1

Azure RBAC: Built-in roles - Website Contributor

Per the above link it quotes the Website Contributor should be able to

Microsoft.Web/certificates/* Create and manage website certificates

but in reality the user is not able to manage certificates (add/remove/upload new). The user gets a Access denied text laid over the SSL Certificates blade of the Azure WebApp. Validated user can upload/manage SSL certificates only if the user has Resource Group level Owner or Resource Group level Contributor role and not with Website Contributor role. Am I interpreting the Create and manage website certificates rule incorrectly OR is it supposed to work as quoted?

user836107
  • 189
  • 1
  • 9
  • You are probably missing another role permission to perform this. You can use PowerShell to perfom the same operation and it will explicitly throw the error at you, like you are missing say Microsoft.Web/modify permission or something like that. – 4c74356b41 Oct 06 '16 at 08:05

1 Answers1

0

You are right that it won't work for "Website Contributor" at Web App level. From the following URL https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-control-troubleshooting/ Microsoft state that you need write access to the whole Resource Group to be able to set SSL because "SSL certificates can be shared between sites in the same resource group and geo-location".

I'm trying to work out now how I can restrict the user from other resources in the resource group without create a new resource group specifically for my Web Apps.