How to deploy an ARM Template without granting ownership over the entire subscription? - azure

I want to use a service principal to deploy a single ARM template to our Azure account.
I cannot find documentation for how to grant the least possible privilege, but it appears the only way to make this work is to grant contributor on the subscription.
Is there a way to limit the role on my service principal to only deploy ARM Templates or at the very least limit it to a single resource group?

Actually, for each template you can figure out the minimum possible permissions by looking at the template: they would be resourcetype + /write, plus the permission to create deployments, Microsoft.Resources/deployments/write.
But it's really easier to just give a person Contributor over the resource group. If you are concerned about security you can use Privileged Identity Management in Azure AD.
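
The derivation the answer above describes, worked through as an added example (not code from the original post): read every resource type out of a template, including nested child resources, turn each into its `/write` action, add `Microsoft.Resources/deployments/write`, and package the result as a custom role that is assignable only at one resource group, plus the matching role assignment body for a service principal. The template, subscription id, resource group name and role name are constructed placeholders. One addition beyond the answer: the matching `/read` actions are included as well, because the deployment client polls the deployment and reads back the resources it created; pass `include_reads=False` to get the bare minimum the answer states.

```python
import json
import uuid

# Constructed sample template (not from the original post): an App Service plan,
# a web app with a nested deployment slot, and a storage account.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Web/serverfarms", "apiVersion": "2022-03-01", "name": "plan"},
        {
            "type": "Microsoft.Web/sites", "apiVersion": "2022-03-01", "name": "app",
            "resources": [
                # Nested child: written as a single type segment, qualified by the parent.
                {"type": "slots", "apiVersion": "2022-03-01", "name": "staging"},
            ],
        },
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "name": "stg"},
    ],
}


def resource_types(template):
    """Fully qualified type of every resource in the template, descending into nested
    child resources ("slots" under Microsoft.Web/sites -> Microsoft.Web/sites/slots)."""
    found = set()

    def walk(resources, parent_type=None):
        for res in resources:
            rtype = res["type"]
            if parent_type and "/" not in rtype:
                rtype = f"{parent_type}/{rtype}"
            found.add(rtype)
            walk(res.get("resources", []), rtype)

    walk(template.get("resources", []))
    return found


def minimum_actions(template, include_reads=True):
    """<type>/write for each resource plus the deployment write, as the answer says.
    include_reads is an addition here: the client polls the deployment and reads the
    created resources, so the matching /read actions are normally needed too."""
    actions = {f"{t}/write" for t in resource_types(template)}
    actions.add("Microsoft.Resources/deployments/write")
    if include_reads:
        actions |= {a[: -len("/write")] + "/read" for a in list(actions)}
    return sorted(actions)


def resource_group_scope(subscription_id, resource_group):
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def custom_role_definition(role_name, template, scope):
    """Body for PUT /subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{guid}
    (api-version 2022-04-01). assignableScopes pins the role to the one resource group,
    so nobody can later hand it out at subscription level."""
    return {
        "properties": {
            "roleName": role_name,
            "description": "Deploy one ARM template into one resource group",
            "type": "CustomRole",
            "permissions": [{
                "actions": minimum_actions(template),
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
            "assignableScopes": [scope],
        }
    }


def role_assignment(role_definition_id, principal_object_id):
    """Body for PUT {scope}/providers/Microsoft.Authorization/roleAssignments/{guid}
    (api-version 2022-04-01). principalType avoids the replication-delay failure seen
    when assigning a role to a freshly created service principal."""
    return {
        "properties": {
            "roleDefinitionId": role_definition_id,
            "principalId": principal_object_id,
            "principalType": "ServicePrincipal",
        }
    }


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # hypothetical subscription id
    scope = resource_group_scope(sub, "app-rg")
    role_id = f"/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{uuid.uuid4()}"
    print(json.dumps(custom_role_definition("ARM Deployer (app-rg)", SAMPLE_TEMPLATE, scope), indent=2))
    print(json.dumps(role_assignment(role_id, "<object id of the service principal>"), indent=2))
```

The assignment is scoped to the resource group, and the role's `assignableScopes` is the same resource group, so even a later mistake cannot widen the service principal's reach to the subscription.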

In the Access control (IAM) section under a resource group you can make the service principal you created 'Contributor'. This will make sure that that user can only deploy resources within that resource group. This way the account doesn't need any permissions on the subscription level.
When you go to the Access control section click Add, and select "Add role assignment".
In the panel that shows you can select the role "Contributor" and look up the service principal you created.
Then click 'Save' to finish and you should be good to go.
I tend to make service connections (with separate service principals) in DevOps per environment; this makes it clear what resources you can touch and prevents people from accidentally deploying to incorrect locations from a pipeline because they typed in the wrong resource group name.

Related

How to create a user in the Azure portal with read-only access to all resources in all subscriptions?

I want to create a user in the Azure portal with read-only access to all resources in all of my subscriptions.
This user should not be able to modify anything in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions, and this user should not be able to modify anything on the tenant.
So the best way is to add that user with the Global Reader role (can read everything that a Global Administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this would help you.
This only covers Azure Active Directory resources. If you are trying to give read-only access to Azure SUBSCRIPTION resources, add the users to the Azure role "Reader".
The best recommendation here will be to add users with the Reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App making requests to the Management API. Reference here. So in your Logic App you basically get a list of subscriptions, then iterate over them and make the RBAC role assignment request for each of the subscriptions and for your given user(s).

Blocking RBAC inheritance

I'm creating subscriptions in Azure with a number of RBAC roles assigned: hosting team and project team. The hosting team should have full access to everything, and the project team should have full access to everything barring a few exceptions, e.g. no access to the 'Networking' resource group (although they are allowed to create their own resource group(s) containing networking). We have set the RBAC Owner for the project team at the subscription level, but in doing so, this also allows them to fully manage the restricted areas.
In principle the 'deny' assignments in the Azure portal would fit our needs; however, they are currently only available for Azure Blueprints. Any ideas?
Block inheritance doesn't exist yet; your only option is to carefully craft and assign custom RBAC roles or carefully assign built-in roles (so never at subscription level, only at resource group level).
Or use Azure Blueprints; it appears they added support for that there.

Azure role that can't create resources

I want to find or create an Azure role that has the same capabilities as an Owner, or at the very least a Contributor. But this role should not have access to create Azure resources.
I've been going through the pre-defined roles that exist.
This makes no sense in an Azure RBAC context. You can't edit but not create resources, because this is governed by the same permission: resource/write.
You can achieve something like that by having a role that can do anything except writes, but that would mean that it cannot edit resources, which is not what you are after, probably.
Technically you can grant Contributor permissions on each individual resource; that way the user won't be able to create new resources, only modify existing ones (he would be able to delete the resource).
I have the same requirements, and I managed to configure it by taking the Contributor role as a base and adding
"Microsoft.Resources/*/write"
in the notActions section of the role JSON configuration.
What it does is prevent deployments; every resource creation is a deployment.
As far as I have tested, every "edit" operation on resources works, even deployment slot creation for Web Apps, but you can disable that too if you need.
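
To make the two preceding answers concrete (the "Blocking RBAC inheritance" answer, which says assignments made at subscription level reach every resource group beneath them, and the answer just above, which carves `Microsoft.Resources/*/write` out of Contributor), here is an added example that models how Azure evaluates an action request: a role permits an action when it matches some `Actions` pattern and no `NotActions` pattern, `*` matches any run of characters including `/`, names are compared case-insensitively, an assignment applies to a resource when its scope is the resource or a parent of it, and the result is the union over all of the principal's assignments. This is a model written for this page, not Azure's own code; the built-in role definitions are abridged to the relevant `NotActions`, deny assignments are not modelled, and the subscription id, resource group names and principals are constructed.

```python
import re

# Built-in roles, abridged to the NotActions relevant here (Contributor's real list is longer).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # The custom role from the answer above: Contributor with deployments excluded.
    "Contributor-NoDeploy": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Resources/*/write",
        ],
    },
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # hypothetical subscription
NET_RG = SUB + "/resourceGroups/networking"
APP_RG = SUB + "/resourceGroups/app-rg"

# Constructed assignments: the project team as Owner at subscription scope (what the
# inheritance question did), the same team as Contributor on one resource group
# instead, and a principal holding the custom no-deploy role.
ASSIGNMENTS = [
    {"principal": "hosting-team", "role": "Owner", "scope": SUB},
    {"principal": "project-team-sub-owner", "role": "Owner", "scope": SUB},
    {"principal": "project-team", "role": "Contributor", "scope": APP_RG},
    {"principal": "editor", "role": "Contributor-NoDeploy", "scope": APP_RG},
]


def _matches(pattern, action):
    """RBAC action pattern match: '*' matches any characters (including '/'), case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(role, action):
    """A role permits an action if some Actions pattern matches and no NotActions pattern does."""
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role.get("notActions", []))
    return allowed and not excluded


def scope_covers(assignment_scope, resource_id):
    """Inheritance: an assignment applies to a resource if its scope is the resource or a
    parent of it. Compared segment by segment so 'app-rg' does not cover 'app-rg2'."""
    a = assignment_scope.rstrip("/").lower().split("/")
    r = resource_id.rstrip("/").lower().split("/")
    return r[: len(a)] == a


def effective_allowed(roles, assignments, principal, action, resource_id):
    """Union over the principal's assignments. There is no 'block inheritance', so a
    subscription-level assignment reaches every resource group under it."""
    return any(
        asg["principal"] == principal
        and scope_covers(asg["scope"], resource_id)
        and role_permits(roles[asg["role"]], action)
        for asg in assignments
    )


if __name__ == "__main__":
    hub_vnet = NET_RG + "/providers/Microsoft.Network/virtualNetworks/hub"
    site = APP_RG + "/providers/Microsoft.Web/sites/app"
    deployment = APP_RG + "/providers/Microsoft.Resources/deployments/d1"
    checks = [
        ("project-team-sub-owner", "Microsoft.Network/virtualNetworks/write", hub_vnet),
        ("project-team", "Microsoft.Network/virtualNetworks/write", hub_vnet),
        ("editor", "Microsoft.Web/sites/write", site),
        ("editor", "Microsoft.Web/sites/delete", site),
        ("editor", "Microsoft.Resources/deployments/write", deployment),
    ]
    for principal, action, target in checks:
        print(f"{principal:24} {action:45} {effective_allowed(ROLES, ASSIGNMENTS, principal, action, target)}")
```

The run shows the point of both answers: the subscription-level Owner edits the hub virtual network in the restricted group while the resource-group-scoped Contributor cannot, and the no-deploy role can still update and delete an existing web app but fails the deployment write that creation goes through.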

Sharing resource groups on Microsoft Azure

I am trying to share a resource group in Microsoft Azure, but the users I give ownership/admin privileges to can't see the resources or resource group within their Azure portal (I grant permissions on the resource group). Am I missing something in granting permissions? I checked that both users are admins in the Active Directory too, but I'm not entirely sure if that matters.
The resource group only contains a simple WebApp, Gateway and associated SQL server/database. The main Azure account and the other azure account are both under the same Azure subscription (BizSpark).
I am new to Azure, so thanks for any help!
Turns out I was being silly and didn't change directories. Thanks BenV!
Make sure the other users have selected your directory from the drop-down in the top-right corner of the portal. – BenV

Only give PS access to a specific VM?

I have a VM running in Azure which I would like the client to be able to turn on/off easily. I thought this would be simple: just a PS script that performs a startup/shutdown/deallocate. But it seems I can't generate an "Azure Publish Settings" file that only gives access to that VM? At the moment it seems I can only control this at the subscription level?
The Azure Publish Settings file basically contains the access information for an entire Azure subscription. It does not specify access to a specific resource (e.g. VM) but to all resources inside of a subscription.
To limit access to a subset of resources in Azure, you should be looking at the new role-based access (RBAC) functionality, which is available in the Azure preview portal and the latest Azure PowerShell cmdlets.
How it works is that you create an Azure resource group, to which you can assign roles with specific rights, and to this role you can then assign individual users.
Check the following Azure documentation link for details on how to do this.
