maybe for the AAD group naming convention (customer-group-*).
Summary:
We need this Azure policy to deny customers the ability to assign any RBAC role that does not match a role definition ID on the allowed list, but we as the admins, who will have the 'Owner' or 'Contributor' role, need to still be able to assign roles not on the allowed list.
I have not been able to stratify a solution via either Azure Policy or RBAC to achieve this.

Azure Policy is not "user-aware", so you cannot exclude based on roles.
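The deny policy the question describes, written out as an added Terraform example (it is not code from the question or the answer). It denies any role assignment whose role definition is not in an allow-list parameter, and the assignment shows the only exemption lever Policy has, which is scope (not_scopes), since the rule evaluates the request and never the caller. The policy names, the subscription ID, the admin-managed resource group used as a not_scope and the allow-listed role definition IDs are placeholders; it is also assumed that the roleDefinitionId alias is compared as a full role definition resource ID, which is how the allow-list entries are written below.

```hcl
# Added example: custom Azure Policy definition that denies role assignments
# whose role definition is not on an allow-list, plus a subscription-scope
# assignment. Names, subscription ID, resource group and role definition IDs
# are placeholders.

resource "azurerm_policy_definition" "deny_unlisted_roles" {
  name         = "deny-role-assignments-not-in-allowlist"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Deny role assignments for role definitions not on the allow-list"

  parameters = jsonencode({
    allowedRoleDefinitionIds = {
      type = "Array"
      metadata = {
        displayName = "Allowed role definition IDs"
        description = "Resource IDs of role definitions that may be assigned"
      }
    }
  })

  # Assumption: the alias carries the role definition's full resource ID, so the
  # allow-list must hold full IDs rather than bare GUIDs. Nothing here inspects
  # the principal making the request; Policy cannot.
  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Authorization/roleAssignments"
        },
        {
          field = "Microsoft.Authorization/roleAssignments/roleDefinitionId"
          notIn = "[parameters('allowedRoleDefinitionIds')]"
        }
      ]
    }
    then = {
      effect = "deny"
    }
  })
}

resource "azurerm_subscription_policy_assignment" "deny_unlisted_roles" {
  name                 = "deny-unlisted-roles"
  subscription_id      = "/subscriptions/00000000-0000-0000-0000-000000000000" # placeholder
  policy_definition_id = azurerm_policy_definition.deny_unlisted_roles.id

  parameters = jsonencode({
    allowedRoleDefinitionIds = {
      value = [
        # Built-in Reader and Contributor, with a placeholder subscription prefix.
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      ]
    }
  })

  # The only exclusion available is by scope: a resource group reserved for
  # admin-managed assignments is carved out here. Any assignment made inside
  # customer scopes is still denied no matter who makes it.
  not_scopes = [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/admin-managed-rg",
  ]
}
```

A practical consequence: if admins must assign unlisted custom roles at the same scopes customers use, no not_scope helps, and the admin assignments have to be made by a pipeline or identity that runs while the policy assignment is disabled or by applying the role assignments through a scope that the policy does not cover.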

Related

Difference between google_project_iam_binding and google_project_iam_member

Hi terraform mates out there
I want to automate the role assignment process for service accounts and users on the Google Cloud Platform. I am actually thinking of creating IAM custom roles to get fine-grained roles for the Terraform resources of different services, and assigning that role to the users or service accounts I want.
Checking the way to associate which members get which roles, I am actually wondering what the difference is between using google_project_iam_binding and using google_project_iam_member resources.
My current understanding could fall on using google_project_iam_binding to grant roles to service accounts and google_project_iam_member for user accounts, but I am not sure, since in the documentation they use both to associate user accounts.
I also found this interesting article https://binx.io/nl/2021/12/16/how-to-name-your-google-project-iam-resources-in-terraform/
As you know, Google IAM resources in Terraform come in three flavors:
google_project_iam_policy to define a complete policy for the project.
google_project_iam_binding to define all the members of a single role.
google_project_iam_member to define a single role binding for a single principal.
I didn't know the previous sentence and I would like to deep dive into the way I can use policies and IAM roles in a better way for my purpose.
As the documentation states:
google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
google_project_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
This means that google_project_iam_binding will grant a role to a list of members, and revoke it from any other member.
So if your project had two users, e.g. jane@example.com and joe@example.com, who both have roles/editor on the project, running the following Terraform snippet will revoke roles/editor from joe@example.com as it's not present in the member list of google_project_iam_binding:
resource "google_project_iam_binding" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  members = [
    "user:jane@example.com",
  ]
}
However, if you have for example jane@example.com and joe@example.com who both have roles/editor on the project, and you want to add a new editor (someone@example.com) without affecting the other roles/users, you can use google_project_iam_member:
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:someone@example.com"
}
Notes from the documentation:
google_project_iam_policy cannot be used in conjunction with google_project_iam_binding, google_project_iam_member, or google_project_iam_audit_config or they will fight over what your policy should be.
google_project_iam_binding resources can be used in conjunction with google_project_iam_member resources only if they do not grant privilege to the same role.
See:
Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals
https://discuss.hashicorp.com/t/difference-between-google-project-iam-binding-and-google-project-iam-member/49645/2
https://github.com/hashicorp/terraform-provider-google/issues/8354
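An added Terraform example, not from the question, the answer or the linked threads, that puts the non-authoritative rule to work for the asker's use case (custom roles granted to users and service accounts): one google_project_iam_member per (role, principal) pair, generated from a single map, so removing a principal destroys only that one resource and never rewrites the role's whole member list. The project ID, the custom role, and the principals are placeholders. The map also makes it easy to enforce the documentation's constraint that a role managed here is never also managed by a google_project_iam_binding.

```hcl
# Added example: per-principal, non-authoritative grants driven by one map.
# "your-project-id", the custom role and all principals are placeholders.

locals {
  project_id = "your-project-id"
}

# A fine-grained custom role, referenced below in the
# projects/{project}/roles/{role_id} form that IAM expects for project roles.
resource "google_project_iam_custom_role" "bucket_object_reader" {
  project     = local.project_id
  role_id     = "bucketObjectReader"
  title       = "Bucket object reader (custom)"
  permissions = ["storage.objects.get", "storage.objects.list"]
}

locals {
  # Single source of truth: role -> list of principals. Any role that appears
  # here must not also be the target of a google_project_iam_binding.
  role_members = {
    "roles/viewer" = [
      "user:jane@example.com",
      "user:joe@example.com",
    ]
    "projects/${local.project_id}/roles/${google_project_iam_custom_role.bucket_object_reader.role_id}" = [
      "serviceAccount:reporting@your-project-id.iam.gserviceaccount.com",
    ]
  }

  # Flatten to one object per (role, member) so for_each has a stable,
  # human-readable key such as "roles/viewer|user:joe@example.com".
  role_member_pairs = {
    for pair in flatten([
      for role, members in local.role_members : [
        for member in members : { role = role, member = member }
      ]
    ]) : "${pair.role}|${pair.member}" => pair
  }
}

resource "google_project_iam_member" "grant" {
  for_each = local.role_member_pairs

  project = local.project_id
  role    = each.value.role
  member  = each.value.member
}
```

Deleting joe@example.com from the roles/viewer list plans exactly one destroy (the "roles/viewer|user:joe@example.com" instance) and leaves jane and anyone granted the role outside Terraform untouched; the same edit under a google_project_iam_binding would rewrite the entire member list of roles/viewer.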

What is the role assigned to the creator of the resource in Azure

We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
I can see that whatever resource I create, I still inherit the Contributor role only. But ideally, I should get the Owner role for the resources I create!!
What am I missing here? Can you please route me to a relevant document, if any? I don't see clear information on this.
Let's say, by default, all users are given a very restrictive role -> the 'Reader' role for all the resources.
Now, a user can have all sorts of roles on the resources created by him.. so does this work in Azure?
We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
You will get the Contributor role. Because you did not explicitly assign any role on the resource you created, you will inherit the role from the parent.
But ideally, I should get the Owner role for the resources I create!! What am I missing here?
In order to get the Owner role for the resource you created, someone with the Owner or User Access Administrator role needs to grant you that role on the resource you created. You cannot grant yourself a higher role.
Let's say, by default, all users are given a very restrictive role -> the 'Reader' role for all the resources. Now, a user can have all sorts of roles on the resources created by him.. so does this work in Azure?
Explicit role assignment needs to be performed at the resource level.

Is there a way to give a user the Owner role at subscription scope, but deny/read access to resource groups not made by him?

I want to invite a guest user in Azure with permissions so that he could do whatever he wants in the subscription scope with the Owner role, but he couldn't view other resource groups that he didn't make, or would just be able to read them.
Currently that's not possible. Deny assignments are limited to a couple of resource types.

ADF Shared SHIR permissions

I'm trying to configure an ADF self-hosted integration runtime to be shared with another ADF in the same RG. I'm getting the following error (I removed the ID specifics):
Error occurred when grant permission to [Object-ID]. Error: {"error":{"code":"AuthorizationFailed","message":"The client [My-Username] with object id [object-id] does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/[object-id]/resourcegroups/DataEngineering-RG/providers/Microsoft.DataFactory/factories/[Data Factory Name]/integrationRuntimes/[IR-Name]/providers/Microsoft.Authorization/roleAssignments/[Role Object ID]' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Question: what role is required for me to be able to perform this action, and at what level does that access need to be granted (e.g. subscription level, RG level, ADF level)?
Note: I have Azure Data Factory Contributor level access currently.
Thanks in advance
what role is required for me to be able to perform this action
You need the Owner or User Access Administrator role (maybe other roles; just check this doc and see the JSON of each role: if the actions include Microsoft.Authorization/roleAssignments/write, it will be able to do the operation).
You can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions; it depends on your requirements.
and at what level does that access need to be granted (e.g. subscription level, RG level, ADF level)?
The three levels are all correct.
RBAC roles in Azure are inherited, e.g. if you assign the Owner role to your user account at the subscription, the account will also have the Owner role in all the resource groups/resources of the subscription. But if you just assign the user account at the ADF level, it will not be able to access other resources in the subscription.
So to fix the issue, just navigate to the ADF mentioned in the error message / the RG / the subscription in the portal -> Access control (IAM) -> Add -> add your user account as e.g. the Owner role, then it will work fine.
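The custom-role option mentioned in the answer, as an added Terraform example (not code from the question or the answer): a role that carries only the roleAssignments read/write actions, assignable solely at the factory, so the data engineer who already holds Data Factory Contributor can share the integration runtime without being made Owner or User Access Administrator of the resource group. The subscription ID, resource group, factory name and principal object ID are placeholders.

```hcl
# Added example: least-privilege custom role for sharing an ADF integration
# runtime. Subscription ID, resource group, factory name and principal object
# ID are placeholders.

locals {
  subscription_id = "00000000-0000-0000-0000-000000000000"
  factory_id      = "/subscriptions/${local.subscription_id}/resourceGroups/DataEngineering-RG/providers/Microsoft.DataFactory/factories/adf-shared"
}

resource "azurerm_role_definition" "ir_sharer" {
  name        = "Integration Runtime Sharer"
  scope       = "/subscriptions/${local.subscription_id}"
  description = "Can create and read role assignments on a specific data factory"

  permissions {
    # Exactly the action named in the AuthorizationFailed message, plus read so
    # the holder can see what has already been granted.
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
    ]
    not_actions = []
  }

  # Restrict where the role may be assigned. roleAssignments/write lets its
  # holder grant any role (including Owner) within the scope it is assigned at,
  # so the assignable scope is pinned to the one factory.
  assignable_scopes = [local.factory_id]
}

resource "azurerm_role_assignment" "ir_sharer" {
  scope              = local.factory_id
  role_definition_id = azurerm_role_definition.ir_sharer.role_definition_resource_id
  principal_id       = "11111111-1111-1111-1111-111111111111" # placeholder object ID
}
```

The scope in the error message is the integration runtime under the factory, and because assignments inherit downward, an assignment at the factory covers it. Keep in mind that even at factory scope this permission is an escalation path: whoever holds it can make themselves Owner of the factory, which is why it should be granted to a person or group rather than embedded in a broadly shared service principal.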

Azure Resource Group Access

How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription, out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user for Azure, they have no permissions at all against any subscriptions; logging into the portal will present an empty view with no resources.
If you give that user the Reader permission, they will then be able to read any resource in the subscription, but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.
There is no built-in role that has an explicitly defined resourceGroups/write or resourceGroups/* permission.
The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.
This means that only Contributors and Owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroups/write.
So, to answer your question, to limit a user to only being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription, out of which the user should be able to access only 3 resource groups where the user can do their operations.
The above is possible with the following steps:
Add the user to the subscription. Don't assign any role at subscription level for this user.
Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) property) through role assignment.
The above two configurations will enable the user to only view and operate on the three explicit resource groups; other resource groups will not appear in the Azure portal.
Best practice would be to add the user to a security group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to the Contributor role. Repeat for each resource group.
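The layout the answers above describe, as an added Terraform example (not code from any of the answers): a security group gets Contributor on exactly three resource groups and nothing at subscription scope, which is what keeps the other seven out of the portal. The last block is the resource-scoped Owner grant that the earlier "role assigned to the creator" thread asks about, which an Owner or User Access Administrator has to apply for the creator because it is never added automatically. The subscription ID, resource group names, group and user object IDs and the storage account ID are placeholders.

```hcl
# Added example: scoped role assignments for a group, and a single
# resource-level Owner grant. All IDs and names are placeholders.

locals {
  subscription_id         = "00000000-0000-0000-0000-000000000000"
  team_group_object_id    = "22222222-2222-2222-2222-222222222222"
  allowed_resource_groups = toset(["app-dev-rg", "app-test-rg", "app-shared-rg"])
}

# Resolve the three permitted resource groups; the remaining groups in the
# subscription are simply never referenced.
data "azurerm_resource_group" "allowed" {
  for_each = local.allowed_resource_groups
  name     = each.key
}

# Contributor on each permitted resource group only. Deliberately no
# azurerm_role_assignment in this configuration has
# scope = "/subscriptions/${local.subscription_id}"; a Reader there would
# already reveal every resource group.
resource "azurerm_role_assignment" "team_rg_contributor" {
  for_each = data.azurerm_resource_group.allowed

  scope                = each.value.id
  role_definition_name = "Contributor"
  principal_id         = local.team_group_object_id
}

# Resource-scoped Owner for the person who created one resource. Azure does not
# grant this on creation; the creator keeps only what the parent scope gives.
resource "azurerm_role_assignment" "creator_owner" {
  scope                = "/subscriptions/${local.subscription_id}/resourceGroups/app-dev-rg/providers/Microsoft.Storage/storageAccounts/stappdev001"
  role_definition_name = "Owner"
  principal_id         = "33333333-3333-3333-3333-333333333333" # placeholder creator object ID
}
```

To confirm nothing leaks through the subscription, `az role assignment list --assignee <group-object-id> --scope /subscriptions/<id>` should return an empty list; only the three resource-group-scoped entries should appear when the same command is run with `--all`.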
