Role-Based Access Control with Azure AD Group Membership
Role-Based Access Control (RBAC) restricts system access to authorized users: it regulates who may perform which actions on which resources within a system or environment. Azure Active Directory (Azure AD, now Microsoft Entra ID) group membership can be combined with Azure RBAC to manage permissions efficiently: a role is assigned once to the group, and every member holds it for as long as they belong to the group. Azure RBAC is additive, so a role assignment only ever grants access; taking access away means removing the member from the group or deleting the assignment, not assigning a "deny" role.
In Azure, RBAC is applied by assigning a role to a security principal (here, the AD Group) at a scope: a management group, a subscription, a resource group, or a single resource. An assignment is inherited by everything below its scope. The role defines which actions members of the group may perform. For example, the built-in "Reader" role allows viewing resources but not modifying them, while "Contributor" allows creating and managing resources. Azure provides many built-in roles, and you can define custom roles when none of them fits; for least privilege, choose the narrowest role and the narrowest scope that does the job.
To implement RBAC with AD Group Membership, you would typically:
- Create or identify an Azure AD Group that should have access to a particular resource or set of resources.
- Assign the appropriate RBAC role to that AD Group at the narrowest scope that covers those resources. Keep in mind that anyone who can change the group's membership (its owners, and directory administrators such as Groups Administrators) can thereby hand out the role, so restrict who owns the group.
Using Pulumi, we can automate the creation of Azure resources, the creation of an AD Group (with the pulumi_azuread provider's azuread.Group resource) or the lookup of an existing one, and the assignment of RBAC roles to that group. In our Pulumi program, we would typically perform the following steps:
- Establish an Azure Resource Group to contain our resources.
- Define the Azure AD Group, or reference an existing one by its Object ID.
- Assign RBAC roles to the AD Group for the necessary resources within our Resource Group.
Here is a Pulumi program written in Python that demonstrates how to implement this:
```python
import pulumi
import pulumi_azure_native as azure_native

# Create an Azure Resource Group. Its 'id' output is the full ARM resource ID
# (/subscriptions/<subscriptionId>/resourceGroups/<name>) and doubles as the RBAC scope.
resource_group = azure_native.resources.ResourceGroup("my-resource-group")

# The Azure AD Group is created outside this program (or with the pulumi_azuread
# provider's azuread.Group resource); here we only need its Object ID.
# Replace '<Azure-AD-Group-Object-ID>' with the Object ID of your Azure AD Group.
group_object_id = "<Azure-AD-Group-Object-ID>"

# Read the subscription the stack deploys to from the provider credentials
# instead of hard-coding it.
client_config = azure_native.authorization.get_client_config()

# The built-in Contributor role; its GUID is the same in every subscription.
contributor_role_id = (
    f"/subscriptions/{client_config.subscription_id}"
    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
)

# Assign Contributor to the AD Group at resource group scope.
role_assignment = azure_native.authorization.RoleAssignment(
    "role-assignment",
    principal_id=group_object_id,
    principal_type="Group",          # avoids PrincipalNotFound on freshly created groups
    role_definition_id=contributor_role_id,
    scope=resource_group.id,         # resource group scope; pass a resource's id to narrow it
)

# Export the resource group name and role assignment ID
pulumi.export("resource_group_name", resource_group.name)
pulumi.export("role_assignment_id", role_assignment.id)
```
In the above script:
- We create an Azure Resource Group with the logical name "my-resource-group". Resource groups are the containers Azure uses to manage related resources. Pulumi auto-names resources by appending a random suffix, so the group's real Azure name is taken from the resource's outputs rather than assumed.
- We assume an existing Azure AD Group with a known Object ID. (The group can also be created in the same program with the pulumi_azuread provider's azuread.Group resource, passing its object_id output as principal_id.) You will need to replace '<Azure-AD-Group-Object-ID>' with the actual Object ID of your AD Group.
- A Role Assignment gives the specified AD Group "Contributor" permissions on the resource group. Contributor permits the group to create and manage resources but not to grant access to others (it excludes the Microsoft.Authorization write and delete actions), so members cannot escalate by assigning themselves further roles. role_definition_id names the built-in Contributor role by its GUID, b24988ac-6180-42a0-ab88-20f7382dd24c, which is identical in every subscription. Setting principal_type="Group" on the assignment tells Azure which kind of principal to expect and avoids PrincipalNotFound failures caused by directory replication lag when the group was only just created.
- The scope of the role assignment is the entire resource group, so we pass resource_group.id, the full ARM ID of the form /subscriptions/{subscriptionId}/resourceGroups/{name}. Pass a single resource's id instead to narrow the scope, or a subscription path to widen it; narrower is better.
- Finally, we export the resource group name and the role assignment ID for reference.
Please ensure you replace the placeholder <Azure-AD-Group-Object-ID> with the Object ID of your group (and any {subscriptionId} placeholder, if you hard-code the subscription rather than reading it from the provider). The Object ID is shown on the group's overview page in the Azure Portal, and the Azure CLI prints it with: az ad group show --group "<display name>" --query id -o tsv. Your subscription ID is printed by: az account show --query id -o tsv.