Setting up RBAC on Azure VM to manage disk encryption permissions
Role-Based Access Control (RBAC) in Azure provides fine-grained access management for Azure resources. To set up RBAC for an Azure VM so that a principal can manage disk encryption without being able to read or use the keys themselves, you would typically perform the following steps:
- Create an Azure Disk Encryption Set: This resource does not store keys. It references a customer-managed key in Azure Key Vault (or Managed HSM) and carries a managed identity that Key Vault must authorize to wrap and unwrap that key; the VM's disks are then associated with the set.
- Assign a Role to a Principal (User/Group/Service Principal): You grant permissions to manage disk encryption by assigning a role to a user, group, or service principal at a scope. The role defines what actions the assigned principal can perform on the disk encryption set or the disks; the scope (the encryption set, its resource group, or the subscription) bounds where those actions apply, and the narrowest scope that works is the encryption set itself.
In Pulumi, to provision these resources and set up the role assignments, you would:
- Define a `DiskEncryptionSet` resource that references the encryption key.
- Use an `azure-native.authorization.RoleAssignment` resource to assign a role to a principal for the disk encryption set.
Below is a Pulumi program written in TypeScript which sets up RBAC for an Azure VM, with a focus on managing disk encryption permissions.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

const resourceGroupName = "myResourceGroup";
const location = "WestUS";

// Create an Azure resource group
const resourceGroup = new azure.resources.ResourceGroup("myResourceGroup", {
    resourceGroupName: resourceGroupName,
    location: location,
});

// Create a Disk Encryption Set for the VM. The set holds no key material: it points at a
// customer-managed key in Key Vault (or Managed HSM) and carries a managed identity that
// Key Vault must authorize to wrap and unwrap that key.
const encryptionSet = new azure.compute.DiskEncryptionSet("myEncryptionSet", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    encryptionType: "EncryptionAtRestWithCustomerKey", // Customer-managed key, not the platform key
    // The key is referenced by its Key Vault key URL plus the vault's ARM resource ID.
    // Replace the placeholders with your own vault and key.
    activeKey: {
        keyUrl: "https://{vault-name}.vault.azure.net/keys/{key-name}/{key-version}",
        sourceVault: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.KeyVault/vaults/{vault-name}",
        },
    },
    // System-assigned identity the set uses to call Key Vault. Key access for this identity
    // (e.g. Key Vault Crypto Service Encryption User at the vault scope) is granted separately;
    // this program does not do that.
    identity: {
        type: "SystemAssigned",
    },
});

// Built-in role for managing disk encryption without access to the keys (Disk Encryption Operator).
// Confirm the GUID resolves to the intended role before deploying:
//   az role definition list --name "Disk Encryption Operator"
const clientConfig = pulumi.output(azure.authorization.getClientConfig());
const roleDefinitionId = pulumi.interpolate`/subscriptions/${clientConfig.subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a256e2f2-41d0-4d13-9f75-4a84f6cca5a5`;

// Assign the role to a principal, scoped to the encryption set itself (least privilege).
// Use resourceGroup.id instead only if the principal must manage every resource in the group.
const roleAssignment = new azure.authorization.RoleAssignment("myRoleAssignment", {
    scope: encryptionSet.id,
    roleDefinitionId: roleDefinitionId,
    principalId: "principal-guid", // Replace with the object ID of the user, group, or service principal
    principalType: "ServicePrincipal", // Options include 'User', 'Group', 'ServicePrincipal'
});

export const encryptionSetId = encryptionSet.id;
// Object ID of the set's identity; grant it key access on the vault using this value.
export const encryptionSetPrincipalId = encryptionSet.identity.apply(i => i?.principalId);
export const roleAssignmentId = roleAssignment.id;
```
To use the code:
- Install the Pulumi CLI and set up the Azure provider.
- Replace `resourceGroupName`, `location`, `activeKey.keyUrl`, `activeKey.sourceVault.id`, and `principalId` with your specific details.
- The above code assumes the encryption key already exists in an Azure Key Vault and that the set uses a system-assigned managed identity. Key Vault must permit that identity to wrap and unwrap the key before any disk can use the set. The program does not grant this: assign the identity (exported as `encryptionSetPrincipalId`) the Key Vault Crypto Service Encryption User role at the vault scope, or, if the vault uses access policies, a policy with the `get`, `wrapKey` and `unwrapKey` key permissions.
- The `roleDefinitionId` identifies the built-in role used for disk encryption management (Disk Encryption Operator). Built-in role GUIDs are the same in every tenant, but confirm that this GUID resolves to the role you intend (`az role definition list --name "Disk Encryption Operator"`) before deploying; a valid GUID for a different role is assigned without complaint. A custom role definition with specific permissions can also be used.
- After deploying this Pulumi program, the specified principal can manage the disk encryption set without having access to the actual encryption keys, because no Key Vault data-plane role is granted to it.
Remember to replace placeholder values like subscription IDs, resource group names, vault names, key names, and principal GUIDs with actual values from your Azure subscription.
This script can be run using the Pulumi CLI by executing `pulumi up` within the directory where the script is saved (the directory should contain the `Pulumi.yaml` and possibly `Pulumi.{stack-name}.yaml` files). This will create or update the resources in Azure according to your script. Run `pulumi preview` first to inspect the role assignments and their scopes before anything is created.
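As an added example that is not part of the original program or of the Pulumi or Azure SDKs, the following self-contained TypeScript runs offline and reviews the inputs and role assignments a program like the one above produces: it checks that `keyUrl` is a Key Vault key URL rather than an ARM resource ID, that principal IDs are object-ID GUIDs, that operator assignments are not scoped wider than the encryption set, that no assignment uses Owner, Contributor or Key Vault Crypto Officer, and that the set's own identity holds Key Vault Crypto Service Encryption User on the vault. The subscription, resource group, vault, principal IDs and the two sample deployments are constructed for the example; the built-in role GUIDs are Azure's, but verify them in your tenant before relying on them.

```typescript
// Added example: offline least-privilege review of the role assignments and inputs a
// program like the one above would create. Not part of the Pulumi or Azure SDKs.
// The resource IDs, principal IDs and assignments below are constructed; the role GUIDs
// are Azure built-in roles, but confirm them in your tenant before relying on them.

type PrincipalType = "User" | "Group" | "ServicePrincipal";

interface RoleAssignment {
  scope: string;            // ARM resource ID the role applies to
  roleDefinitionId: string; // .../providers/Microsoft.Authorization/roleDefinitions/<guid>
  principalId: string;      // object ID of the principal
  principalType: PrincipalType;
}

interface ReviewInput {
  encryptionSetId: string;
  encryptionSetPrincipalId: string; // system-assigned identity of the encryption set
  vaultId: string;
  keyUrl: string;
  assignments: RoleAssignment[];
}

// Built-in role GUIDs used by the checks.
const ROLE = {
  owner: "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  contributor: "b24988ac-6180-42a0-ab88-20f7382dd24c",
  cryptoOfficer: "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  cryptoServiceEncryptionUser: "e147488a-f6f5-4113-8e2d-b22465e65bf6",
};
const OVERBROAD = new Set([ROLE.owner, ROLE.contributor, ROLE.cryptoOfficer]);
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// A DiskEncryptionSet's activeKey.keyUrl must be a Key Vault or Managed HSM key URL
// (https://<vault>.vault.<suffix>/keys/<name>/<32-hex version>); an ARM resource ID
// (/subscriptions/...) is a common mistake and is rejected here.
function parseKeyUrl(url: string): { vault: string; keyName: string; version: string } | null {
  const m = /^https:\/\/([a-z0-9-]+)\.(?:vault|managedhsm)\.[a-z0-9.-]+\/keys\/([A-Za-z0-9-]+)\/([0-9a-f]{32})$/i.exec(url);
  return m ? { vault: m[1], keyName: m[2], version: m[3] } : null;
}

function roleGuid(roleDefinitionId: string): string {
  return roleDefinitionId.split("/").pop()!.toLowerCase();
}

// True when `inner` is `outer` itself or sits below it in the ARM scope hierarchy.
function scopeContains(outer: string, inner: string): boolean {
  const o = outer.toLowerCase().replace(/\/+$/, "");
  const i = inner.toLowerCase().replace(/\/+$/, "");
  return i === o || i.startsWith(o + "/");
}

function review(input: ReviewInput): string[] {
  const findings: string[] = [];
  if (!parseKeyUrl(input.keyUrl)) findings.push(`keyUrl is not a Key Vault key URL: ${input.keyUrl}`);
  let setIdentityCanUseKey = false;
  for (const a of input.assignments) {
    const guid = roleGuid(a.roleDefinitionId);
    if (!GUID_RE.test(a.principalId)) findings.push(`principalId is not an object ID: ${a.principalId}`);
    if (a.principalId === input.encryptionSetPrincipalId) {
      // The set's own identity needs the key-usage role on the vault (or a scope above it).
      if (guid === ROLE.cryptoServiceEncryptionUser && scopeContains(a.scope, input.vaultId)) setIdentityCanUseKey = true;
      continue;
    }
    // Operators of the set should be scoped to the set, not to the group or subscription above it.
    if (scopeContains(a.scope, input.encryptionSetId) && a.scope.toLowerCase() !== input.encryptionSetId.toLowerCase())
      findings.push(`assignment for ${a.principalId} at ${a.scope} is wider than the encryption set`);
    // Owner, Contributor and Crypto Officer grant far more than encryption management.
    if (OVERBROAD.has(guid)) findings.push(`assignment for ${a.principalId} uses an over-broad role ${guid}`);
  }
  if (!setIdentityCanUseKey) findings.push("encryption set identity lacks Key Vault Crypto Service Encryption User on the vault");
  return findings;
}

// Constructed samples: a resource-group-scoped operator assignment with no key access for the
// set's identity, and the corrected version of the same deployment.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000001";
const RG = `${SUB}/resourceGroups/myResourceGroup`;
const OPERATOR_ROLE = `${SUB}/providers/Microsoft.Authorization/roleDefinitions/a256e2f2-41d0-4d13-9f75-4a84f6cca5a5`;
const base: Omit<ReviewInput, "assignments"> = {
  encryptionSetId: `${RG}/providers/Microsoft.Compute/diskEncryptionSets/myEncryptionSet`,
  encryptionSetPrincipalId: "11111111-1111-1111-1111-111111111111",
  vaultId: `${RG}/providers/Microsoft.KeyVault/vaults/myVault`,
  keyUrl: "https://myvault.vault.azure.net/keys/disk-cmk/0123456789abcdef0123456789abcdef",
};
const operator = "22222222-2222-2222-2222-222222222222";

function weakDeployment(): ReviewInput {
  return { ...base, assignments: [
    { scope: RG, roleDefinitionId: OPERATOR_ROLE, principalId: operator, principalType: "ServicePrincipal" },
  ] };
}

function hardenedDeployment(): ReviewInput {
  return { ...base, assignments: [
    { scope: base.encryptionSetId, roleDefinitionId: OPERATOR_ROLE, principalId: operator, principalType: "ServicePrincipal" },
    { scope: base.vaultId, roleDefinitionId: `${SUB}/providers/Microsoft.Authorization/roleDefinitions/${ROLE.cryptoServiceEncryptionUser}`,
      principalId: base.encryptionSetPrincipalId, principalType: "ServicePrincipal" },
  ] };
}

console.log(review(weakDeployment()));     // two findings: scope too wide, set identity has no key access
console.log(review(hardenedDeployment())); // []
```

The same checks fit naturally into a Pulumi CrossGuard policy pack, where `review` would run over each `azure-native:authorization:RoleAssignment` during `pulumi preview`; the version above keeps them as plain functions so they can be unit-tested without a Pulumi engine or Azure credentials.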