
I am trying to create an Azure custom RBAC role. It accepts wildcards in actions/notActions, but it does not work when I try a wildcard in assignableScopes.

I need to restrict permissions for certain resource groups, but I don't know the exact names of the resource groups. However, I do know the naming convention, and I would like to be able to use a wildcard in the assignableScopes.

Example of what I would like to do but Azure does not allow:

{
    "properties": {
        "roleName": "MySampleCustomRole",
        "description": "My Sample Custom Role",
        "assignableScopes": [
            "/subscriptions/*/resourceGroups/ABCDXYZ-*"
        ],
        "permissions": [{
                "actions": [],
                "notActions": [
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/disks/beginGetAccess/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
Prodip
    It's not possible to use wildcards in roles except for the actions. You can however assign roles by Azure Policy using wildcards in resource names. Marco Laitinen wrote [a nice blog](https://cloud.solita.fi/en/using-azure-policies-to-audit-and-automate-rbac-role-assignments/) about assigning Azure Roles through policy – Roderick Bant Jan 17 '23 at 21:30
  • @RoderickBant - Thank you for the suggestion and the reference to the policy-driven alternative. Policy can be a savior, but it has to rely on the resource group naming convention or tags. It's not wise to use tags for RBAC assignments unless the integrity of the tags is maintained. It would be too risky! For comparison, we use wildcards in IAM policy and you can use wildcards on the resource definition. Azure should be on par with AWS, but it seems Azure is behind on custom RBAC capabilities! – Prodip Jan 18 '23 at 04:22

1 Answer


I agree with @Roderick Bant, it's not possible to use wildcards in assignable scopes.

I tried to reproduce the same in my environment and got the results below:

I have a few resource groups in my subscription whose names start with test.

When I tried to create a custom RBAC role with a wildcard (test*) in assignableScopes, using the request below, I got an error:

PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/test*/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

{
    "properties": {
        "roleName": "MySampleCustomRole",
        "description": "My Sample Custom Role",
        "assignableScopes": [
            "/subscriptions/<subID>/resourceGroups/test*"
        ],
        "permissions": [{
                "actions": [],
                "notActions": [
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/disks/beginGetAccess/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}


Use the CLI command below to get the exact names of the resource groups that follow the test naming convention:

az group list --query "[?contains(name,'test')].name"


Instead of including a wildcard in assignableScopes, the only way for now is to pass the above names one by one while creating the custom RBAC role, like below:

PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/testrg/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

{
    "properties": {
        "roleName": "MySampleCustomRole",
        "description": "My Sample Custom Role",
        "assignableScopes": [
            "/subscriptions/<subID>/resourceGroups/testrg",
            "/subscriptions/<subID>/resourceGroups/testsri",
            "/subscriptions/<subID>/resourceGroups/testdevi"
        ],
        "permissions": [{
                "actions": [],
                "notActions": [
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/disks/beginGetAccess/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}


When I checked the same in the Portal, the above custom role is available only in the test* resource groups listed in assignableScopes:

testrg
testsri
testdevi

When I checked the same in other resource groups in the same subscription, the custom role is not available.

Reference:

Azure custom role definition with special AssignableScopes - Stack Overflow by Joy Wang

Sridevi
  • @Sridevi - I love the way you respond; examples are validated in an environment. Thank you for the suggestion. Unfortunately, I can't use the list of resource group names because new groups are added in my environment. I was planning on granting the permissions at the management group but denying the same at the resource group level. Without the wildcard, the RBAC role would be high maintenance. Hope Microsoft is listening to customers; they should add support for wildcards in assignableScopes. – Prodip Jan 19 '23 at 05:06
  • You can share your idea by posting in this [forum](https://feedback.azure.com/d365community/) to add support for wildcard in assignableScopes – Sridevi Jan 19 '23 at 05:12
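Added example (not code from the question or the answer above): since assignableScopes must list each resource group explicitly, the practical substitute for a wildcard is to regenerate the list from `az group list` on a schedule and re-PUT the role definition. The script below does that offline against a constructed sample of `az group list -o json` output (the answer's testrg/testsri/testdevi plus two groups that must not match), filters by name prefix rather than the `contains` used in the answer's query, refuses any scope containing `*` (the rejection the answer reproduces) while still allowing `*` in actions/notActions, computes which scopes were added or dropped since the last run so the role is only rewritten when groups actually changed, and emits both the REST body shape used in the answer and the flattened layout `az role definition update --role-definition @file.json` expects. The subscription ID and the group names are assumptions for the example. One caveat for the plan in the last comment: notActions only subtracts from the same role's actions; it is not a deny and does not override permissions granted by another assignment at the management group. Azure deny assignments are a separate mechanism.

```python
"""Regenerate a custom role's assignableScopes from a resource-group naming
convention. Added example for this thread, not the question's or answer's code."""
import json
import re

# Constructed sample of `az group list -o json` (only the fields used here).
# Subscription ID and names are assumptions for the example.
AZ_GROUP_LIST = json.loads("""
[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/testrg",   "name": "testrg"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/testsri",  "name": "testsri"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/testdevi", "name": "testdevi"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prodrg",   "name": "prodrg"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/mytestx",  "name": "mytestx"}
]
""")

# notActions from the role definition in the thread.
NOT_ACTIONS = [
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/snapshots/endGetAccess/action",
    "Microsoft.Compute/disks/beginGetAccess/action",
]

# Scope forms a custom role can be assigned at: subscription, resource group,
# management group. Local sanity check only; Azure's validation is authoritative.
_SCOPE_RE = re.compile(
    r"^(/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?"
    r"|/providers/Microsoft\.Management/managementGroups/[^/]+)$"
)


def matching_scopes(groups, prefix):
    """Resource-group IDs whose name *starts with* prefix. The answer's
    contains(name,'test') would also pick up e.g. 'mytestx'."""
    return sorted(g["id"] for g in groups if g["name"].startswith(prefix))


def scope_problem(scope):
    """Reason a scope would be rejected, or None if it looks assignable."""
    if "*" in scope:
        return "wildcards are not accepted in assignableScopes"
    if not _SCOPE_RE.match(scope):
        return "not a subscription, resource group or management group scope"
    return None


def build_role(name, description, scopes, not_actions, actions=()):
    """Role definition in the REST body shape used in the answer's PUT.
    Wildcards are fine in actions/notActions; only the scopes are checked."""
    bad = [(s, scope_problem(s)) for s in scopes if scope_problem(s)]
    if bad:
        raise ValueError(f"unassignable scopes: {bad}")
    return {"properties": {
        "roleName": name,
        "description": description,
        "assignableScopes": list(scopes),
        "permissions": [{"actions": list(actions), "notActions": list(not_actions),
                         "dataActions": [], "notDataActions": []}],
    }}


def as_cli_file(role):
    """Flattened layout that `az role definition create/update --role-definition
    @file.json` documents (PascalCase keys, no 'properties' wrapper)."""
    p, perm = role["properties"], role["properties"]["permissions"][0]
    return {"Name": p["roleName"], "IsCustom": True, "Description": p["description"],
            "Actions": perm["actions"], "NotActions": perm["notActions"],
            "DataActions": perm["dataActions"], "NotDataActions": perm["notDataActions"],
            "AssignableScopes": p["assignableScopes"]}


def scope_drift(existing_scopes, current_scopes):
    """Groups created under the convention since the last write (add) and
    groups deleted (remove). Both empty means no PUT is needed this run."""
    existing, current = set(existing_scopes), set(current_scopes)
    return {"add": sorted(current - existing), "remove": sorted(existing - current)}


if __name__ == "__main__":
    scopes = matching_scopes(AZ_GROUP_LIST, "test")
    role = build_role("MySampleCustomRole", "My Sample Custom Role", scopes, NOT_ACTIONS)
    # Pretend the role was last written before testdevi existed.
    previous = [s for s in scopes if not s.endswith("/testdevi")]
    print(json.dumps(scope_drift(previous, scopes), indent=2))
    print(json.dumps(as_cli_file(role), indent=2))  # -> az role definition update --role-definition @role.json
```

Run it on a cron or pipeline step: list groups, compute the drift against the role's current assignableScopes (`az role definition list --custom-role-only true` gives them), and only PUT when the drift is non-empty. Because scope_problem rejects `*` before anything is sent, a naming-convention pattern that slips into the config fails locally instead of at the API.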