Custom RBAC role for Deployments in Azure Resource Manager

  • December 18, 2017
  • Brian Carter
  • Azure

Azure RBAC (Role Based Access Control) is a good starting point for granting permissions inside Azure services. Sometimes the built-in roles are not exactly what is needed, so this post walks through the basics of configuring a custom role, in this case one that allows deployments only.

Background

When deploying a server with System Center Orchestrator, my customer needed the newly created account to have rights to deploy resources and nothing more. There is no built-in role for just deployments, so we had to create a custom role via PowerShell. To see how we created the deployment account, see my post Create AD App Account to run with PowerShell.

Prerequisites

Install the Azure Resource Manager (AzureRM) PowerShell module on the machine you will work from, if you don't have it already.

Creating a Custom RBAC Role

As of today, creating a custom role is only possible through PowerShell, not the portal. There are two ways to create a role: copy an existing role and customize it, or build the definition from scratch. I will show the former, since it is easier: all the configuration is already in place and you only have to remove or add what is needed.

  1. Log into Azure PowerShell using an account that can create RBAC roles, which means Owner or User Access Administrator, or any principal that already has Microsoft.Authorization/roleDefinitions/write on the subscription.

    Login-AzureRmAccount
    
  2. Pick a role to copy; any role will do, since every field will be modified anyway. The variable name doesn't matter; I used $Role since that is what I was building.

    $Role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
    

    Run $Role on its own to display the configuration and get an understanding of how it is built.

    Name             : Virtual Machine Contributor
    Id               : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
    IsCustom         : False
    Description      : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
    Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
    NotActions       : {}
    AssignableScopes : {/}
    
  3. First, go down the list in order. Change the role's name to whatever you like.

    $Role.Name = "Orchestrator Machine Build Only"
    

    Optionally, confirm the change by running $Role again.

    Name             : Orchestrator Machine Build Only
    Id               : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
    IsCustom         : False
    Description      : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
    Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
    NotActions       : {}
    AssignableScopes : {/}
    
  4. Next is the Id. It is generated automatically when the role is created, so just null it out.

    $Role.Id = $null
    

    Again, run $Role if you want to confirm; you will see that Id is now blank.

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
    Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
    NotActions       : {}
    AssignableScopes : {/}
    
  5. IsCustom can be left as it is; it automatically changes to True once the role is created.

  6. Set the description to whatever you want. It shows up under the small information icon next to the role name in the portal:

    $Role.Description = "This only has permissions for resource deployments"
    

    Running $Role again shows the new description.

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : This only has permissions for resource deployments
    Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
    NotActions       : {}
    AssignableScopes : {/}
    
  7. Since Actions will be limited to deployments, the current ones can be cleared.

    $Role.Actions.Clear()
    

    Verify that it is correct:

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : This only has permissions for resource deployments
    Actions          : {}
    NotActions       : {}
    AssignableScopes : {/}
    
  8. Add just the deployments action; the role will then be:

    $Role.Actions.Add("Microsoft.Resources/deployments/*")
    

    The results should show:

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : This only has permissions for resource deployments
    Actions          : {Microsoft.Resources/deployments/*}
    NotActions       : {}
    AssignableScopes : {/}
    
  9. Clear the AssignableScopes:

    $Role.AssignableScopes.Clear()
    

    It should show:

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : This only has permissions for resource deployments
    Actions          : {Microsoft.Resources/deployments/*}
    NotActions       : {}
    AssignableScopes : {}
    
  10. Add the subscription(s) where you want this role to be available. If you want the role in multiple subscriptions, add one line per subscription.

    $Role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
    

    Verify everything looks good:

    Name             : Orchestrator Machine Build Only
    Id               :
    IsCustom         : False
    Description      : This only has permissions for resource deployments
    Actions          : {Microsoft.Resources/deployments/*}
    NotActions       : {}
    AssignableScopes : {/subscriptions/11111111-1111-1111-1111-111111111111}
    
  11. Now it is time to create the role in the selected subscription(s).

    New-AzureRmRoleDefinition -Role $Role
    

    The output shows the finished role, now with a generated Id and IsCustom set to True.

    Name             : Orchestrator Machine Build Only
    Id               : aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
    IsCustom         : True
    Description      : This only has permissions for resource deployments
    Actions          : {Microsoft.Resources/deployments/*}
    NotActions       : {}
    AssignableScopes : {/subscriptions/11111111-1111-1111-1111-111111111111}
    

That is it for creating the custom role. In the portal the role shows with an orange box instead of blue. Assign it to the users or groups you want.

Or verify it from PowerShell and check that it looks how you want.

Get-AzureRmRoleDefinition -Name "Orchestrator Machine Build Only"
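Beyond reading back the one role, it is worth checking every custom role in the subscription for the two things a copied built-in role can carry over: the root assignable scope "/" from step 9 and actions far broader than the single deployments action. The script below is an added check, not part of the original post; it assumes the AzureRM module is loaded and Login-AzureRmAccount has been run.

```powershell
# Added check (not the post's own script): flag custom roles that are broader
# than a deployment-only role should be. Assumes Login-AzureRmAccount has run.
$DeploymentAction = "Microsoft.Resources/deployments/*"

$Findings = foreach ($Role in Get-AzureRmRoleDefinition -Custom) {
    $Reasons = @()

    # A role copied from a built-in one keeps AssignableScopes {/} unless it
    # was cleared (step 9); a custom role should be scoped to subscriptions.
    if ($Role.AssignableScopes -contains "/") {
        $Reasons += "assignable at root scope /"
    }

    foreach ($Action in $Role.Actions) {
        # "*" or a provider-wide wildcard such as Microsoft.Compute/* grants
        # far more than the single deployments action this post builds on.
        if ($Action -eq "*" -or $Action -match '^[^/]+/\*$') {
            $Reasons += "broad action $Action"
        }
        # Write access on role definitions or assignments lets the holder
        # change its own permissions; a deployment account never needs that.
        if ($Action -like "Microsoft.Authorization/*" -and $Action -notlike "*/read") {
            $Reasons += "authorization write $Action"
        }
    }

    # For the role built in this post, anything beyond the single deployments
    # action means it no longer matches its description.
    if ($Role.Name -eq "Orchestrator Machine Build Only") {
        $Extra = @($Role.Actions) | Where-Object { $_ -ne $DeploymentAction }
        if ($Extra) { $Reasons += "unexpected actions: $($Extra -join ', ')" }
    }

    if ($Reasons.Count -gt 0) {
        [pscustomobject]@{
            Name    = $Role.Name
            Id      = $Role.Id
            Actions = ($Role.Actions -join ", ")
            Reasons = ($Reasons -join "; ")
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    "No custom role was flagged."
}
```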

Full script

Here is the full script of what we just built.

$Role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$Role.Id = $null
$Role.Name = "Orchestrator Machine Build Only"
$Role.Description = "This only has permissions for resource deployments"
$Role.Actions.Clear()
$Role.Actions.Add("Microsoft.Resources/deployments/*")
$Role.AssignableScopes.Clear()
$Role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")

New-AzureRmRoleDefinition -Role $Role
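The other route mentioned earlier is to build the definition from scratch, which avoids carrying over anything from a built-in role. The following is an added example, not the post's own script: it writes the same deployment-only role as a JSON definition for New-AzureRmRoleDefinition -InputFile, refuses to create a duplicate name, and reads the role back to confirm it carries exactly the intended action and scope. It assumes the AzureRM module is loaded, Login-AzureRmAccount has been run, and the current context's subscription is the one the role should be assignable in (Subscription.Id is assumed to be the property name, as in AzureRM 4.x and later).

```powershell
# Added example (not the post's script): build the role from scratch as JSON.
# Assumes Login-AzureRmAccount has run and the current context's subscription
# is the intended scope.
$RoleName = "Orchestrator Machine Build Only"
$DeploymentAction = "Microsoft.Resources/deployments/*"

# Scope the role to the current subscription rather than the root scope "/"
# that a copied built-in role carries. (Subscription.Id assumes AzureRM 4.x+.)
$SubscriptionId = (Get-AzureRmContext).Subscription.Id
$Scope = "/subscriptions/$SubscriptionId"

# Refuse to create a duplicate name; nothing is changed if it already exists.
$Existing = Get-AzureRmRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if ($Existing) {
    Write-Warning "Role '$RoleName' already exists with Id $($Existing.Id); nothing changed."
    return
}

# No Id is given: Azure generates it, as it did for the copied role in step 4.
$Definition = [ordered]@{
    Name             = $RoleName
    IsCustom         = $true
    Description      = "This only has permissions for resource deployments"
    Actions          = @($DeploymentAction)
    NotActions       = @()
    AssignableScopes = @($Scope)
}

# New-AzureRmRoleDefinition -InputFile expects the JSON definition on disk.
$JsonPath = Join-Path $env:TEMP "deployment-only-role.json"
$Definition | ConvertTo-Json -Depth 4 | Set-Content -Path $JsonPath -Encoding UTF8
try {
    $Created = New-AzureRmRoleDefinition -InputFile $JsonPath -ErrorAction Stop
} finally {
    Remove-Item -Path $JsonPath -ErrorAction SilentlyContinue
}

# Read the role back and confirm it has exactly the one intended action and
# only the intended scope before anything is assigned to it.
$Check = Get-AzureRmRoleDefinition -Id $Created.Id
$ActionDiff = Compare-Object -ReferenceObject @($DeploymentAction) -DifferenceObject @($Check.Actions)
$ScopeDiff  = Compare-Object -ReferenceObject @($Scope) -DifferenceObject @($Check.AssignableScopes)
if ($ActionDiff -or $ScopeDiff) {
    throw "Role '$RoleName' (Id $($Check.Id)) does not match the intended definition."
}
"Created role '$($Check.Name)' with Id $($Check.Id), scoped to $Scope."
```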