Trying to figure out if it is possible to have a custom IAM role where it has Contributor to the resources but not the ability to create resources. We need a solution besides automating the IAM roles on a resource; I'd rather just give that role on the resource group and not let the developers be able to create new resources. Maybe I do it with Azure Policy, but a role would be better since it's easier to automate.
1 Answer
According to the documentation:
By default we use the "Contributor" role that is included in Azure. All subscription resources are accessible to users with the Contributor role. If you wish to limit the Controller's access permissions, you can do so by creating a custom role with the set of permissions required by the Controller.
Thanks @JohnC; according to this SO thread:
Azure supports custom RBAC roles; you can create a custom role with the Microsoft.Resources resource provider operations.
When you are creating the custom role, check that the Azure permission below is not included in that custom role, as this permission gives the user the right to create a resource group. If this permission is not included in the custom role, then that user will not be able to create a resource group, and hence no Azure resource will be deployed.
Microsoft.Resources/subscriptions/resourceGroups/write
References:
Create or update Azure custom roles using the Azure portal - Azure RBAC | Microsoft Docs

Thanks, but I'm afraid I'll have to go through ALL permissions and exclude them from */write. They also include create/update inside many of the same permissions. We'll have to figure it out, I guess. – NitOxYs Jul 06 '22 at 13:58
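As an added example (not code from the question, the answer, or Microsoft's documentation), here is a small offline simulation of how Azure RBAC evaluates a custom role's Actions and NotActions. It applies the rule to the role the answer proposes (Contributor minus Microsoft.Resources/subscriptions/resourceGroups/write) and to a variant that subtracts */write and */delete, which speaks to the comment above: one */write pattern covers every provider, because * in an Azure action string matches across /. The role dictionaries use the JSON shape accepted by az role definition create --role-definition; the Contributor-like NotActions list, the dummy subscription id and the operation list are assumptions and constructed samples, not output of az provider operation list. Two caveats the simulation makes visible: NotActions only narrows this role (it is not a deny, so another role assignment can still grant the operation), and Azure uses the same /write operation for creating and for updating a resource type, so a role cannot permit updating existing VMs while forbidding the creation of new ones; blocking resource-group creation, as the answer does, is the creation control RBAC can express at that level.

```python
"""Offline simulation of Azure RBAC custom-role evaluation.

Added example; not code from the question, the answer or Microsoft docs.
The dictionaries follow the JSON shape that
`az role definition create --role-definition <file>` accepts.
CONTRIBUTOR_LIKE copies only the shape of the built-in Contributor role
(Actions "*" minus a few NotActions); the real built-in role's NotActions
list changes over time, so treat it as illustrative.
SAMPLE_OPERATIONS is a hand-picked subset of real provider operations,
not the output of `az provider operation list`. The subscription id is a dummy.
"""
import json
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # dummy

CONTRIBUTOR_LIKE = {
    "Name": "Contributor (simplified copy)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "AssignableScopes": [SUBSCRIPTION],
}

# The answer's suggestion: Contributor minus the right to create resource groups.
NO_RG_CREATE = {
    "Name": "Contributor without resource group creation",
    "Actions": ["*"],
    "NotActions": CONTRIBUTOR_LIKE["NotActions"]
    + ["Microsoft.Resources/subscriptions/resourceGroups/write"],
    "AssignableScopes": [SUBSCRIPTION],
}

# The comment's worry was enumerating every provider's write operation.
# A single "*/write" covers all of them: "*" in an Azure action matches
# any characters, including "/". Note that "*/action" operations are not
# covered by "*/write" and need a separate review, and that the same
# "/write" operation covers both create and update of a resource type.
NO_WRITES = {
    "Name": "Read and operate only",
    "Actions": ["*"],
    "NotActions": CONTRIBUTOR_LIKE["NotActions"] + ["*/write", "*/delete"],
    "AssignableScopes": [SUBSCRIPTION],
}

SAMPLE_OPERATIONS = [  # constructed sample of real operation names
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Authorization/roleAssignments/write",
]


def matches(pattern: str, operation: str) -> bool:
    """Azure-style match: '*' matches any run of characters, '/' included.
    Comparison is case-insensitive, as in Azure RBAC."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """One role grants an operation if some Actions entry matches it and no
    NotActions entry matches it. NotActions subtracts from this role only;
    it is not a deny, so other assignments can still grant the operation."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def permitted(role: dict, operations, suffix=None) -> list:
    """Operations the role still permits, optionally only those ending in
    '/<suffix>' (e.g. 'write' to audit what can still be created/updated)."""
    return sorted(
        op for op in operations
        if is_allowed(role, op)
        and (suffix is None or op.lower().endswith("/" + suffix.lower()))
    )


def role_definition_json(role: dict) -> str:
    """The file content you would pass to `az role definition create`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for role in (CONTRIBUTOR_LIKE, NO_RG_CREATE, NO_WRITES):
        print(role["Name"])
        for op in SAMPLE_OPERATIONS:
            print(f"  {'allow' if is_allowed(role, op) else 'deny '}  {op}")
        print("  writes still permitted:", permitted(role, SAMPLE_OPERATIONS, "write"))
    print(role_definition_json(NO_RG_CREATE))
```

Running it shows that NO_RG_CREATE still permits Microsoft.Compute/virtualMachines/write and Microsoft.Resources/deployments/write, so a principal holding it at resource-group scope can still create resources inside that group; only the creation of new resource groups is removed. Pipe the real output of az provider operation list into SAMPLE_OPERATIONS to audit a real role definition the same way.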