Following least privilege with Azure RBAC custom roles
In this blog I am going to guide you through creating a custom role in Azure RBAC. This is not to be confused with custom roles in Azure AD, which require an Azure AD Premium license and only apply to Azure AD administration (directory objects such as users, groups and applications). An Azure RBAC custom role, on the other hand, applies to Azure resources: subscriptions, resource groups and the individual resources inside them.
Remind me what Azure RBAC is again...
Azure role-based access control (Azure RBAC) allows you to grant access to Azure resources by assigning a specific set of permissions to an Azure AD identity. You typically go through the following process when creating a role assignment:

Step 1: Decide on the scope. Should this apply to a single resource, a resource group or perhaps the whole subscription? Permissions are inherited downwards, so a role assigned at the subscription applies to every resource group and resource beneath it.

Step 2: Decide on the permissions. Typically this means a built-in role such as Owner, Contributor or Reader.

Step 3: Assign the role to an identity. This can be a user, group, service principal or managed identity.

Once the above is complete the identity can access the resource based on the permissions you have granted, and only within the scope you chose.
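The three steps above, worked through with the Azure CLI. This is an added example and not code from the original post: the subscription ID, resource group, storage account and object ID are placeholders, and the helper names build_scope and assign_role are mine. The point it shows is step 1: the same built-in role assigned at subscription, resource group or single-resource scope grants very different amounts of access, so the scope string should be built deliberately rather than copied from the portal.

```shell
#!/bin/sh
# Added example (not from the original post). Requires a logged-in Azure CLI
# only for assign_role; build_scope runs offline.
set -eu

# Step 1: build an Azure scope string for one of the three common levels.
#   build_scope SUB                          -> /subscriptions/SUB
#   build_scope SUB RG                       -> /subscriptions/SUB/resourceGroups/RG
#   build_scope SUB RG PROVIDER/TYPE/NAME    -> .../providers/PROVIDER/TYPE/NAME
# A resource scope needs a resource group; a bare subscription ID must be a GUID.
build_scope() {
  sub="$1"; rg="${2:-}"; resource="${3:-}"
  if ! printf '%s' "$sub" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "build_scope: subscription id must be a GUID" >&2
    return 1
  fi
  scope="/subscriptions/$sub"
  if [ -n "$rg" ]; then
    scope="$scope/resourceGroups/$rg"
  fi
  if [ -n "$resource" ]; then
    if [ -z "$rg" ]; then
      echo "build_scope: a resource-level scope needs a resource group" >&2
      return 1
    fi
    # resource is given as "Microsoft.Storage/storageAccounts/<name>"
    scope="$scope/providers/$resource"
  fi
  printf '%s\n' "$scope"
}

# Steps 2 and 3: assign a role (built-in or custom, by name) to an identity at
# the chosen scope. The object ID plus principal type is used instead of a UPN or
# display name so the assignment cannot silently land on a similarly named
# principal. principal_type is one of User, Group or ServicePrincipal (managed
# identities are ServicePrincipal).
assign_role() {
  object_id="$1"; principal_type="$2"; role="$3"; scope="$4"
  az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --role "$role" \
    --scope "$scope"
}

# Demo with placeholder values: the same Reader role, three very different blast radii.
SUB="00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
echo "subscription scope: $(build_scope "$SUB")"
echo "resource group scope: $(build_scope "$SUB" rg-prod)"
echo "single resource scope: $(build_scope "$SUB" rg-prod Microsoft.Storage/storageAccounts/stprodlogs001)"

# Least-privilege assignment for a managed identity that only needs to read one
# storage account (uncomment with real IDs):
# assign_role "11111111-1111-1111-1111-111111111111" ServicePrincipal "Reader" \
#   "$(build_scope "$SUB" rg-prod Microsoft.Storage/storageAccounts/stprodlogs001)"
```

If you are unsure which scope an existing assignment landed on, `az role assignment list --all --assignee <object-id> -o table` shows the scope column for each assignment, which is the quickest way to spot a Contributor granted at subscription level that should have been a single resource group.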
So what’s the problem?
Considering it's best practice to follow the principle of least privilege, there are scenarios where the built-in roles won't fit your requirements. For example, what if you wanted to grant a small set of resource-specific permissions (say, read on one resource type and write on another) rather than granting Contributor or Reader across everything? If this were done with built-in roles at the resource group level, you'd end up with multiple role assignments like the ones below: