
I'm trying to lock down my Azure service principals with minimum permissions. This can be done by creating custom roles. But in defining custom roles, how do I know what actions are required for a given task? For example, if an automation account needs to run several AzureRm cmdlets in a PowerShell script (Get-AzureKeyVaultSecret, New-AzureRmContainerGroup, Get-AzureRmContext, etc.), how do I find out which "Actions" each of those commands performs?

Get-AzureRMProviderOperation * lists all available Actions (currently rendering a list of 2969, a slightly overwhelming number to sort through). How do I determine which of those I need?

jschmitter

1 Answer


For example, if you want to use an Azure Automation account to run the runbook command
Get-AzureKeyVaultSecret, we should give that SP permissions like:

Microsoft Authorization: (shown in an image that is not preserved here)
Microsoft Automation: Microsoft.Automation/automationAccounts/runbooks/read

Microsoft.KeyVault needs these permissions:

Microsoft.KeyVault/vaults/read 
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

Normally, we can set up roles for each provider. For example, for Microsoft.KeyVault, if we want the SP to be able to update the key vault or read secrets, we can add Microsoft.KeyVault/vaults/write, Microsoft.KeyVault/vaults/secrets/read and Microsoft.KeyVault/vaults/read.

PS C:\Users\jason> Get-AzureRmProviderOperation * | ?{ $_.ProviderNamespace -eq 'Microsoft Key Vault' } | select Operation, OperationName

Operation                                               OperationName
---------                                               -------------
Microsoft.KeyVault/register/action                      Register Subscription
Microsoft.KeyVault/unregister/action                    Unregister Subscription
Microsoft.KeyVault/hsmPools/read                        View HSM pool
Microsoft.KeyVault/hsmPools/write                       Create or Update HSM pool
Microsoft.KeyVault/hsmPools/delete                      Delete HSM pool
Microsoft.KeyVault/hsmPools/joinVault/action            Join KeyVault to HSM pool
Microsoft.KeyVault/checkNameAvailability/read           Check Name Availability
Microsoft.KeyVault/vaults/read                          View Key Vault
Microsoft.KeyVault/vaults/write                         Update Key Vault
Microsoft.KeyVault/vaults/delete                        Delete Key Vault
Microsoft.KeyVault/vaults/deploy/action                 Use Vault for Azure Deployments
Microsoft.KeyVault/vaults/secrets/read                  View Secret Properties
Microsoft.KeyVault/vaults/secrets/write                 Update Secret
Microsoft.KeyVault/vaults/accessPolicies/write          Update Access Policy
Microsoft.KeyVault/operations/read                      Available Key Vault Operations
Microsoft.KeyVault/deletedVaults/read                   View Soft Deleted Vaults
Microsoft.KeyVault/locations/operationResults/read      Check Operation Result
Microsoft.KeyVault/locations/deletedVaults/read         View Soft Deleted Key Vault
Microsoft.KeyVault/locations/deletedVaults/purge/action Purge Soft Deleted Key Vault

After that is completed, we can assign this role to the SP which you want to run Get-AzureKeyVaultSecret. We can assign many roles to one SP.

Note:

Every service principal needs Microsoft.Authorization permission, or this SP will not be able to log in to Azure.

Normally, Azure PowerShell Get commands need read permission; New, Set and Update commands need write permission.

Hope this helps:)

Jason Ye
    Is it not necessary to assign the SP to the Key Vault Access Policies? :) – juunas Dec 20 '17 at 07:06
  • 1
    @juunas thank you, you are right, we still need to associate the key vault access policy with the SP. – Jason Ye Dec 20 '17 at 07:12
  • Yeah, the roles in IAM give it access to the ARM API side of Key Vault, but to access the Key Vault API I guess it requires the access policy. – juunas Dec 20 '17 at 07:13
  • Thanks @JasonYe-MSFT. I have a few follow-up questions: 1) Can I grant access to a child resource (Microsoft.KeyVault/vaults/secrets/read) without giving access to the parent resource (Microsoft.KeyVault/vaults/read)? 2) In the Microsoft Authorization namespace, I see 25 different operations. Which of those does a service principal need just to log in and run a simple command (assuming it already has the other permissions it needs)? 3) In some places I see Microsoft.xxxxxx/xxxxxxx/action. What is /action compared to /* ? – jschmitter Dec 20 '17 at 12:32
  • @jschmitter 1) We can't grant access to a child resource without giving access to the parent resource. 2) We can grant all read permissions to the SP to log in to Azure: `Microsoft.Authorization/*/read`. 3) No, `/action` is like `Microsoft.KeyVault/register/action` or `Microsoft.KeyVault/unregister/action`, not `/*`; it is just one operation of that provider. – Jason Ye Dec 21 '17 at 06:34
  • @jschmitter Just checking in to see if the information provided was helpful. Please let me know if you would like further assistance. – Jason Ye Dec 22 '17 at 01:42
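The procedure the answer and its comments describe (discover the provider operations a cmdlet needs, put only those into a custom role, assign it at a narrow scope, then separately grant the Key Vault access policy that RBAC does not cover) as one end-to-end script. This is an added example, not code from the original answer. The subscription id, resource group, vault name and service principal display name are placeholders you must replace; the action list follows the answer's rule of thumb (Get-* needs read, New-/Set-/Update-* needs write) and the comment that `Microsoft.Authorization/*/read` is what the SP needs to sign in. The same cmdlets exist in the newer Az module with the `AzureRm` prefix replaced by `Az`.

```powershell
# Added example (not from the original answer): least-privilege custom role for a
# service principal that only needs Get-AzureKeyVaultSecret from a runbook.
# All four values below are assumptions; replace them with your own.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-automation"
$vaultName      = "kv-automation"
$spDisplayName  = "sp-runbook-secret-reader"

# 1. Narrow the ~3000 operations to one provider and drop anything that is not a read.
#    Compare this list with what the cmdlet does before you copy an action into a role.
$kvReadOps = Get-AzureRmProviderOperation -OperationSearchString "Microsoft.KeyVault/*" |
    Where-Object { $_.Operation -like "*/read" } |
    Select-Object Operation, OperationName
$kvReadOps | Format-Table -AutoSize

# 2. Map the cmdlets the runbook calls to actions. Nothing here is a write, delete
#    or /action, so the SP cannot change policies or vault settings even if the
#    runbook is modified.
$actions = @(
    "Microsoft.Authorization/*/read",                        # sign-in / resolve own assignments
    "Microsoft.Resources/subscriptions/resourceGroups/read",  # resolve the vault's resource group
    "Microsoft.KeyVault/vaults/read",                        # Get-AzureRmKeyVault
    "Microsoft.KeyVault/vaults/secrets/read"                 # Get-AzureKeyVaultSecret (ARM side)
)

# 3. Clone a built-in role as a template, then replace its contents with the minimal set.
$role = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "Runbook Key Vault Secret Reader"
$role.Description = "Read vault metadata and secret properties only; no write, delete or action."
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
$customRole = New-AzureRmRoleDefinition -Role $role

# 4. Assign the role at the vault itself, not at the subscription, so a leaked SP
#    credential can only read this one vault's metadata.
$sp = Get-AzureRmADServicePrincipal -SearchString $spDisplayName | Select-Object -First 1
$vaultScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.KeyVault/vaults/$vaultName"
New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $customRole.Name -Scope $vaultScope

# 5. RBAC only covers the ARM API side of Key Vault (see the comments above). Reading
#    secret *values* is governed by the vault access policy, so grant get/list only.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets Get,List

# 6. Verify what the SP actually holds before handing it to the runbook.
Get-AzureRmRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToSecrets
```

Two points worth checking when you adapt this: step 1 is where you decide the action list, so run it for every provider namespace the runbook touches (Microsoft.ContainerInstance for New-AzureRmContainerGroup, for instance) and read the OperationName column rather than guessing from the cmdlet verb alone; and step 5 is easy to forget, since a custom role that includes Microsoft.KeyVault/vaults/secrets/read still returns only secret properties, not values, until the access policy is in place.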