Reputation: 53
Azure deployment slots RBAC
I need to give different level of access to different users (or groups) on an Azure WebApp and its deployment slots.
If I give a user access to only a deployment slot, he cannot see it on the Azure Management Portal.
If I give a user access as "Reader" to the entire web app, he can change application settings (it was not supposed to happen)
If I give a user access as "Reader" to the entire web app and as "Owner" to a particular slot, he can change application settings and he can swap the LIVE app (both they were not supposed to happen)
Someone can explain to me how to give "Owner" permission only to a deployment slot and not to the whole application? Thanks!
Upvotes: 2
Views: 2446
Answers (1)
Reputation: 43193
I'll tackle the 3 questions below
If I give a user access to only a deployment slot, he cannot see it on the Azure Management Portal
It's a portal bug (it will get fixed). Luckily, there is a workaround which is not too painful:
- While logged on as the owner, go to the slot in the portal. The URL will look like this:
https://portal.azure.com/#resource/subscriptions/{sub}/resourceGroups/{ResourceGroup}/providers/Microsoft.Web/sites/{AppName}/slots/{SlotName}
- Copy the URL and send it to your user
- They'll then be able to go straight to the slot, even though they can't access the Web App. They'll even be able to 'pin' it to their dashboard, so they can easily find it next time without having to go back to the link.
If I give a user access as "Reader" to the entire web app, he can change application settings
It just looks that way due to another Portal bug, but they really can't. e.g.
- they won't be able to see any of the current settings
- if they change something, it says the Save is successful, but in fact nothing happens
The Portal team is aware of it and will address it. But security wise, it is harmless.
If I give a user access as "Reader" to the entire web app and as "Owner" to a particular slot, he can swap the LIVE app
That sounds like a bug and I will report it. Good catch!
The good news is that if you don't give them Reader access to the Web App, they won't be able to do this. So just use the technique I described in the first question, and everything should work fine for your scenario
Upvotes: 3
Related Questions
- Deployment slot has empty contents for Azure App Service
- Azure Functions Deployment Slots best practice - App Plan also swaps on slots swap
- Azure WebJobs and Deployment Slots
- Deployment slots in Azure FunctionApp
- 503/417 errors on Azure webapp deployment
- How do deployment slot settings work on an Azure App Service?
- Azure Deployment Slots with multiple websites hosted under one App Service plan
- How to fix Azure Deployment slots issue for App Service?
- Azure deployment slots and database migrations
- Azure web app - Additional deployment slots affect production slot?