I have assigned with Owner role to a resource group. I am unable to create a new resource group.
For creating a resource group whether I need owner/contributor role to subscription?
And When a user is assigned with Owner and Reader role, which role controls the user access?
OP asks for RBAC permissions necesssary to create a new resource group. #jason-ye suggests subscription Owner role. This is more permissions than necessary hence not a good answer for production or related environments.
Per Built-in roles for Azure resources, Contributor role on subscription is sufficient to create all resources, including resource groups. Following are the permissions assignments for Contributor role, "*" means everything, some things are explicitly denied:
Actions
*
NotActions
Microsoft.Authorization/*/Delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/elevateAccess/Action
Microsoft.Blueprint/blueprintAssignments/write
Microsoft.Blueprint/blueprintAssignments/delete
I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.
Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.
However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation
Microsoft.Resources/subscriptions/resourceGroups/write
which would provide the least privileges to achieve the desired result.
Here is how you do that.
create a file newrole.json and add below text.
Create role with below command
New-AzRoleDefinition -InputFile newrole.json
{
"Name": "XXX ReadOnly",
"Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"IsCustom": false,
"Description": "Lets you view everything, Create Resource Groups but not make any changes.",
"Actions": [
"*/read",
"Microsoft.Resources/subscriptions/resourceGroups/write"
],
"NotActions": [
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/id"
]
}
Azure provides four levels of scope (ordered from high to low): management groups, subscriptions, resource groups, and resources.
You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment. For more info, check here
Create a new Role and assign at subscription level with below permissions.
Everything is read at subscription level, but you can create the resourcegroups
"*/read", "Microsoft.Resources/subscriptions/resourceGroups/write"
Assign owner permission to the user at the resourcegroups they want to manage.
I have assigned with Owner role to a resource group. I unable to
create new resource group.
It is a by design behavior because the owner permission works for that resource group, not for the subscription.
If you want to grant create resource group permission to that account, we can set it here:
Grant the owner permission of this subscription to that account, in this way that account will have permission to create new resource group.
Note: If we grant owner permission of this subscription to that account, that account will get all permission of all resource group.
Related
there is use-case I am looking for solution. Assume I am assigning RBAC - Owner role to user(xxx) at subscription level. But now I need to exclude this permission to one of the resource group under this Subscription. Is that feasible?
No. Azure RBAC permissions cannot be removed like that.
Owner at subscription level means Owner on all resource groups and resources under it.
You need to assign the roles at resource group level if you want to restrict them there.
The other option is to separate the resources to a different subscription.
I would like to give members of a specific role the ability to create resource groups. Can this be achieved without giving users the co-owner role at the subscription level?
You can grant them contributor rights on the specific Azure subscription, they don't have to be co-owner. This is the least-privilege built-in role available that allows you to create resource groups.
However, you could also create a custom role with only one action:
Microsoft.Resources/subscriptions/resourceGroups/write
Read more here: Custom roles for Azure resources
We currently have a Packer enterprise application that is running with the Contributor Role at the subscription level.
However, we feel that the application has too much scope. Instead we would like to give it Contributor level access for just one resource group.
Therefore, Packer would be able to create its temporary resources for creating images in just one resource group and would not need permissions for anything else in the subscription.
I created a custom role via JSON as follows: (I've changed to example subscription ID and resource names)
{
"assignableScopes": [
"/subscriptions/123456789/resourceGroups/packer"
],
"description": "Custom role for packer app, with granular permssions for packer resource group",
"id": "/subscriptions/123456789/providers/Microsoft.Authorization/roleDefinitions/123456-1234-1234-1234-12345678",
"name": "123456-1234-1234-1234-12345678",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "PackerRole",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
I then created the role using Azure CLI:
az role definition create --role-definition PackerRole.json --subscription 123456789
However, I do not know how to assign it to the Packer application. It can't be assigned and doesn't appear at the subscription scope -- presumably because the custom role only has a scope of 1 resource group.
I've tried going to Azure Active Directory --> App Registrations --> Packer, but there is nowhere here to assign my custom created role. The 'Roles and Administrators' tab gives me no clarity as none of our custom roles are here, and creating a new role only seems to allow Permission actions in the format of microsoft.directory/applications/
Viewing the Managed Application page for this app provides no answers either, only allowing for User and Group assignment.
I've scoured the documentation but haven't found anything relevant to this use case so far.
You shouldn't need a custom role for this. The Contributor role is built-in and can be assigned to any scope. The reason your custom role can't be seen is that you're missing the "isCustom": true setting from the root of the object.
If you wish to assign contributor at the resource group level, you can use the Portal, PowerShell, Azure CLI, or even the REST APIs. This is known as a role assignment.
Since you seem to be using the CLI, you can assign the role at the RG scope as follows:
Assuming your application is running using a service principal:
az role assignment create --assignee <packer-service-principal> --role Contributor --scope /subscriptions/123456789/resourceGroups/packer --assignee-principal-type ServicePrincipal
If you want to use the Portal, you can go to Resource Groups -> packer -> Access control (IAM) -> Role assignments -> Add
I have a Subscription in my company that is shared for all members of the team (all employees).
We use this subscription for test, dev and also production workloads.
We have only one subscription because it is a sponsored subscription thanks to our MS partnership, so we don't want to create other subscriptions.
I want to restrict the access to a particular resource group that will host production resources where sensible data will be managed.
Because all members of the teams are contributor in the subscription level, they have access to all resource group and I can't remove them from the resource group.
So how can I proceed if I want to revoke their access to the resource group and allow them to use all other resource groups?
So how can I proceed if I want to revoke their access to the resource
group and allow them to use all other resource groups?
AFAIK, Only way to do so is remove the users role (Contributor) at the subscription level and assign them at each resource group (other than production resource group). If a user has a higher role (say Contributor) at subscription level, then you can't assign a lower role (say Reader) at resource group level.
Essentially with Azure RBAC, when you grant access at a parent scope, those permissions are inherited to the child scopes.
You can read more about Azure RBAC here: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-rbac-works.
I am assigned an owner role in my Employer's Azure subscription. He was able to create resource groups, but I can't. We're both wondering why since I was already assigned as Owner, the highest role aside from subscription level.
When I try the az group create --name myGroup -l southeastasia command, its response is
The client 'live.com#<myAccount>#outlook.com' with object id '<object ID>'
does not have authorization to perform action 'Microsoft.Resources/subscriptions/
resourcegroups/write' over scope '/subscriptions/<subscription>/resourcegroups/<myGroup>'.
Edit: I have no subscription level resources
Do you have multiple subscriptions in your tenant? If yes, you should set it.
##list subscription
az account list --output table
##change the active subscription
az account set --subscription "My Demos"
If you only have a subscription, I suggest you could create a sp, then use the sp to create a new resource group. See this link.
Update:
You should give Owner role on subscription level, according to your screenshot, you give Owner role on resource group role, you only create resources in the resource group. You also could not create new resource group. You should give Owner role to your subscription,like below:
Note: This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners contributor rights on the subscription level which contradicts with their strategy of isolating access down to the level of resource group level not the subscription level.
For root cause and quick resolution, refer "Common problem when using Azure resource groups & RBAC".
Well, the error clearly says you dont have rights over the scope, so you are either owner of the wrong sub or you have a role that specifically restricts that.