Identify minimal set of Azure permissions required to deploy #57
Assignees
Labels
💡 feature request
New feature or request
Comments
|
Assuming that deployment is done in a resource group named either {
"id": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/<ROLE_DEFINITION_ID>",
"properties": {
"roleName": "MultiJuicerDev",
"description": "Role with minimal permission set required for working with the bouvet/nord-juice-shop solution (CTF deployment)",
"assignableScopes": [
"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/MultiJuicerTest",
"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/MultiJuicer"
],
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourcegroups/resources/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/delete",
"Microsoft.ContainerService/managedClusters/start/action",
"Microsoft.ContainerService/managedClusters/stop/action",
"Microsoft.ContainerService/managedClusters/abort/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/write",
"Microsoft.KeyVault/vaults/secrets/write",
"Microsoft.KeyVault/vaults/secrets/read",
"Microsoft.KeyVault/locations/deletedVaults/read",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/vaults/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/update/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/setSecret/action"
],
"notDataActions": []
}
]
}
} |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe Problem
We currently expect the user to have full access to the Azure subscription in question (i.e. Owner), as we have not outlined the required permission set for deployment.
We should identify and document all required permissions, in order to ensure that we use Azure IAM role grants with the permissions that are strictly required.
Suggest Solution
Additional Details
The text was updated successfully, but these errors were encountered: