MultiCloud Classroom notes 09/Oct/2024

Azure RBAC

  • Assigning Azure Roles to the users is called as Role Assignment
  • Azure RBAC Roles Refer Here
  • Azure RBAC Role is a JSON with
    • scope: Where can we assign the role
    • actions: what is allowed
    • notActions: what is denied
  • Lets look at some existing RBAC roles
  • Owner
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "properties": {
        "roleName": "Owner",
        "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Contributor
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "properties": {
        "roleName": "Contributor",
        "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action",
                    "Microsoft.Blueprint/blueprintAssignments/write",
                    "Microsoft.Blueprint/blueprintAssignments/delete",
                    "Microsoft.Compute/galleries/share/action",
                    "Microsoft.Purview/consents/write",
                    "Microsoft.Purview/consents/delete",
                    "Microsoft.Resources/deploymentStacks/manageDenySetting/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Now lets try to understand the syntax of action Microsoft.Authorization/*/Delete. For this we need to understand permission i.e. Resource Provider actions Refer Here
  • Figure out all the actions, if actions are many use pattern * and for the actions which you should not be giving access write in not actions

Create a custom role

  • to do anything but should not be able to delete virtual networks
{
    "id": "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81/providers/Microsoft.Authorization/roleDefinitions/6118a5ee-3c2b-4a85-b317-907416e5c1f4",
    "properties": {
        "roleName": "mylearning",
        "description": "",
        "assignableScopes": [
            "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • To do anything in SQL Severs and databases but do not delete sql server and database
{
    "id": "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81/providers/Microsoft.Authorization/roleDefinitions/6118a5ee-3c2b-4a85-b317-907416e5c1f4",
    "properties": {
        "roleName": "mylearning",
        "description": "",
        "assignableScopes": [
            "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.sql/servers/*",
                    "Microsoft.sql/servers/databases/*"
                ],
                "notActions": [
                    "Microsoft.sql/servers/delete",
                    "Microsoft.sql/servers/databases/delete"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

IAM Role

  • Roles are used to give access to AWS resource to access other AWS Resources
  • Lets give an access to EC2 to do anything in s3 buckets
  • Create an Amazon linux 2 based EC2 instance (as AWS CLI is preinstalled)
  • SSH into this instance and execute aws s3 ls
  • Now lets create a role for ec2 with a policy s3 full access

Programmatic Access

  • In AWS Programatic access refers to access given to
    • AWS CLI
    • AWS SDK
  • Lets create a user for programmatic access (refer classroom video for guided creation)
  • Credentials of this user are
    • Access Key ID
    • Secret Access Key

Azure CLI Access

  • Azure CLI access can be given to a user (email and password)
  • az login and enter your credentials and cli will get same permission as what you have.
Published
Categorized as Uncategorized Tagged

By continuous learner

devops & cloud enthusiastic learner

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Animated Social Media Icons by Acurax Responsive Web Designing Company

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Exit mobile version
%%footer%%