Azure RBAC
- Assigning an Azure role to a user is called a role assignment
- Azure RBAC Roles Refer Here
- An Azure RBAC role definition is a JSON document with
  - scope (assignableScopes): where the role can be assigned
  - actions: what is allowed
  - notActions: what is denied (subtracted from actions)
- Let's look at some existing built-in RBAC roles
- Owner

```json
{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "properties": {
    "roleName": "Owner",
    "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- Contributor

```json
{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "properties": {
    "roleName": "Contributor",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action",
          "Microsoft.Purview/consents/write",
          "Microsoft.Purview/consents/delete",
          "Microsoft.Resources/deploymentStacks/manageDenySetting/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- Now let's try to understand the syntax of an action such as `Microsoft.Authorization/*/Delete`. For this we need to understand permissions, i.e. the resource provider operations: Refer Here
- Figure out all the actions the role needs. If there are many, use the `*` wildcard pattern, and list the actions that must not be granted under notActions
Create a custom role
- To do anything, but not be able to delete virtual networks (the delete operation is listed under notActions)

```json
{
  "id": "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81/providers/Microsoft.Authorization/roleDefinitions/6118a5ee-3c2b-4a85-b317-907416e5c1f4",
  "properties": {
    "roleName": "mylearning",
    "description": "",
    "assignableScopes": [
      "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Network/virtualNetworks/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- To do anything with SQL servers and databases, but not delete a SQL server or database

```json
{
  "id": "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81/providers/Microsoft.Authorization/roleDefinitions/6118a5ee-3c2b-4a85-b317-907416e5c1f4",
  "properties": {
    "roleName": "mylearning",
    "description": "",
    "assignableScopes": [
      "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Sql/servers/*",
          "Microsoft.Sql/servers/databases/*"
        ],
        "notActions": [
          "Microsoft.Sql/servers/delete",
          "Microsoft.Sql/servers/databases/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
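To check what a role definition like the ones above actually grants before assigning it, here is a small evaluator (an added example, not code from the course or from Azure) that applies the rule actions minus notActions with Azure's `*` wildcard, and checks assignableScopes. The role definitions inside it are constructed samples in the same shape as the page's JSON, with a placeholder subscription id.

```python
import re

# Constructed sample role definitions in the same shape as the JSON above
# (ids and descriptions trimmed; the subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CONTRIBUTOR = {"properties": {"assignableScopes": ["/"], "permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"]}]}}
VNET_NO_DELETE = {"properties": {"assignableScopes": [SUB], "permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Network/virtualNetworks/delete"]}]}}
SQL_NO_DELETE = {"properties": {"assignableScopes": [SUB], "permissions": [{
    "actions": ["Microsoft.Sql/servers/*", "Microsoft.Sql/servers/databases/*"],
    "notActions": ["Microsoft.Sql/servers/delete",
                   "Microsoft.Sql/servers/databases/delete"]}]}}


def matches(pattern, operation):
    """Azure action patterns: '*' matches any characters (including '/'),
    and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """A control-plane operation is granted by a role only if it matches an
    entry in actions and does not match any entry in notActions."""
    for perm in role["properties"]["permissions"]:
        allowed = any(matches(a, operation) for a in perm.get("actions", []))
        denied = any(matches(n, operation) for n in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def scope_assignable(role, scope):
    """A role can only be assigned at, or below, one of its assignableScopes."""
    target = scope.rstrip("/").lower()
    for s in role["properties"]["assignableScopes"]:
        base = s.rstrip("/").lower()
        if target == base or target.startswith(base + "/"):
            return True
    return False
```

Note that notActions only narrows this role; a user holding a second role that grants the operation still gets it, so a deny here is not an explicit deny.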
IAM Role
- IAM roles are used to give one AWS resource access to other AWS resources
- Let's give an EC2 instance access to do anything in S3 buckets
  - Create an Amazon Linux 2 based EC2 instance (the AWS CLI is preinstalled)
  - SSH into this instance and execute

```shell
aws s3 ls
```

  - Now let's create a role for EC2 with an S3 full access policy
Programmatic Access
- In AWS, programmatic access refers to access given to
- Let's create a user for programmatic access (refer to the classroom video for guided creation)
- The credentials of this user are
  - Access Key ID
  - Secret Access Key
Azure CLI Access
- Azure CLI access can be given to a user (email and password)
- Run `az login` and enter your credentials; the CLI will get the same permissions as your user has.