TechQA.

custom RBAC role for select azure resources app gw, vm, storage, CDN, key vault

204 views Asked by At

Hi I would need to grant users access to app gateway so that they can create, update, or delete listeners, rules, etc. It looks like they would need a network contributor role, but that will leave them with the ability to potentially delete networks and app gateway. Is that the case? What roles and permissions are needed to achieve this?

They would also need access to the key vault (secrets and certificates that I believe kv officer roles would be sufficient, I think).

I appreciate your help

azure azure-rbac
Original Q&A
1

There are 1 answers

3
Jayendran On BEST ANSWER

As per this the role would be Microsoft.Network/virtualNetworks/subnets/join/action

Since the application gateway resource is deployed inside a virtual network, we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations. You should check your Azure role-based access control to verify the users (and service principals) that operate application gateways also have at least Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. This validation also applies to the Managed Identities for Application Gateway Ingress Controller.

My recommendation would be try adding a new custom role with below permission

Microsoft.Network/applicationGateways/*
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Resources/deployments/*

Then, try to test your role by doing the operations on the portal.Lets say if you don't have enough permission, you will get an error telling you what permissions are missing. Using that, you can enhance the custom role by providing additional permissions

I assume your virtual network/appgateway is in the same RG if so you can assign this role to that particular RG for the least privilege. Else you have to assign the role to the appropriate scope where your app gateway and vnet resource resides

For keyvualt you can use the 2 below builtin roles

Key Vault Secrets Officer
Key Vault Certificates Officer

Related Questions in AZURE

Related Questions in AZURE-RBAC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions