
Is it possible to revoke a role from a User Assigned Managed Identity? From the Azure Portal dashboard, there seems to be no way to revoke access once you grant it. There is only an "Add" button to extend it, but nothing to revoke an existing one.


Also, same problem with Terraform:

# The user assigned managed identity; Azure creates a service principal for it.
resource "azurerm_user_assigned_identity" "aks-dev-identity" {
  resource_group_name = azurerm_resource_group.rg_aks.name
  location            = azurerm_resource_group.rg_aks.location

  name = "aks-dev-identity"
}

# Grants that service principal the Reader role on the SQL database.
# principal_id is the object ID of the service principal, not the identity's resource ID;
# the assignment is keyed by scope + role + principal, so Terraform must remove it at this scope.
resource "azurerm_role_assignment" "aks-dev-identity-role" {
  scope                = "Resource ID of the SQL DB" # placeholder from the question
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.aks-dev-identity.principal_id
}

When I comment out the "azurerm_role_assignment" resource, Terraform says that it is going to revoke that role, but in reality nothing happens when I look at the "Azure role assignments" blade on the "Identity" page.

Benjamin
  • Yes, if you go to the resource (SQL server here), Access control (IAM) tab, Role assignments – juunas Apr 27 '22 at 12:50
  • You are right @juunas. There seems to be a super bad UI design here, because even when I revoke the access from the SQL IAM blade, I am still able to see the "Reader" role when I browse "Azure role assignments" on the "Identity" object page itself, which is misleading. Also, I was expecting to revoke the role from the "Identity" page and not from the principal (SQL) page, since I granted the access from the "Identity" page. Would you like to turn your comment into an answer? – Benjamin Apr 27 '22 at 12:57

1 Answer


You can remove the role assignment if you go to the resource (SQL server in this case), then its Access control (IAM) tab, and then Role assignments tab within that. Select the assignment and click Remove.

juunas
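The same removal done from Az PowerShell instead of the portal, as an added example that is not part of juunas's answer or the question's Terraform. It assumes the identity from the question (name "aks-dev-identity"), a placeholder resource group name "rg-aks-dev" (the question only shows the reference azurerm_resource_group.rg_aks), and that $Scope is the full ARM resource ID of the SQL database; the cmdlets are the standard ones from the Az.Resources and Az.ManagedServiceIdentity modules.

```powershell
# Added example, not from the original answer: revoke the Reader assignment
# that the question's Terraform granted, working from the scope (the SQL DB)
# rather than from the identity page, which is what the answer recommends.
#Requires -Modules Az.Accounts, Az.Resources, Az.ManagedServiceIdentity

param(
    [string]$ResourceGroupName = 'rg-aks-dev',      # placeholder, not in the question
    [string]$IdentityName      = 'aks-dev-identity', # from the question's Terraform
    [string]$RoleName          = 'Reader',
    # Placeholder: full resource ID of the SQL database, e.g.
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Sql/servers/<srv>/databases/<db>
    [Parameter(Mandatory)] [string]$Scope
)

Connect-AzAccount | Out-Null   # interactive sign-in; omit if a context already exists

# Role assignments reference the service principal's object ID (PrincipalId),
# not the identity's ARM resource ID, so fetch the identity first.
$identity    = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName
$principalId = $identity.PrincipalId

# What the principal holds at this scope. Note: this also returns assignments
# inherited from parent scopes (server, resource group, subscription).
Write-Host "Assignments for $IdentityName at $Scope before removal:"
Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope |
    Format-Table RoleDefinitionName, Scope -AutoSize

# An assignment is identified by principal + role + scope; give all three so
# only the assignment created at the database scope is removed.
Remove-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $Scope

# Verify against the scope, which is authoritative. Filter on Scope exactly:
# a Reader assignment inherited from a parent scope would still appear here
# and would have to be removed at the scope where it was created.
$remaining = Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleName -and $_.Scope -eq $Scope }

if ($remaining) {
    Write-Warning "A '$RoleName' assignment for $principalId still exists at $Scope"
} else {
    Write-Host "'$RoleName' assignment for $principalId removed at $Scope"
}
```

The verification step is the part worth keeping: it checks the resource's own IAM view, which is where the answer says the assignment lives, rather than the identity page that the question reports still showed the role after removal. If the filtered list is empty but the unfiltered one still shows Reader, the remaining assignment was made at a parent scope (SQL server, resource group or subscription) and must be removed there.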