Run an arbitrary Azure provider operation - azure

In the Azure CLI resource manager, we can list providers and their operations.
azure provider list
azure provider operations show Microsoft.Web/sites/*
How do we run one of the listed operations? For instance, how would we run this:
Operation : Microsoft.Web/sites/sourcecontrols/web/Read
OperationName : Get Web App's source control configuration
ProviderNamespace : Microsoft Web Apps
ResourceName : Web App Source Control
Description : Get Web App's source control configuration settings.

The purpose of azure provider operations show is to display operations that are supported by the various providers so that you can use them to create custom Role Based Access Control (RBAC) roles. They are not actual commands or endpoints that can be executed.
To create a custom RBAC role, you first create a JSON file describing the role and operations allowed by the role, then pass the file to azure role create.
More details here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-azure-cli/#create-a-custom-role

Related

How to create custom RBAC/ABAC role in Azure?

The requirement is to create access package with few roles so that the users can perform below activities:
Read & write access to data stored in a given blob container ('abc' blob container).
Role to access azure data factory to build pipeline, process & load the data to a staging area (to Blob container or SQL server).
DDL & DML and execute permission role to access the data/database in SQL server environment.
I was referring to Azure RBAC and built-in roles but am unable to get a clear idea considering the above points.
My question is, are there any built-in roles for this, OR do I need to create a custom role? And how do I create a custom role (for the above requirements) considering baseline security?
Is there any way I can get additional actions, by referring to which I can write custom JSON scripts?
Also, are RBAC roles possible for SQL Server in a VM? If yes, how?
Additionally, if I have both a PaaS instance of SQL Server and a VM instance of SQL Server (that is, SQL Server in a VM), how will the RBAC roles be managed for both?
According to your requirements, please go through the workarounds below to see if they are helpful:
Read & write access to data stored in a given blob container ('abc' blob container).
You can make use of a built-in role like Storage Blob Data Contributor, which allows operations like reading, writing and deleting Azure Storage containers and blobs. If you want to know more in detail, go through this reference.
Role to access Azure Data Factory to build a pipeline, process & load the data to a staging area (to a Blob container or SQL Server).
You can make use of a built-in role like Data Factory Contributor, which allows operations like creating and managing data factories, as well as child resources within them. Those child resources include pipelines, datasets, linked services… With this role, you can build a pipeline, process and load the data. If you want to know more in detail, go through this reference.
DDL & DML and execute permission role to access the data/database in a SQL Server environment.
You can make use of a built-in role like SQL Server Contributor, which allows operations like managing SQL Servers and databases. If you want to know more in detail, go through this reference.
If you want to create a custom role for all these, make sure you have Owner or User Access Administrator role on the subscription. You can create a custom role in 3 ways:
Clone a role – You can make use of existing roles and modify the permissions by adding and deleting them according to your need.
Start from scratch – In this, you must add all permissions you need manually by picking them from their providers and excluding the permissions you don’t need.
Start from JSON – Here, you can just upload a JSON file that you create separately, including all needed permissions in the Actions variable and excluded permissions in the notActions variable. If the permissions are related to data, then add them to DataActions and notDataActions based on your need. In Assignable scope, you can include the scope where the role should be available, i.e., subscription or resource group as per need.
Considering baseline security, it is always suggested to give read permissions only. But as you need write permission for the blob container and for building the pipeline, you can add only those (read/write) in the Actions section and the remaining ones (delete) in the NotActions section.
If you want to add additional actions, simply include those permissions in the Actions section of the JSON file and make sure to give read permissions on resource groups.
A sample custom role JSON file for your reference:
{
  "assignableScopes": [
    "/"
  ],
  "description": "Combining all 3 requirements",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/***************************",
  "name": "**********************",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*"
      ],
      "notActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Custom Role Contributor",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
Reference:
Azure custom roles - Azure RBAC | Microsoft Docs
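The first answer's point (provider operations are permission strings consumed by role definitions, not commands) and the custom-role JSON above can be checked together: the script below, an added example rather than code from either answer, evaluates whether a role definition permits a given operation using Azure RBAC's documented semantics (Actions minus NotActions, DataActions minus NotDataActions, `*` matching any characters including `/`, case-insensitive), and flags the two least-privilege caveats a reviewer would raise against the sample. The role definition embedded here is a constructed, trimmed-down copy of the sample; it is not a real role.

```python
import re

# Constructed, trimmed version of the sample role in the answer above (not a real role definition).
SAMPLE_ROLE = {
    "assignableScopes": ["/"],
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Sql/servers/*",
        ],
        "notActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
            "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
        ],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "notDataActions": [],
    }],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/'; names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_permitted(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True if the operation is granted by Actions/DataActions and not excluded by NotActions/NotDataActions."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def lint_role(role: dict) -> list:
    """Least-privilege findings: root assignable scope and blanket control-plane wildcards."""
    findings = []
    if "/" in role["assignableScopes"]:
        findings.append("assignableScopes contains '/': scope the role to a subscription or resource group")
    for perm in role["permissions"]:
        for p in perm.get("actions", []):
            if p.endswith("/*"):
                findings.append(f"blanket wildcard action {p}: enumerate the operations actually needed")
    return findings
```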

Azure Blueprints deployment permissions when linking template specs in another subscription

I am setting up Blueprints using linked template specs that are deployed in a common subscription. The Blueprints are published to a management group so I can deploy the same set of resources to multiple subscriptions. Blueprints without using the linked template specs are working fine, but trying to assign a blueprint that uses linked template specs to a subscription different from the one the template specs are deployed to fails due to permission issues accessing the template specs. What permissions and what user need to be set on the template spec resource group so the Blueprint can access the template specs?
As a note this is using system assigned identity in the blueprint assignment.
When you use a system assigned MSI that MSI is given permissions to the sub the assignment is assigned to... so if your templateSpecs are in a different sub you won't be able to use a system assigned identity unless the templateSpecs are replicated to the sub for assignment. Not ideal...
If you use a userAssigned identity on the BP assignment then you can make sure that identity has perms to the templateSpecs beforehand.

How to authorize Azure Logic App connector to ACI in separate resource group

I'm trying to create an Azure Logic App that uses a connector to ACI to run a container group. I was able to get it running correctly by creating a connector in the Logic App designer in the Azure Portal. However, the designer currently only supports connectors in the same resource group as the logic app. I would like to use a single connector for logic apps in multiple resource groups, so I need to use a connector from a different resource group. Logic Apps appear to support this just fine as long as you edit the code directly instead of using the visual designer. I am able to create the connector just fine, and the app is able to connect to it, however I am not able to authorize the connector properly. When I go to the connector and attempt to authorize it, the process works fine and it says that it is connected. However, when I then try to run the Logic App, I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/YYY/'. It must match the tenant 'https://sts.windows.net/XXX/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/XXX' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}
XXX and YYY are two different tenant-ids. However, XXX is the tenant ID I get when I run az account show on my machine and in the Azure Cloud Shell. I only have one tenant ID and one subscription. I don't know where the other tenant ID is coming from, or how it is being used to authorize the connector when I am using the same login that is tenant ID XXX.
Is there any way I can successfully authorize the connector with my tenant ID?

How to get subscription id programmatically in a Azure Role?

I have this Worker Role which makes use of the REST Management API (through https://github.com/Azure/azure-sdk-for-net), whose most basic prerequisite is the Subscription ID.
Is there a way to get the Subscription ID from a running (worker) role? E.g. say, through RoleEnvironment?
Sorry Gatis, there is no way to get this via any method provided by Azure*. You would need to pass this information into your role using something like the CSCFG configuration settings.
For a little more context - the subscription ID is only known at the RDFE layer. Once you are in the Fabric layer (i.e. your running Worker Role) then there is no concept of a subscription ID. You can see http://blogs.msdn.com/b/kwill/archive/2011/05/05/windows-azure-role-architecture.aspx, process A and steps 1&2, for a little more info.
*If you are using AAD authentication for your Service Management API calls then you could get a list of all subscriptions for that AAD user using 'List Azure Subscriptions' - http://msdn.microsoft.com/en-us/library/azure/dn775050.aspx. With those subscriptions you could enumerate all cloud services and match the deployment ID to the deployment ID for your worker role.
Edit: Typo in first paragraph. Changed 'something like the Subscription ID' to 'something like the CSCFG configuration settings'.

change the value of instances count programmatically in azure

I downloaded AutoScale from
http://blog.maartenballiauw.be/post/2011/03/21/Windows-Azure-and-scaling-how-(NET).aspx
and followed the instructions there.
I added it as a reference to my existing Azure project. But I am not sure what exactly I should pass as the user-defined values for the 6 parameters required for AutoScale.
I want to only change the instance count of my worker role depending on the number of documents to be processed.
Those parameters are all from the management API and the Silverlight Management UI
There are several more samples/tools for the Management API available - e.g. http://archive.msdn.microsoft.com/azurecmdlets/Wiki/View.aspx?title=Getting%20Started&version=1
There's also a commercial third party service available to assist - see paraleap.com
Maarten's tool has parameters:
Console.WriteLine(" AutoScale.exe <certificatefile> <subscriptionid> <servicename> <rolename> <slot> <instancecount>");
To generate the certificate file, see the instructions from that cmdlet article or see the instructions in http://blogs.msdn.com/b/avkashchauhan/archive/2010/12/30/handling-issue-csmanage-cannot-establish-secure-connection-to-management-core-windows-net.aspx
The subscription ID is available via the Silverlight Azure management UI.
The ServiceName and RoleName are what you choose when you create the service in the UI and when you create the role in code.
The Slot is "Production" or "Staging".
The instanceCount is how many instances you want to run.