Architecture Resources in Azure Resource Manager - azure

We are developing applications in .NET and deploying them to Azure App Services. We currently have a multi-tier environment (QA/STG/PROD). In order to replicate the same environments we are using slots. However, the issue with slots is that all developers who have access to the QA slot are able to view/modify STG/PROD slot settings. We want to segregate this with authorization, wherein users should only be able to publish apps to QA. Should we still use slots, or should we go with separate web apps?

As suggested in one of the comments, you can use RBAC (Role-Based Access Control) to control user permissions on the web app/slots.
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can’t grant access to others.
Reader can view existing Azure resources.
So, you could add the developers as a Reader on the web app and as a Contributor on one of the slots. This will prevent changes to the web app.
Further, you can customize the RBAC to suit your requirements.
You can create a role with custom
Refer to this article:
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
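To see why the Reader-on-app plus Contributor-on-slot layout works, the following is an added illustration (not code from the original answer and not Azure's authorization service): a small model of the documented RBAC evaluation rules, in which an assignment applies to its scope and everything beneath it, and an operation is allowed when some applicable role lists it under Actions and not under NotActions. The role definitions are abbreviated, the subscription and app names are placeholders, and the real assignments would be made in the portal, CLI or PowerShell.

```python
"""Model of how Azure RBAC decides an operation: a role assignment applies to
its scope and every resource beneath it, and an operation is allowed when at
least one applicable role lists it under Actions and not under NotActions.
Constructed illustration of the documented evaluation rules, not Azure's
authorization service; role definitions are abbreviated, IDs are placeholders."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated built-in role definitions (the Actions/NotActions Azure publishes).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [  # a Contributor cannot hand out access to others
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group or service principal
    role: str       # key into ROLES
    scope: str      # resource ID the assignment is made on


def scope_covers(scope: str, resource_id: str) -> bool:
    """Assignments inherit downward: the scope must equal the resource ID or be an ancestor of it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")  # segment boundary, so 'app' does not cover 'app2'


def matches(pattern: str, operation: str) -> bool:
    """Operation patterns are case-insensitive and '*' spans '/' separators."""
    return fnmatchcase(operation.lower(), pattern.lower())


def is_allowed(assignments, principal: str, operation: str, resource_id: str) -> bool:
    """True if any assignment for the principal at a covering scope grants the operation."""
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, resource_id):
            continue
        role = ROLES[a.role]
        if any(matches(p, operation) for p in role["Actions"]) and not any(
            matches(p, operation) for p in role["NotActions"]
        ):
            return True
    return False  # no applicable assignment grants it


# Placeholder IDs (constructed): one web app with a QA and an STG slot.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/contoso-app"
QA_SLOT = APP + "/slots/qa"
STG_SLOT = APP + "/slots/stg"

# The answer's layout: Reader on the web app, Contributor on the QA slot only.
ASSIGNMENTS = [
    Assignment("dev-group", "Reader", APP),
    Assignment("dev-group", "Contributor", QA_SLOT),
]


def effective_permissions(principal: str = "dev-group") -> dict:
    """What the developers can and cannot do under ASSIGNMENTS."""
    checks = {
        "view web app": ("Microsoft.Web/sites/read", APP),
        "view STG slot": ("Microsoft.Web/sites/slots/read", STG_SLOT),
        "publish to QA slot": ("Microsoft.Web/sites/slots/publish/action", QA_SLOT),
        "change QA slot settings": ("Microsoft.Web/sites/slots/config/write", QA_SLOT),
        "change STG slot settings": ("Microsoft.Web/sites/slots/config/write", STG_SLOT),
        "change production settings": ("Microsoft.Web/sites/config/write", APP),
        "grant others access to QA": ("Microsoft.Authorization/roleAssignments/write", QA_SLOT),
    }
    return {name: is_allowed(ASSIGNMENTS, principal, op, rid) for name, (op, rid) in checks.items()}


if __name__ == "__main__":
    for name, ok in effective_permissions().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

The Reader assignment is inherited by every slot, so developers can still see STG and PROD, but the only write permission they hold is scoped to the QA slot; the Contributor NotActions also stop them from granting anyone else access. The model does not cover deny assignments or data actions, and slot swaps are separate operations on the site and slot that should be checked the same way before relying on this layout.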

You can go with slots. Each slot gets a separate URL, and you could control access to the slots by authenticating using AD.
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

Related

Azure Landing Zone: What are all the BuiltInRoles to be assigned? Especially for Management Groups, Subscriptions, Vnets, Gateways, VMs, SA, SQL

Currently, I am working on establishing enterprise-scale landing zones for the Cloud Adoption Framework in Azure.
Azure has a list of built-in roles defined, as mentioned in this article - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.
It is unclear to me which role should be assigned to which resource, especially for the resources below:
Management Groups
Subscriptions
Vnets
Gateways
VMs
Storage Accounts
SQL databases
Can you suggest which roles should be assigned when provisioning any of the resources listed above?
The Cloud Adoption Framework is not about putting some roles on some arbitrary resources. You have to look at the framework in terms of hierarchical levels. Each hierarchical level has its own purpose and therefore uses its own set of permissions to deploy the resources needed for that particular step. I referenced some role-mapping templates from aztfmod (Terraform + CAF) so that you get an idea of the role/permission structure.
Level 0: Core platform automation
Billing subscription role delegation (source)
Credential role mappings (source)
Launchpad role mappings (source)
Level 1: Core platform governance
Level 2: Core platform connectivity
ASVM role mappings (source)
Level 3: Application landing zones vending machine
Level 4: Applications landing zone
If you understand the levels correctly, you are able to infer what permissions are needed at which stage of the deployment of the CAF framework. For example:
Level 0 is initiated by a user who is a tenant administrator and an Enterprise Agreement (EA) user; besides that, it needs to be the owner of the initial "launchpad" subscription.
From there, this user will create service principals for each of the other stages of the deployment, and delegate permissions according to the principle of least privilege.
Key vaults and key vault policies are used to exchange sensitive information like credentials between steps.
Each platform step (automation, governance, connectivity) is then run by its own service principal with its own specific set of permissions set on a specific scope (management group, subscription, resource group).
When all the platform components are in place you'll be able to provision custom landing zones, where you'll again create service principals that are scoped to a single subscription. These service principals are able to deploy resources only within that landing zone.
Etc.
I would not recommend setting up CAF or the permissions by hand, because it will become a pain in the ass to maintain. You could, for example, use aztfmod, a Terraform implementation of CAF. If you follow the steps as described here, you'll create Terraform configuration to deploy a CAF setup.

Azure RBAC Custom Roles

I am currently trying to work out a roles and rights concept. Azure RBAC already has a few built-in roles, but I am trying to create a few more custom roles. Are custom roles directly linked to RBAC? And does anyone have any suggestions as to which roles I should definitely add? I'm not familiar with all applications in Azure at the moment since I have only been working with Azure for a few weeks, so I would appreciate some suggestions. I am also trying to understand the hierarchy and structure behind Azure RBAC.
If anyone has worked out such a concept themselves or works a lot with Azure RBAC, feel free to share your experiences or results!
Azure role-based access control (Azure RBAC) helps manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Create your own custom roles. Just like built-in roles, assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Azure Automation Privileges

I have two subscriptions.
On one subscription I run Logic Apps, and on the Logic Apps I have Azure Functions.
The other subscription contains the target resources for the automation via Logic Apps and Azure Functions.
In order to run the Logic Apps and the Azure Functions associated with them, what privileges do I need on the target subscription? I want to be able to do things like stop VMs, change NSG settings, run malware scans, etc.
Do I need to run the Logic App using an account that has Owner permissions on both subscriptions?
Regards,
Kelly
It's best to use a service principal for centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either set up Managed Identity or use the Client Credentials Flow with the service principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
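Where a built-in role such as Virtual Machine Contributor grants more than the automation needs, the answer's last suggestion is a custom role. The following is an added example (not code from this answer or from Azure) that drafts such a role for the service principal described in the question (stop/start VMs, edit NSG rules on the target subscription) and lints it for over-privilege before it is created; it also illustrates the custom-role section above. The JSON shape is the one `az role definition create --role-definition @role.json` accepts, the operation names are real Azure operations, and the subscription ID, role names and the required-operation list are constructed for the example.

```python
"""Draft a least-privilege custom Azure role for an automation service
principal and lint it before creation. Constructed example: the dict shape is
what `az role definition create --role-definition @role.json` accepts, the
operation names are real Azure operations, the subscription ID is a placeholder."""
import json
from fnmatch import fnmatchcase

# Placeholder: the subscription that holds the VMs and NSGs the automation acts on.
TARGET_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"

# Exactly the operations the Logic App / Function needs, and nothing more.
AUTOMATION_ROLE = {
    "Name": "Automation VM and NSG Operator (custom, example)",
    "IsCustom": True,
    "Description": "Stop/start VMs and edit NSG rules from Logic Apps and Functions.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [TARGET_SUB],
}

# An over-broad draft, constructed for contrast: a wildcard grant assignable at the root.
LAZY_ROLE = {
    "Name": "Automation Everything (custom, example)",
    "IsCustom": True,
    "Description": "Far more than the automation needs.",
    "Actions": ["*"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

# Operations the automation actually calls (constructed list); the role must grant all of them.
REQUIRED_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
]

# Operations that let a principal widen its own access; the role must not grant them.
ESCALATION_OPERATIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
]


def grants(role: dict, operation: str) -> bool:
    """True if Actions cover the operation and NotActions do not (case-insensitive, '*' spans '/')."""
    op = operation.lower()
    allowed = any(fnmatchcase(op, p.lower()) for p in role["Actions"])
    denied = any(fnmatchcase(op, p.lower()) for p in role.get("NotActions", []))
    return allowed and not denied


def lint_role(role: dict, required=REQUIRED_OPERATIONS, target_scope: str = TARGET_SUB) -> list:
    """Return a list of findings; an empty list means the draft passes the checks."""
    findings = []
    for pattern in role["Actions"]:
        if "*" in pattern:
            findings.append(f"wildcard action '{pattern}': enumerate the exact operations instead")
    for op in ESCALATION_OPERATIONS:
        if grants(role, op):
            findings.append(f"grants '{op}': the principal could widen its own access")
    for op in required:
        if not grants(role, op):
            findings.append(f"missing '{op}': the automation would fail at runtime")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty: Azure requires at least one scope")
    t = target_scope.lower()
    for s in scopes:
        if not (s.lower() == t or s.lower().startswith(t + "/")):
            findings.append(f"AssignableScopes '{s}' is wider than the target subscription")
    return findings


def role_json(role: dict) -> str:
    """Serialise the draft for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for r in (AUTOMATION_ROLE, LAZY_ROLE):
        print(r["Name"], "->", lint_role(r) or ["ok"])
    print(role_json(AUTOMATION_ROLE))
```

The lint is the review step a practitioner would run in CI before the role is created and assigned to the service principal at the target subscription (or, narrower still, at a resource group): it rejects wildcards, any path to `Microsoft.Authorization` writes, and assignable scopes wider than the subscription the automation actually targets, while confirming the role still covers the operations the Logic App calls.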

Best practice on Azure and access controls

I need to give a colleague access to a development Azure portal so that he can learn how to create web bots. As he has no experience of Azure, I don't want to throw him in at the deep end, so I would rather use RBAC, but I can't quite see which roles would be best to apply. I had been thinking about creating a resource group and then scoping the 'Contributor' role assignment to the group, but would like to find a more granular approach where the types of resources the user can create are restricted, e.g. excluding VMs and SQL Server.
When you deploy a bot, these resources are typically created in the Azure portal:
Web App
App Service
App Service plan
Application Insights
Storage account
If you wanted to get really granular, you could assign your colleague these built-in roles, as these are the typical services deployed with a bot:
Web Plan Contributor
Website Contributor
Storage Account Contributor
Application Insights Component Contributor
Another approach would be to go the resource group route and assign a policy to audit the creation of services, so you can give your colleague more room to test.

Does an Azure Cloud Service Publishing Profile Exist?

I need to assign publish permission to one of my developers so that he is able to publish to only one cloud service and does not affect others.
Azure Websites have this concept called download publishing profile.
I could not find anything similar for cloud services. Can it be achieved?
As you know, the Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2).
It is not possible as of today. It seems that it should be possible with Resource Groups and Role-Based Access Control (RBAC); however, currently cloud services can't be added to resource groups and assigned RBAC.
One way you could achieve this is to have a custom application consuming the Service Management API and implement your own RBAC in that application. However, it is still a "hack" and not a proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization. But to get what you want for now, publishing from source control should do the trick.