Enforcing role-based access control (RBAC) in Azure resources
Role-Based Access Control (RBAC) in Azure is a method of restricting system access to authorized users. It is an important security feature that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC is implemented in Azure using Azure Role Assignments, which can be applied to resources, resource groups, subscriptions, or the entire management group level.
When implementing RBAC, you assign roles to users, groups, service principals, or managed identities. Roles like Owner, Contributor, and Reader determine what actions the assignees can perform. Azure also allows you to create custom roles to handle special scenarios.
Below is a Pulumi TypeScript program that defines a resource group in Azure and assigns an RBAC role of "Reader" to a principal (user, group, service principal, managed identity). You'll need the object ID of the principal to which you want to assign the role.
```typescript
import * as azure from "@pulumi/azure";
import * as pulumi from "@pulumi/pulumi";

// Create an Azure Resource Group
const resourceGroup = new azure.core.ResourceGroup("myResourceGroup", {
    location: "West US",
});

// Assign the Reader role to a principal for the scope of the entire Resource Group
const principalId = "principal-guid-here"; // Replace with the actual principal ID
const roleAssignment = new azure.authorization.RoleAssignment("myRoleAssignment", {
    scope: resourceGroup.id,             // the resource group's ID is the assignment scope
    roleDefinitionName: "Reader",        // built-in read-only role
    principalId: principalId,
}, { dependsOn: [resourceGroup] });

// Export the Resource Group name and the Role Assignment ID
export const resourceGroupName = resourceGroup.name;
export const roleAssignmentId = roleAssignment.id;
```
Let's walk through the code:
- We import the `@pulumi/azure` and `@pulumi/pulumi` packages to interact with Azure resources and the Pulumi SDK, respectively.
- We create an Azure Resource Group named `myResourceGroup` in the "West US" region. The `ResourceGroup` class is used for this from the `@pulumi/azure/core` module.
- We assign the `Reader` role to our principal (the principal's unique identifier needs to be provided in place of `"principal-guid-here"`). For this, we use the `RoleAssignment` class from the `@pulumi/azure/authorization` module.
- We specify the scope of the role assignment to our previously created resource group by providing `resourceGroup.id`.
- The role definition name `"Reader"` is a built-in role that grants read-only access.
- We use the `dependsOn` field to ensure that the role assignment is not created until after the resource group has been fully deployed, which avoids race conditions.
- Finally, we export the resource group name and the role assignment ID, which can be useful for reference and in CI/CD environments.
Replace `"principal-guid-here"` with the actual GUID of the Azure AD principal that you want to assign the role to. This could be a User, a Group, a Service Principal, or a Managed Identity.

For more advanced scenarios and custom roles, you would similarly use Pulumi's `RoleDefinition` class to create custom role definitions. This is also where you would specify your own set of permissions if the built-in roles do not meet your requirements.

Remember that to run this Pulumi program, you must have the Azure CLI installed and configured with credentials that have sufficient permissions to create resources and assign roles in the Azure subscription you're using.
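Because a role assignment applies to its scope and everything beneath it, the effective permissions of a principal on a resource are the union of assignments made at the resource, its resource group, and its subscription. The following plain TypeScript model (an added example, not part of the original page or a Pulumi program; all principal and subscription IDs are constructed) computes those inherited roles and flags broad built-in roles assigned above resource-group scope, the kind of check a reviewer would run over exported assignments before approving a deployment like the one above.

```typescript
// Added example, not code from the original page: a plain TypeScript model of how
// Azure RBAC assignments inherit down the scope hierarchy (subscription ->
// resource group -> resource). All IDs below are constructed sample values.
export interface RoleAssignment {
  principalId: string;
  roleDefinitionName: string; // built-in name such as "Owner", "Contributor", "Reader"
  scope: string;              // Azure resource ID the role is assigned at
}

// True when `parent` is `child` itself or one of its ancestors. Comparison is
// segment-wise and case-insensitive, so "/subscriptions/abc" does not match
// "/subscriptions/abcdef". Management-group membership is not encoded in the
// resource ID, so assignments at that level are not modelled here.
export function scopeContains(parent: string, child: string): boolean {
  const p = parent.toLowerCase().split("/").filter(Boolean);
  const c = child.toLowerCase().split("/").filter(Boolean);
  return p.length <= c.length && p.every((seg, i) => seg === c[i]);
}

// Roles a principal effectively holds at `scope`, including inherited ones.
export function effectiveRoles(
  assignments: RoleAssignment[], principalId: string, scope: string,
): string[] {
  const roles = assignments
    .filter(a => a.principalId === principalId && scopeContains(a.scope, scope))
    .map(a => a.roleDefinitionName);
  return Array.from(new Set(roles)).sort();
}

// Broad built-in roles assigned above resource-group scope are a least-privilege
// finding: they apply to every resource group and resource underneath.
const PRIVILEGED = new Set(["Owner", "Contributor", "User Access Administrator"]);
export function findBroadPrivilegedAssignments(assignments: RoleAssignment[]): RoleAssignment[] {
  return assignments.filter(a =>
    PRIVILEGED.has(a.roleDefinitionName) && !/\/resourcegroups\//i.test(a.scope));
}

// Constructed sample data: the page's Reader-on-resource-group assignment plus a
// subscription-wide Contributor and a single-resource Reader.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000001";
const RG = `${SUB}/resourceGroups/myResourceGroup`;
const VM = `${RG}/providers/Microsoft.Compute/virtualMachines/vm1`;
export const SAMPLE_ASSIGNMENTS: RoleAssignment[] = [
  { principalId: "principal-a", roleDefinitionName: "Reader", scope: RG },
  { principalId: "principal-a", roleDefinitionName: "Contributor", scope: SUB },
  { principalId: "principal-b", roleDefinitionName: "Reader", scope: VM },
];
console.log(effectiveRoles(SAMPLE_ASSIGNMENTS, "principal-a", VM)); // ["Contributor","Reader"]
console.log(findBroadPrivilegedAssignments(SAMPLE_ASSIGNMENTS).map(a => a.scope)); // [SUB]
```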