0

How does one go about translating an Azure permissions error message into the actual permissions needed to solve the problem?

I'm getting an error message when trying to run a WebJob:

The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/sites/[redacted]/config/publishingcredentials'

Based on this information, how do I determine which role to add, and where?

Note: I do NOT want to grant Contributor access to my registered application. I see that such advice is provided in this answer, but I consider that to be a sloppy approach to security; I prefer the 'least privilege' rule in these matters.

My question is about how to translate the information from the error message (e.g. "Microsoft.Web/sites/config/list/action") into the actual IAM permissions I must grant to my application.

Basically I'm looking for something like this, but for Azure instead of AWS.

InteXX
  • 6,135
  • 6
  • 43
  • 80

1 Answers1

1

You can copy Microsoft.Web/sites/config/list/action from error message and search if any built-in RBAC role exists with that permission.

There is one built-in RBAC role named Website Contributor having Microsoft.Web/sites/* permission that manages websites.

As you prefer least privileges, you can assign Website Contributor role to the registered application under your App service or Resource group based on scope from error like below:

enter image description here

Alternatively, you can also create one custom RBAC role with Microsoft.Web/sites/config/list/action permission under your subscription like below:

enter image description here

You can leverage existing built-in role by cloning it like this:

enter image description here

In Permissions tab, you can either add or remove permissions based on your requirement like below:

enter image description here

In Assignable scopes tab, select scope that can be either resource group or subscription in which your App Service exists like this:

enter image description here

After creating the above custom role, you can assign it to the registered application under your App service or Resource group like below:

enter image description here

Reference: Azure custom roles - Azure RBAC | Microsoft

Sridevi
  • 10,599
  • 1
  • 4
  • 17
  • Thank you, that got me past the first set of gates. But now I've hit the [next snag](https://stackoverflow.com/q/76651172) in line. What do you suggest? What is meant by that `providers/Microsoft.Web/serverfarms/basic` reference? – InteXX Jul 10 '23 at 06:33
  • Website Contributor manages **only** websites not web plans. The `providers/Microsoft.Web/serverfarms/basic` permission is related to **Web plans** that won't work with Website Contributor role. To resolve the error, try assigning **Web Plan Contributor** role also to the registered application under your `Resource group` – Sridevi Jul 10 '23 at 08:07