Reputation: 3190
I want to use a service principal to deploy a single ARM template to our Azure account.
I cannot find documentation for how to grant the least possible privilege, but it appears the only way to make this work is to grant contributor on the subscription.
Is there a way to limit the role on my service principal to only deploy ARM Templates or at the very least limit it to a single resource group?
Upvotes: 1
Views: 746
Reputation: 766
The open source az-mpf utility (Azure deployments Minimum Permissions Finder, for ARM, Bicep and Terraform) finds the minimum permissions required by a service principal to deploy a given ARM template, Bicep or Terraform module. One approach would be to get the details from this utility, and then decide whether you need to assign permissions using a built-in role like Contributor at a resource group level or at a resource level, a custom role, or a combination of roles.
The permissions for a complex ARM template can look like https://github.com/maniSbindra/az-mpf#complex-arm-template-sample
Upvotes: 0
Reputation: 72171
Actually, for each template you can figure out the minimum possible permissions by looking at the template: they would be resourcetype + /write, plus the permission to create deployments, Microsoft.Resources/deployments/write.

But it's really easier to just give a person Contributor over the resource group. If you are concerned about security you can use Privileged Identity Management in Azure AD.
Upvotes: 3
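The heuristic in the answer above (one `<resourceType>/write` action per resource in the template, plus `Microsoft.Resources/deployments/write`) is mechanical enough to script. The following is an added example, not code from the question or any of the answers: it walks a constructed sample ARM template, including nested child resources, derives that action list, and emits an Azure custom role definition whose `AssignableScopes` is a single resource group, which is the least-privilege shape the question asks for. The template contents, subscription id, resource group name and role name are all made-up placeholders. Treat the generated role as a starting point and confirm it with a trial deployment (or with az-mpf from the other answer), since a template that does more than create resources can need actions beyond these writes.

```python
"""Derive a resource-group-scoped custom role for deploying one ARM template.

Added example (not from the original question or answers). It applies the
answer's heuristic: "<resourceType>/write" for every resource in the template
plus Microsoft.Resources/deployments/write. All identifiers below are
constructed sample values.
"""
import json
from typing import Dict, Iterable, List, Set

DEPLOYMENT_ACTION = "Microsoft.Resources/deployments/write"

# Constructed sample template: a storage account with a nested blob service
# (relative child type), a VM with an extension (fully qualified child type),
# and a second storage account so the duplicate type is deduplicated.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "stexample001",
            "resources": [
                {"type": "blobServices", "apiVersion": "2022-09-01", "name": "default"}
            ],
        },
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2023-03-01",
            "name": "vm-example",
            "resources": [
                {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "apiVersion": "2023-03-01",
                    "name": "vm-example/AADLogin",
                }
            ],
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "stexample002",
        },
    ],
}


def _walk(resources: Iterable[dict], parent_type: str = "") -> Iterable[str]:
    """Yield the fully qualified type of every resource, descending into nested ones."""
    for res in resources:
        rtype = res["type"]
        # A nested child may use a relative type such as "blobServices". Resource
        # provider namespaces always contain a dot (Microsoft.Storage), which is
        # how we tell a relative type from a fully qualified one.
        if parent_type and "." not in rtype.split("/")[0]:
            rtype = f"{parent_type}/{rtype}"
        yield rtype
        yield from _walk(res.get("resources", []), rtype)


def required_actions(template: dict) -> List[str]:
    """Minimum control-plane actions to deploy the template, per the answer's heuristic."""
    actions: Set[str] = {f"{t}/write" for t in _walk(template.get("resources", []))}
    actions.add(DEPLOYMENT_ACTION)
    return sorted(actions)


def custom_role(template: dict, subscription_id: str, resource_group: str, name: str) -> Dict:
    """Build an Azure custom role definition assignable only inside one resource group."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Deploy-only role generated from an ARM template for {resource_group}",
        "Actions": required_actions(template),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


if __name__ == "__main__":
    # Constructed identifiers; replace with your own subscription and resource group.
    role = custom_role(
        SAMPLE_TEMPLATE,
        "00000000-0000-0000-0000-000000000000",
        "rg-example",
        "ARM Template Deployer (rg-example)",
    )
    print(json.dumps(role, indent=2))
```

Save the printed JSON as `role.json`, create the role with `az role definition create --role-definition role.json`, and then assign it to the service principal at the same resource-group scope with `az role assignment create --assignee <appId> --role "<role name>" --scope /subscriptions/<subscriptionId>/resourceGroups/<rg>`. Because `AssignableScopes` names only that resource group, the role cannot be granted at subscription level by mistake.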
Reputation: 828
In the Access control (IAM) section under a resource group you can make the service principal you created 'Contributor'. This will make sure that that user can only deploy resources within that resource group. This way the account doesn't need any permissions at the subscription level.
When you go to the Access control section, click Add and select "Add role assignment".
In the panel that shows, you can select the role "Contributor" and look up the service principal you created. Then click 'Save' to finish and you should be good to go.
I tend to make service connections (with separate service principals) in DevOps per environment. This makes it clear what resources you can touch and prevents people from accidentally deploying to incorrect locations from a pipeline because they typed in the wrong resource group name.
Upvotes: 0