My logic app creates new container groups within the same Resource Group. I have the Contributor RBAC role on the logic app, but I don't have any RBAC role at the Resource Group level. What RBAC role should I ask for so that I can view all Azure Container Groups that get created by the logic app in the resource group? Or do I need to define a custom role? We follow a least permission model, so I will not get the 'Reader' / 'Contributor' role on the Resource Group straight away for this.
1 Answers
Looks like the operations are not directly available in built-in RBAC permissions. You may have to create a custom role for the required operations.
- To create a custom role, check out the actions that are available to define your permissions for the container groups and create a custom role from scratch.
Create a JSON file with actions and not actions declared. See: Azure resource provider operations | Microsoft Learn
JSON:
```json
{
  "assignableScopes": [
    "/subscriptions/<this is optional : you may limit the visibility to one or more subscriptions>"
  ],
  "description": "Get all the Container groups",
  "Name": "Read",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerInstance/containerGroups/read",
        "Microsoft.ContainerInstance/containerGroupProfiles/read",
        ...
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleType": "CustomRole"
}
```
Reference: Create or update Azure custom roles using the Azure portal - Azure RBAC | Microsoft Learn

kavyaS
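
One way to apply the answer's approach with the role scoped to a single resource group rather than a subscription, plus a check that it stays read-only. This is an added example, not code from the original answer; the role name, subscription ID and resource group name are constructed placeholders, and the output uses the JSON layout accepted by `az role definition create --role-definition`.

```python
import json
import re

# Resource-group scope: /subscriptions/<guid>/resourceGroups/<name>
RG_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[-\w.()]{1,90}$")

# Read operations named in the answer above.
READ_ACTIONS = [
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.ContainerInstance/containerGroupProfiles/read",
]

def build_role(name, subscription_id, resource_group, actions=READ_ACTIONS):
    """Role definition in the JSON layout `az role definition create` accepts."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read-only view of container groups in one resource group",
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }

def least_privilege_findings(role):
    """Reasons the role grants more than read access in a single resource group."""
    findings = []
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        elif not action.startswith("Microsoft.ContainerInstance/"):
            findings.append(f"action outside Container Instances: {action}")
        elif not action.endswith("/read"):
            findings.append(f"non-read action: {action}")
    if role.get("DataActions"):
        findings.append("data actions granted")
    # A missing scope list is reported the same way as an over-broad one.
    for scope in role.get("AssignableScopes") or ["<none>"]:
        if not RG_SCOPE.match(scope):
            findings.append(f"scope is not a single resource group: {scope}")
    return findings

if __name__ == "__main__":  # constructed sample values (hypothetical names)
    role = build_role("Container Group Viewer",
                      "00000000-0000-0000-0000-000000000000", "rg-example")
    print(json.dumps(role, indent=2))
    print(least_privilege_findings(role) or "no findings")
```

Running the findings check on a role file before it is submitted catches a wildcard action or a subscription-wide scope while the definition is still in review.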