Apply role to resources based on tags


I have a use case like this: the dev team creates resource groups and resources in them using Azure DevOps pipelines. One of the pipeline steps is to assign a role on a newly created Key Vault to a newly created web app. I would like to assign a role granting "assignment power" to the pipeline SP only for the resource groups it creates, not for the whole subscription. I checked the ABAC (attribute-based access control) documentation; at first look it seems the right way, but I can only add conditions for Data Actions roles (for now only available for storage accounts).

Is there a way to achieve this without granting permission on the whole subscription, like assigning a role based on a tag?

Tried: tested role conditions.

Expecting: to assign a specific role (built-in or custom) on the newly created resource group.

There is 1 answer

Venkat V

You can assign a specific role to the newly created resource group based on a specific tag by using Azure Policy.

Here is an Azure Policy definition that assigns a specific role to resource groups based on a specific tag.

{
  "mode": "All",
  "parameters": { "principalId": { "type": "String", "metadata": { "description": "Object ID of the pipeline service principal" } },
                  "roleDefinitionId": { "type": "String", "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" } },
  "policyRule": {
    "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      { "field": "tags['YourTagName']", "equals": "YourTagValue" }
    ] },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/roleAssignments",
        "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" ],
        "existenceCondition": {
          "field": "Microsoft.Authorization/roleAssignments/principalId",
          "equals": "[parameters('principalId')]"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": { "principalId": { "value": "[parameters('principalId')]" }, "roleDefinitionId": { "value": "[parameters('roleDefinitionId')]" } },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": { "principalId": { "type": "string" }, "roleDefinitionId": { "type": "string" } },
              "resources": [ {
                "type": "Microsoft.Authorization/roleAssignments",
                "apiVersion": "2022-04-01",
                "name": "[guid(resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]",
                "properties": {
                  "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
                  "principalId": "[parameters('principalId')]",
                  "principalType": "ServicePrincipal"
                }
              } ]
            }
          }
        }
      }
    }
  }
}

Assign the Azure Policy in the portal as below.

(Screenshot of the policy assignment page not preserved.)

The if clause of the policy rule specifies that the policy should only be evaluated if the resource group has the tag YourTagName. The then clause of the policy rule specifies that the role <roledefinition-Id> should be assigned to the resource group if the resource group has the tag YourTagName and the value of the tag is YourTagValue.

Reference: azure-docs/govern-tags.md at main · MicrosoftDocs/azure-docs · GitHub
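The answer describes the definition but the screenshot covering the assignment step is gone. The script below is added here as an example; it is not part of the original question or answer. It wires a tag-triggered DeployIfNotExists definition up with the Azure CLI and then checks that the pipeline service principal holds nothing at subscription scope, which is the property the question is after. Everything it assumes is an assumption, not something from the post: the definition is saved as assign-role-by-tag.json and exposes principalId and roleDefinitionId parameters, az and jq are installed and logged in, westeurope is an acceptable region for the policy assignment's managed identity, and the role handed out is User Access Administrator rather than Owner, because the question only asks for assignment power.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): set up a tag-triggered
# DeployIfNotExists policy with the Azure CLI and verify that the pipeline SP
# ends up with no subscription-scoped role. Assumed: az and jq installed and
# logged in; definition file assign-role-by-tag.json with principalId and
# roleDefinitionId parameters; region westeurope for the assignment identity.
set -eu

# Built-in role definition GUIDs; these are identical in every Azure tenant.
readonly ROLE_USER_ACCESS_ADMIN="18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
readonly ROLE_OWNER="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# The policy assignment covers the whole subscription so every tagged resource
# group is evaluated; the role assignment it deploys lands only in that group.
subscription_scope() { printf '/subscriptions/%s' "$1"; }

# Parameter values for the policy assignment: principal object id and role GUID.
assignment_params() {
  printf '{"principalId":{"value":"%s"},"roleDefinitionId":{"value":"%s"}}' "$1" "$2"
}

# JMESPath filter for role assignments of a principal whose scope is the
# subscription itself, i.e. exactly what the question wants to avoid.
broad_scope_query() { printf "[?scope=='%s'].{role:roleDefinitionName,scope:scope}" "$1"; }

main() {
  local sub_id=$1 pipeline_sp_oid=$2 def_file=${3:-assign-role-by-tag.json}
  local scope; scope=$(subscription_scope "$sub_id")

  # 1. Register the definition. --rules and --params take the two members of
  #    the saved file, so jq is used to pull them out.
  az policy definition create --name assign-pipeline-role-by-tag \
    --display-name "Grant pipeline SP a role on tagged resource groups" \
    --mode All \
    --rules "$(jq .policyRule "$def_file")" \
    --params "$(jq .parameters "$def_file")"

  # 2. Assign at subscription scope with a system-assigned identity and give
  #    that identity User Access Administrator so it can write role assignments.
  az policy assignment create --name assign-pipeline-role-by-tag \
    --policy assign-pipeline-role-by-tag --scope "$scope" \
    --mi-system-assigned --location westeurope \
    --identity-scope "$scope" --role "User Access Administrator" \
    --params "$(assignment_params "$pipeline_sp_oid" "$ROLE_USER_ACCESS_ADMIN")"

  # 3. DeployIfNotExists fires on create/update only; remediate groups that
  #    already carry the tag.
  az policy remediation create --name assign-pipeline-role-by-tag \
    --policy-assignment assign-pipeline-role-by-tag \
    --resource-discovery-mode ReEvaluateCompliance

  # 4. Check: the pipeline SP must hold nothing at subscription scope.
  #    An empty table here is the expected result.
  az role assignment list --assignee "$pipeline_sp_oid" --all \
    --query "$(broad_scope_query "$scope")" --output table
}

# Usage: ./assign-role-by-tag.sh <subscription-id> <pipeline-sp-object-id> [definition.json]
[ "$#" -eq 0 ] || main "$@"
```

Two points worth knowing when running it. DeployIfNotExists only fires when a resource group is created or updated, which is why the remediation task is there for groups that already carry the tag. And because the grant is keyed on a tag, anyone who can write tags on a resource group can hand the pipeline SP that role there, so treat Microsoft.Resources/tags/write on those groups as a sensitive permission.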