Apply Azure RBAC to a resource using ARM

Is there a way to apply RBAC rules at the resource level via ARM? I was able to follow this Microsoft guide to add a user/role at the resource group level, but not at the resource. In particular, I am trying to add a new reader role to AppInsights via ARM. However, when I adjust the scope, the template just fails with this error:

"error": {
  "code": "InvalidCreateRoleAssignmentRequest",
  "message": "The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}' must match the scope specified on the URI '/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}'."
}

I am left wondering what the scope variable is for if it cannot be changed. Is there some other place I should be modifying the scope to get this working?

Thanks in advance!

Negatar asked Sep 14 '18 23:09



3 Answers

Microsoft has finally provided documentation explaining this:

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#resource-scope

Andrew Shepherd answered Oct 08 '22 11:10


The key is to drop the scope property, and instead nest the role assignment under the desired resource by using Microsoft.FooResource/BarSubType/providers/roleAssignments as the type, and using the following format for the name: {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Note that the GUID should be stable but unique to this role assignment; one easy option is guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').

Here is a template that shows you how to apply RBAC to a single resource, using a user-assigned managed identity defined in the same template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { 
      "storageAccountName": { "type": "string" },
      "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
          {
              "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
              "apiVersion": "2017-05-01",
              "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
              "properties": {
                "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
                "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
              },
              "dependsOn": [
                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
                  "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
              ]
         }
      ]
    }
  ]
}

Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

Ohad Schneider answered Oct 08 '22 11:10
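As an added example that is not code from the answers above or from Microsoft, here is a Python helper that emits the nested roleAssignments resource for any parent type (including the question's Microsoft.Insights/components) and lints a template for the top-level-with-scope shape that produced the error in the question, with a least-privilege warning keyed on the Owner role GUID from the VM template answer. The function names and the constructed sample template are assumptions.

```python
# Added example (not code from the answers or from Microsoft): nested role assignment builder + linter.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"   # Owner GUID, as in the VM template answer
ROLE_DEF_PATH = "Microsoft.Authorization/roleDefinitions/"
TOP_LEVEL = "Microsoft.Authorization/roleAssignments"

def nested_role_assignment(parent_type, parent_name_expr, role_def_var, principal_expr, salt):
    """Nested resource for one parent, e.g. parent_type='Microsoft.Insights/components' (the
    AppInsights case from the question). ARM expressions are passed through unevaluated."""
    return {
        "type": f"{parent_type}/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": (f"[concat({parent_name_expr}, '/Microsoft.Authorization/', "
                 f"guid(subscription().subscriptionId, '{salt}'))]"),
        "properties": {"roleDefinitionId": f"[variables('{role_def_var}')]",
                       "principalId": principal_expr},
        "dependsOn": [f"[resourceId('{parent_type}', {parent_name_expr})]"],
    }

def _resolve(template, value):
    """Follow a one-level [variables('X')] reference so the role id can be inspected."""
    if isinstance(value, str) and value.startswith("[variables('") and value.endswith("')]"):
        return template.get("variables", {}).get(value[12:-3], value)
    return value

def lint_role_assignments(template):
    """Findings for every role assignment in a resource-group-scoped template."""
    findings, stack = [], list(template.get("resources", []))
    while stack:
        res = stack.pop()
        stack.extend(res.get("resources", []))          # inline child resources
        rtype, name = res.get("type", ""), res.get("name", "")
        if not rtype.endswith("roleAssignments"):
            continue
        if rtype == TOP_LEVEL and "scope" in res:
            findings.append(f"{name}: 'scope' on a top-level roleAssignments must equal the "
                            "deployment scope; nest the assignment under the target resource")
        elif rtype != TOP_LEVEL and "/Microsoft.Authorization/" not in name:
            findings.append(f"{name}: nested name must be '<resourceName>/Microsoft.Authorization/<guid>'")
        role_id = _resolve(template, res.get("properties", {}).get("roleDefinitionId", ""))
        if OWNER_ROLE_ID in role_id:
            findings.append(f"{name}: assigns Owner; prefer the narrowest built-in role that fits")
        elif ROLE_DEF_PATH not in role_id and not role_id.startswith("["):
            findings.append(f"{name}: roleDefinitionId must be the full roleDefinitions path")
    return findings

READER = ("[concat('/subscriptions/', subscription().subscriptionId, '/providers/"
          "Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]")
QUESTION_STYLE = {"variables": {"Reader": READER}, "resources": [{   # constructed: the question's failing shape
    "type": TOP_LEVEL, "apiVersion": "2017-05-01", "scope": "[resourceId('Microsoft.Insights/components', 'ai')]",
    "name": "[guid(resourceGroup().id, 'ai-reader')]", "properties": {"roleDefinitionId": "[variables('Reader')]",
    "principalId": "[parameters('principalId')]"}}]}
```

Running `lint_role_assignments(QUESTION_STYLE)` reports the scope mismatch; replacing that resource with `nested_role_assignment("Microsoft.Insights/components", "parameters('aiName')", "Reader", "[parameters('principalId')]", "ai-reader")` yields no findings.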


You can apply RBAC rules at the resource level via an ARM template, and there is an example template that applies RBAC rules to an Azure VM here:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "Principal ID associated with the subscription ID"
            }
        },
        "virtualMachineName": {
            "type": "string",
            "metadata": {
                "description": "Name of the virtual machine"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "metadata": {
                "description": "Built In Role Type for the Virtual Machine"
            },
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader",
                "Virtual Machine Contributor"
            ]
        },
        "guid": {
            "type": "string",
            "metadata": {
                "description": "A new GUID used to identify the role"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "Virtual Machine Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
        "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[variables('resourceName')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Hope this will help you.

Charles Xu answered Oct 08 '22 10:10