Is it possible to use RBAC to allow read only access to an App Service's Application Settings?

Question

I would like provide read only access to an the Application Settings of an app service. Specifically by Application Settings of an App Service, I'm referring to the 4 tabs that appear when you open an App Service in the portal and select Configuration > Application settings from the menu:

[![enter image description here][1]][1]

My understanding is the built in reader role does not give access to these, while the built in contributor role does give write access to these. The built in contributor role seems to heavy handed of an approach.

I would have expected it to be something like:

{
    "id": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxx",
    "properties": {
        "roleName": "Example Custom Reader",
        "description": "Build in Azure Reader role+ ability to read app service config",
        "assignableScopes": [
            "/subscriptions/bcd6dbed-c3ec-4951-bdbe-9aa6550a54dc"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.Web/sites/config/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}```

  [1]: https://i.stack.imgur.com/3LmBR.png

Anthony Norwood · Answer 1 · 2023-02-10T11:58:41.330

1

I believe you're looking for microsoft.web/sites/config/web/appsettings/read for a single Web App, and microsoft.web/sites/config/appsettings/read for all Web Apps

edited Feb 10 '23 at 11:58

answered Feb 10 '23 at 11:48

Anthony Norwood

357
1
7

Is it possible to use RBAC to allow read only access to an App Service's Application Settings?

1 Answers1