
review used security roles #141

Open
iricigor opened this issue May 4, 2020 · 1 comment

Labels: enhancement (New feature or request), PowerShell (Tasks that can be done in PowerShell), testing (Testing needs to be implemented or fixed)
Milestone: later
Comments

iricigor (Contributor) commented May 4, 2020

Currently, we sometimes use Azure security roles which give more permissions than really required. For example, Storage Contributor has rights to read and delete other data, which is not required.

One possible option is to create and use Azure custom roles.

iricigor added the enhancement, PowerShell and testing labels May 4, 2020
iricigor added this to the later milestone May 11, 2020

iricigor (Contributor, Author) commented

Here is one example, not sure though on blobServices actions.

```json
{
    "properties": {
        "roleName": "Storage Blob Data Sender",
        "description": "Can only send new data to storage blob, cannot read or delete anything.",
        "assignableScopes": [
            "/subscriptions/6558e738-8188-4771-a5fb-b62f974f971c/resourceGroups/AzmiEnvironment"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
                ],
                "notDataActions": []
            }
        ]
    }
}
```
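A small least-privilege check for a custom role definition like the one above, added here as an example and not part of the project or the comment: it parses the role JSON and flags any control-plane `actions` or data-plane `dataActions` whose verb is `read` or `delete`, or that contain a wildcard, so a "send only" role can be linted before it is created with `New-AzRoleDefinition`. The embedded JSON is a constructed copy of the draft role trimmed to the fields the check needs; `FORBIDDEN_VERBS` and the function names are this example's own.

```python
import json

# Constructed sample: the draft "Storage Blob Data Sender" role from the comment,
# reduced to roleName and permissions (assignableScopes is not needed for the check).
ROLE_JSON = """{
  "properties": {
    "roleName": "Storage Blob Data Sender",
    "permissions": [{
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
      "notDataActions": []
    }]
  }
}"""

# Verbs a send-only role must never grant (assumption for this example).
FORBIDDEN_VERBS = {"read", "delete"}


def _verb(operation):
    # Azure operation strings end in the verb: provider/.../resource/verb
    return operation.rsplit("/", 1)[-1]


def lint_role(role_text):
    """Return (plane, operation, reason) tuples for every grant that exceeds
    a write-only intent. Control-plane 'actions' are checked as well as
    data-plane 'dataActions', because a container-level delete on the
    management plane removes the blobs inside it just as surely."""
    findings = []
    for perm in json.loads(role_text)["properties"]["permissions"]:
        for plane in ("actions", "dataActions"):
            for op in perm.get(plane, []):
                if "*" in op:
                    findings.append((plane, op, "wildcard grants unbounded operations"))
                elif _verb(op) in FORBIDDEN_VERBS:
                    findings.append((plane, op, f"{_verb(op)} exceeds send-only intent"))
    return findings


def is_send_only(role_text):
    return not lint_role(role_text)
```

Run against the draft above, the check passes the `dataActions` but reports the two control-plane grants `containers/delete` and `containers/read`, which is the "blobServices actions" doubt the comment raises.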
