Azure Authorization Assignment

This page shows how to write Terraform and Azure Resource Manager for Authorization Assignment and write them securely.

azurerm_role_assignment (Terraform)

The Assignment in Authorization can be configured in Terraform with the resource name azurerm_role_assignment. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
aks-pod-identity-assignment.tf#L11
resource "azurerm_role_assignment" "kubelet_noderg_miop" {
  for_each = var.aks_clusters

  scope                = data.azurerm_resource_group.noderg[each.key].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id
identity.tf#L27
resource "azurerm_role_assignment" "pod-identity-assignment" {
  scope                = azurerm_resource_group.resourceGroup.id
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.pod-identity.principal_id
}

podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
podidentity-assignment.tf#L1
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  for_each = module.caf.aks_clusters

  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Assigns a given Principal (User or Group) to a given Role.

Tips: Best Practices for The Other Azure Authorization Resources

In addition to the azurerm_role_definition, Azure Authorization has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_role_definition

Ensure to grant targeted permissions for roles

It is better to avoid giving too many permissions to a role. By following the principle of least privilege, you can reduce the risk of credential leakage.

Review your Azure Authorization settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Authorization/roleAssignments (Azure Resource Manager)

The roleAssignments in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/roleAssignments. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

AccessControlTest.test_find_assignments_by_resources.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_role.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
roles.json#L15
    "type": "Microsoft.Authorization/roleAssignments"
  },
  {
    "canDelegate": null,
    "condition": null,
    "conditionVersion": null,
AccessControlTest.test_find_assignments_by_resources.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_resources.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_resources.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_role.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_resources.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_role.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
AccessControlTest.test_find_assignments_by_role.json#L51
                                "type": "Microsoft.Authorization/roleAssignments",
                                "name": "af976bc5-0274-4870-8442-94daae0d29a1"
                            },
                            {
                                "properties": {
                                    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • properties required
      • roleDefinitionId optional - string

        The role definition ID used in the role assignment.

      • principalId optional - string

        The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.

Frequently asked questions

What is Azure Authorization Assignment?

Azure Authorization Assignment is a resource for Authorization of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Authorization Assignment?

For Terraform, the SamPoddar/caf-terraform-landingzones-starter, Elgeario/Starter and joshfranzen/caf-terraform-landingzones-starter source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the LRuttenCN/cloud-custodian, LRuttenCN/cloud-custodian and juggernauthk108/pastebin source code examples are useful. See the Azure Resource Manager Example section for further details.