Wilfried Woivré

Cloud Solution Architect - MVP Microsoft Azure

Azure RBAC - Extracting all the permissions of a role

Categories: Azure


One of the most important things in the cloud (with every provider) is managing the authentication and authorization of the people who access our assets. And of course the best practice is least privilege: grant only the permissions that are necessary and sufficient to carry out the required operations.

Azure is no exception, and Microsoft provides a multitude of built-in roles to help you secure your infrastructure. And of course Azure does not only have the perennial "Owner", "Contributor" and "Reader" roles, but more than 200 different roles.

If I take the Key Vault Contributor role as an example, Microsoft provides this definition:

{
    "Name":  "Key Vault Contributor",
    "Id":  "f25e0fa2-a7c8-4377-a976-54943a77a395",
    "IsCustom":  false,
    "Description":  "Lets you manage key vaults, but not access to them.",
    "Actions":  [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.KeyVault/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Support/*"
                ],
    "NotActions":  [
                       "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                       "Microsoft.KeyVault/hsmPools/*",
                       "Microsoft.KeyVault/managedHsms/*"
                   ],
    "DataActions":  [

                    ],
    "NotDataActions":  [

                       ],
    "AssignableScopes":  [
                             "/"
                         ]
}

As you can see, several of the permissions end with an asterisk, i.e. a wildcard. That is convenient for Microsoft: when they ship a new Key Vault feature they do not need to update the role definition. The flip side is that everyone assigned the role silently gains every new operation that matches the wildcard, without any change visible in the role.

But from a security standpoint, you may want to block certain features for your users, and almost certainly some future ones. So you cannot use the Microsoft-provided role as is, and a simple copy-paste of its definition is not enough to create a least-privilege role, because the copy keeps the wildcards and therefore keeps growing with them.

To help, here is a small PowerShell script that creates a new Azure role with the same rights as the original role at a given point in time, but with no wildcard anywhere in the permissions:

# Start from the built-in definition and turn it into a custom role
$role = Get-AzRoleDefinition 'Key Vault Contributor'

$role.IsCustom = $true
$role.Name = "Custom $($role.Name)"
$role.Id = ''

# Actions: expand each pattern into the operations it matches today.
# Get-AzProviderOperation also returns data-plane operations (IsDataAction = $true),
# which a wildcard in Actions never grants, so keep only the control-plane ones.
$actions = @()
$role.Actions | % { Get-AzProviderOperation $_ | ? { -not $_.IsDataAction } | % { $actions += $_.Operation } }
$role.Actions.Clear()
$actions | Select -Unique | % { $role.Actions.Add($_) }

# DataActions: same expansion, data-plane operations only
$dataActions = @()
$role.DataActions | % { Get-AzProviderOperation $_ | ? { $_.IsDataAction } | % { $dataActions += $_.Operation } }
$role.DataActions.Clear()
$dataActions | Select -Unique | % { $role.DataActions.Add($_) }

# NotActions: the control-plane exclusions, expanded the same way
$notActions = @()
$role.NotActions | % { Get-AzProviderOperation $_ | ? { -not $_.IsDataAction } | % { $notActions += $_.Operation } }
$role.NotActions.Clear()
$notActions | Select -Unique | % { $role.NotActions.Add($_) }

# NotDataActions: the data-plane exclusions
$notDataActions = @()
$role.NotDataActions | % { Get-AzProviderOperation $_ | ? { $_.IsDataAction } | % { $notDataActions += $_.Operation } }
$role.NotDataActions.Clear()
$notDataActions | Select -Unique | % { $role.NotDataActions.Add($_) }

# Dump the explicit definition. Before feeding it to New-AzRoleDefinition, replace
# AssignableScopes "/" with a subscription or management group: custom roles
# cannot be assignable at the root scope.
$role | ConvertTo-Json

So here I replace every permission with its full name, all thanks to the Get-AzProviderOperation cmdlet, which expands a wildcard pattern into the provider operations that match it at the time you run it. One point to watch: the cmdlet returns data-plane operations too (IsDataAction), and a control-plane wildcard in Actions never grants those, so they must be filtered out rather than copied into Actions.
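Below is a more complete version written for this page as an added example; it is not the author's script. It keeps control-plane and data-plane operations apart by checking IsDataAction, subtracts the NotActions and NotDataActions from the expanded lists so the custom role needs no exclusions at all, replaces the root assignable scope with the current subscription, and refuses to return a definition in which a wildcard survived. The function names, the output file name and the 'Custom Key Vault Contributor' name are my choices and not part of the original.

```powershell
# Added example (not code from the original post). Assumes an authenticated Az
# session (Connect-AzAccount) with the Az.Resources module loaded.

function Expand-RoleOperation {
    # Expand wildcard patterns into the concrete operations that match them
    # today, keeping only one plane: control-plane (default) or data-plane.
    param(
        [AllowEmptyCollection()][string[]]$Pattern = @(),
        [switch]$DataPlane
    )
    foreach ($p in $Pattern) {
        Get-AzProviderOperation -OperationSearchString $p |
            Where-Object { [bool]$_.IsDataAction -eq [bool]$DataPlane } |
            Select-Object -ExpandProperty Operation
    }
}

function ConvertTo-ExplicitRole {
    param(
        [Parameter(Mandatory)][string]$SourceRoleName,
        [Parameter(Mandatory)][string]$NewRoleName,
        [Parameter(Mandatory)][string]$AssignableScope
    )
    $role = Get-AzRoleDefinition -Name $SourceRoleName
    if (-not $role) { throw "Role '$SourceRoleName' not found" }

    # Net permission per plane: everything the patterns grant minus everything
    # the Not* lists take away, computed against today's provider operations.
    $denied     = @(Expand-RoleOperation $role.NotActions)
    $actions    = @(Expand-RoleOperation $role.Actions | Where-Object { $_ -notin $denied } | Sort-Object -Unique)
    $dataDenied = @(Expand-RoleOperation $role.NotDataActions -DataPlane)
    $data       = @(Expand-RoleOperation $role.DataActions -DataPlane | Where-Object { $_ -notin $dataDenied } | Sort-Object -Unique)

    $role.IsCustom    = $true
    $role.Id          = $null
    $role.Name        = $NewRoleName
    $role.Description = "$($role.Description) Explicit snapshot of '$SourceRoleName' taken $(Get-Date -Format 'yyyy-MM-dd')."
    $role.Actions.Clear();     $actions | ForEach-Object { $role.Actions.Add($_) }
    $role.DataActions.Clear(); $data    | ForEach-Object { $role.DataActions.Add($_) }
    $role.NotActions.Clear()
    $role.NotDataActions.Clear()
    # Custom roles cannot keep the root scope "/" that built-in roles carry.
    $role.AssignableScopes.Clear(); $role.AssignableScopes.Add($AssignableScope)

    # Guard: a pattern Get-AzProviderOperation could not expand must not slip through.
    $wild = @(@($role.Actions) + @($role.DataActions) | Where-Object { $_ -like '*[*]*' })
    if ($wild) { throw "Wildcards survived expansion: $($wild -join ', ')" }
    return $role
}

# Placeholder names; the scope is the subscription of the current Az context.
$scope    = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$explicit = ConvertTo-ExplicitRole -SourceRoleName 'Key Vault Contributor' `
                                    -NewRoleName    'Custom Key Vault Contributor' `
                                    -AssignableScope $scope
$explicit | ConvertTo-Json -Depth 5 | Set-Content -Path '.\custom-key-vault-contributor.json'
"$($explicit.Actions.Count) actions, $($explicit.DataActions.Count) data actions, no wildcards"
# New-AzRoleDefinition -Role $explicit   # create it once the JSON has been reviewed
```

New-AzRoleDefinition is left commented out so the JSON can be reviewed (and diffed in source control) before anything is created; Set-AzRoleDefinition -Role pushes a later regeneration to the existing role the same way.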

And here is my new role. It is certainly very long, but there will be no surprises in the future: it grants exactly what is listed and nothing Microsoft later adds behind a wildcard. Two things must be fixed before this listing is fed to New-AzRoleDefinition. Entries such as Microsoft.KeyVault/vaults/secrets/getSecret/action or Microsoft.KeyVault/vaults/keys/decrypt/action under Actions are data-plane operations that the built-in role never granted (its description says "but not access to them"), so they must be filtered out of Actions; and AssignableScopes must point to a subscription or management group, because custom roles cannot use the root scope "/". The flip side of freezing the list is that the role has to be reviewed and updated by hand whenever a new Key Vault feature is actually needed.

{
    "Name":  "Custom Key Vault Contributor",
    "Id":  "",
    "IsCustom":  true,
    "Description":  "Lets you manage key vaults, but not access to them.",
    "Actions":  [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/locks/read",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/denyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read",
                    "Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read",
                    "Microsoft.Authorization/policyAssignments/privateLinkAssociations/read",
                    "Microsoft.Authorization/policyExemptions/read",
                    "Microsoft.Insights/AlertRules/Write",
                    "Microsoft.Insights/AlertRules/Delete",
                    "Microsoft.Insights/AlertRules/Read",
                    "Microsoft.Insights/AlertRules/Activated/Action",
                    "Microsoft.Insights/AlertRules/Resolved/Action",
                    "Microsoft.Insights/AlertRules/Throttled/Action",
                    "Microsoft.Insights/AlertRules/Incidents/Read",
                    "Microsoft.KeyVault/register/action",
                    "Microsoft.KeyVault/unregister/action",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/write",
                    "Microsoft.KeyVault/vaults/delete",
                    "Microsoft.KeyVault/vaults/deploy/action",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.KeyVault/vaults/secrets/write",
                    "Microsoft.KeyVault/vaults/secrets/delete",
                    "Microsoft.KeyVault/vaults/secrets/backup/action",
                    "Microsoft.KeyVault/vaults/secrets/purge/action",
                    "Microsoft.KeyVault/vaults/secrets/update/action",
                    "Microsoft.KeyVault/vaults/secrets/recover/action",
                    "Microsoft.KeyVault/vaults/secrets/restore/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/setSecret/action",
                    "Microsoft.KeyVault/vaults/accessPolicies/write",
                    "Microsoft.KeyVault/operations/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/deletedVaults/read",
                    "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                    "Microsoft.KeyVault/locations/operationResults/read",
                    "Microsoft.KeyVault/locations/deleteVirtualNetworkOrSubnets/action",
                    "Microsoft.KeyVault/hsmPools/read",
                    "Microsoft.KeyVault/hsmPools/write",
                    "Microsoft.KeyVault/hsmPools/delete",
                    "Microsoft.KeyVault/hsmPools/joinVault/action",
                    "Microsoft.KeyVault/vaults/eventGridFilters/read",
                    "Microsoft.KeyVault/vaults/eventGridFilters/write",
                    "Microsoft.KeyVault/vaults/eventGridFilters/delete",
                    "Microsoft.KeyVault/vaults/certificatecas/delete",
                    "Microsoft.KeyVault/vaults/certificatecas/read",
                    "Microsoft.KeyVault/vaults/certificatecas/write",
                    "Microsoft.KeyVault/vaults/certificatecontacts/write",
                    "Microsoft.KeyVault/vaults/certificates/delete",
                    "Microsoft.KeyVault/vaults/certificates/read",
                    "Microsoft.KeyVault/vaults/certificates/backup/action",
                    "Microsoft.KeyVault/vaults/certificates/purge/action",
                    "Microsoft.KeyVault/vaults/certificates/update/action",
                    "Microsoft.KeyVault/vaults/certificates/create/action",
                    "Microsoft.KeyVault/vaults/certificates/import/action",
                    "Microsoft.KeyVault/vaults/certificates/recover/action",
                    "Microsoft.KeyVault/vaults/certificates/restore/action",
                    "Microsoft.KeyVault/vaults/keys/read",
                    "Microsoft.KeyVault/vaults/keys/write",
                    "Microsoft.KeyVault/vaults/keys/update/action",
                    "Microsoft.KeyVault/vaults/keys/create/action",
                    "Microsoft.KeyVault/vaults/keys/import/action",
                    "Microsoft.KeyVault/vaults/keys/recover/action",
                    "Microsoft.KeyVault/vaults/keys/restore/action",
                    "Microsoft.KeyVault/vaults/keys/delete",
                    "Microsoft.KeyVault/vaults/keys/backup/action",
                    "Microsoft.KeyVault/vaults/keys/purge/action",
                    "Microsoft.KeyVault/vaults/keys/encrypt/action",
                    "Microsoft.KeyVault/vaults/keys/decrypt/action",
                    "Microsoft.KeyVault/vaults/keys/wrap/action",
                    "Microsoft.KeyVault/vaults/keys/unwrap/action",
                    "Microsoft.KeyVault/vaults/keys/sign/action",
                    "Microsoft.KeyVault/vaults/keys/verify/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/read",
                    "Microsoft.KeyVault/vaults/storageaccounts/set/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/delete",
                    "Microsoft.KeyVault/vaults/storageaccounts/backup/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/purge/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/regeneratekey/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/recover/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/restore/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/sas/set/action",
                    "Microsoft.KeyVault/vaults/storageaccounts/sas/delete",
                    "Microsoft.KeyVault/managedHSMs/read",
                    "Microsoft.KeyVault/managedHSMs/write",
                    "Microsoft.KeyVault/managedHSMs/delete",
                    "Microsoft.KeyVault/vaults/keys/versions/read",
                    "Microsoft.Resources/deployments/read",
                    "Microsoft.Resources/deployments/write",
                    "Microsoft.Resources/deployments/delete",
                    "Microsoft.Resources/deployments/cancel/action",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Resources/deployments/whatIf/action",
                    "Microsoft.Resources/deployments/exportTemplate/action",
                    "Microsoft.Resources/deployments/operations/read",
                    "Microsoft.Resources/deployments/operationstatuses/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Support/register/action",
                    "Microsoft.Support/checkNameAvailability/action",
                    "Microsoft.Support/supportTickets/read",
                    "Microsoft.Support/supportTickets/write",
                    "Microsoft.Support/services/read",
                    "Microsoft.Support/services/problemClassifications/read",
                    "Microsoft.Support/supportTickets/communications/read",
                    "Microsoft.Support/supportTickets/communications/write",
                    "Microsoft.Support/operationresults/read",
                    "Microsoft.Support/operationsstatus/read",
                    "Microsoft.Support/operations/read"
                ],
    "NotActions":  [
                       "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                       "Microsoft.KeyVault/hsmPools/read",
                       "Microsoft.KeyVault/hsmPools/write",
                       "Microsoft.KeyVault/hsmPools/delete",
                       "Microsoft.KeyVault/hsmPools/joinVault/action",
                       "Microsoft.KeyVault/managedHSMs/read",
                       "Microsoft.KeyVault/managedHSMs/write",
                       "Microsoft.KeyVault/managedHSMs/delete"
                   ],
    "DataActions":  [

                    ],
    "NotDataActions":  [

                       ],
    "AssignableScopes":  [
                             "/"
                         ]
}
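Freezing the permissions means nobody will notice when Microsoft adds an operation behind Microsoft.KeyVault/* unless somebody checks. The following drift check is an added example, not part of the original post: it recomputes what the built-in role grants today (wildcards expanded, NotActions subtracted, per plane) and compares that with the frozen custom role, so new operations can be reviewed and added deliberately, and operations that only survive in the frozen copy can be spotted. It assumes an authenticated Az session and that 'Custom Key Vault Contributor' exists as an explicit copy of 'Key Vault Contributor'; the function names are mine.

```powershell
# Added example (not code from the original post). Assumes an authenticated Az
# session with Az.Resources; role names are placeholders.

function Get-EffectiveOperation {
    # Concrete operations a role grants on one plane: its patterns expanded
    # against today's provider operations, minus its Not* list for that plane.
    param(
        [Parameter(Mandatory)]$Role,
        [Parameter(Mandatory)][ValidateSet('Actions', 'DataActions')][string]$Plane
    )
    $isData  = ($Plane -eq 'DataActions')
    $granted = @($Role.$Plane | ForEach-Object { Get-AzProviderOperation -OperationSearchString $_ } |
                Where-Object { [bool]$_.IsDataAction -eq $isData } |
                Select-Object -ExpandProperty Operation)
    $denied  = @($Role.("Not$Plane") | ForEach-Object { Get-AzProviderOperation -OperationSearchString $_ } |
                Where-Object { [bool]$_.IsDataAction -eq $isData } |
                Select-Object -ExpandProperty Operation)
    @($granted | Where-Object { $_ -notin $denied } | Sort-Object -Unique)
}

function Compare-RoleDrift {
    param(
        [Parameter(Mandatory)][string]$SourceRoleName,
        [Parameter(Mandatory)][string]$FrozenRoleName
    )
    $src    = Get-AzRoleDefinition -Name $SourceRoleName
    $frozen = Get-AzRoleDefinition -Name $FrozenRoleName
    if (-not $src)    { throw "Role '$SourceRoleName' not found" }
    if (-not $frozen) { throw "Role '$FrozenRoleName' not found" }

    foreach ($plane in 'Actions', 'DataActions') {
        $live = Get-EffectiveOperation -Role $src    -Plane $plane
        $old  = Get-EffectiveOperation -Role $frozen -Plane $plane
        # Operations the built-in role gained since the snapshot: exactly the
        # "surprises" the explicit role shields you from. Review, then add if wanted.
        foreach ($op in $live | Where-Object { $_ -notin $old }) {
            [pscustomobject]@{ Plane = $plane; Operation = $op; Status = 'AddedToBuiltIn' }
        }
        # Operations only the frozen copy still grants: the snapshot now gives
        # more than its source, or Microsoft retired the operation.
        foreach ($op in $old | Where-Object { $_ -notin $live }) {
            [pscustomobject]@{ Plane = $plane; Operation = $op; Status = 'OnlyInFrozenRole' }
        }
    }
}

Compare-RoleDrift -SourceRoleName 'Key Vault Contributor' -FrozenRoleName 'Custom Key Vault Contributor' |
    Sort-Object Plane, Status, Operation | Format-Table -AutoSize
```

An empty result means the frozen role still matches the built-in one; run it on a schedule (or in the pipeline that regenerates the role JSON) so the review of newly added operations is a conscious step rather than something that happens on its own.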