[OT] Assign app role in subscription

Folks, my Azure Portal pages have changed subtly sometime over recent months and I can no longer find a way of assigning a role to an app. It took hours to figure out how to do this a year ago and I wrote down instructions for myself, but they don't apply any more due to UI changes. I have created an App in the AD blade and I have its name, Id and secret. I want this app to have read access to my subscription so it can enumerate accounts, containers, etc. I go to Subscriptions > IAM > Role Assignments > + Add Role Assignment > select *Reader*. At this point I expect Select members to offer me my app for the role, but it never appears in the list on the right. That's where I've been stuck for days now. I can't give my app the Reader role to my subscription. Are there any Azure portal boffins who know how to do this? Thanks, *Greg K*

Hey Greg, In the Select Members panel on the right, it'll show users and groups in the list by default, but doesn't show applications. You may just need to search for the application service principal by name. I traced these steps in one of my subscriptions and it found the application no worries - scroll down a bit to "Assign a role to the application": https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-creat... cheers, Tony
(In reply to Greg Keogh via ozdotnet, 8/05/2023 14:50.)

> In the Select Members panel on the right, it'll show users and groups in the list by default, but doesn't show applications. You may just need to search for the application service principal by name.
This morning I sit down with a freshly booted brain, and I've fixed it. You're right! ... The list on the right does not list apps, so I started typing "S u b..." into the search box and my app with that name prefix appears, and I can give the role okay. Now I'm confused ... did I not previously start typing into the search box? I can't believe I wouldn't have tried that in recent days, but maybe during all the fumbling around I didn't ... I dunno. I assigned the role Reader to my app, but it died with a permission failure trying to ListKeys (list the storage account keys). It's not obvious which Role I should use, so I gave up and made it an Owner role and now it works (with overkill). *Greg*

(In reply to Greg Keogh via ozdotnet <ozdotnet@ozdotnet.com>, Tue, 9 May 2023 at 08:27.)
Following the principle of least privilege**, in addition to Reader you probably want to look at Reader and Data Access <https://learn.microsoft.com/en-au/azure/role-based-access-control/built-in-r...> for Storage Accounts, which provides for the following additional actions that should suit your needs:

"Microsoft.Storage/storageAccounts/listKeys/action"
"Microsoft.Storage/storageAccounts/ListAccountSas/action"
"Microsoft.Storage/storageAccounts/read"

** Note that if the application can read the storage key then, depending on your configuration in regard to allowing storage key access, the application may have full read/write access to the storage account even with read-only RBAC applied.
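The same procedure scripted with the Az PowerShell module, as an added example that is not part of the thread. It does what Greg did in the portal and what Richard suggested, in one pass: resolve the app's service principal by display name (the portal picker hides apps until you search), walk the built-in roles from least to most privileged and stop at the first whose Actions/NotActions actually grant the operation the app failed on (listKeys), assign that role alongside Reader, and finally report which storage accounts still honour shared-key authentication, which is the configuration Richard's caveat depends on. The app name, subscription id and the script name Assign-AppRole.ps1 are placeholders I made up; the role names and action strings are the real built-in ones.

```powershell
<#
Assign-AppRole.ps1 (hypothetical name). Added example, not code from the thread.
Assumes Az.Accounts, Az.Resources and Az.Storage are installed and that
Connect-AzAccount has already been run. Replace the placeholder parameters.
#>
param(
    [string]$AppDisplayName = 'SubscriptionReaderApp',                 # hypothetical app name
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000', # placeholder
    [string]$Scope          = '',                                     # defaults to the whole subscription
    [string]$RequiredAction = 'Microsoft.Storage/storageAccounts/listKeys/action'
)
$ErrorActionPreference = 'Stop'
if (-not $Scope) { $Scope = "/subscriptions/$SubscriptionId" }

# Azure RBAC control-plane rule: an operation is granted by a role if it matches
# at least one Actions pattern and no NotActions pattern. Patterns use '*' as a
# wildcard and are compared case-insensitively, which is exactly what -like does.
function Test-RoleGrantsAction {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Operation)
    $allowed = $false
    foreach ($p in $Actions)    { if ($Operation -like $p) { $allowed = $true; break } }
    if (-not $allowed) { return $false }
    foreach ($p in $NotActions) { if ($Operation -like $p) { return $false } }
    return $true
}

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Resolve the service principal by exact display name. An ambiguous name is
#    an error rather than a guess, because we are about to grant it rights.
$sp = @(Get-AzADServicePrincipal -DisplayName $AppDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# 2. Least to most privileged. Reader's Actions are '*/read', which does not
#    match '.../listKeys/action' (the failure Greg hit); Reader and Data Access
#    lists listKeys explicitly; Owner ('*') would match anything.
$candidateRoles = 'Reader', 'Reader and Data Access', 'Owner'
$chosen = $null
foreach ($name in $candidateRoles) {
    $def = Get-AzRoleDefinition -Name $name
    if (Test-RoleGrantsAction -Actions $def.Actions -NotActions $def.NotActions -Operation $RequiredAction) {
        $chosen = $def
        break
    }
}
if (-not $chosen) { throw "None of $($candidateRoles -join ', ') grants $RequiredAction." }
Write-Host "Narrowest candidate granting $RequiredAction is '$($chosen.Name)'"

# 3. Assign Reader (to enumerate resources) plus the chosen role at $Scope,
#    skipping assignments that are already in effect there.
foreach ($roleName in @('Reader', $chosen.Name) | Select-Object -Unique) {
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $Scope
    if ($existing) { Write-Host "'$roleName' already effective for $($sp.DisplayName) at $Scope"; continue }
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $Scope | Out-Null
    Write-Host "Assigned '$roleName' to $($sp.DisplayName) at $Scope"
}

# 4. Richard's caveat: a principal that can call listKeys obtains the account
#    keys, and a key is full data-plane access regardless of RBAC. List the
#    accounts that still accept shared keys (AllowSharedKeyAccess unset or true).
Get-AzStorageAccount |
    Where-Object { $_.AllowSharedKeyAccess -ne $false } |
    Select-Object StorageAccountName, ResourceGroupName, AllowSharedKeyAccess
```

Run it as `.\Assign-AppRole.ps1 -AppDisplayName 'yourapp' -SubscriptionId '<guid>'`. Passing `-Scope '/subscriptions/<guid>/resourceGroups/<rg>'` (or a single storage account's resource id) narrows the grant further than the subscription-wide assignment the thread ends up with; listKeys at subscription scope means every storage account's keys, not just the one the app needs. The matcher only looks at Actions/NotActions because listKeys is a control-plane operation; DataActions do not enter into it.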
-- ozdotnet mailing list. To manage your subscription, access archives: https://codify.mailman3.com/
participants (3)
- Greg Keogh
- Richard Carde
- Tony McGee