Everton Oliveira

Reputation: 950

Deny permissions to execute PowerShell Get-AzAutomationCertificate

I am trying to create a custom reader role on Azure that does not allow the user to run the PowerShell command Get-AzAutomationCertificate. I have gone through the options and removed quite a few permissions related to reading certificates from the automation service provider. However, it appears it is still not enough.

These are the deny options present in the custom role:

"notActions": [
  "Microsoft.Automation/automationAccounts/listKeys/action",
  "Microsoft.Automation/automationAccounts/certificates/read",
  "Microsoft.Automation/automationAccounts/certificates/getCount/action",
  "Microsoft.Automation/automationAccounts/jobs/read",
  "Microsoft.Automation/automationAccounts/jobs/runbookContent/action",
  "Microsoft.Automation/automationAccounts/credentials/read",
  "Microsoft.Automation/automationAccounts/runbooks/content/read",
  "Microsoft.Automation/automationAccounts/runbooks/read",
  "Microsoft.Automation/automationAccounts/python2Packages/read",
  "Microsoft.Automation/automationAccounts/python3Packages/read",
  "Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/read",
  "Microsoft.Automation/automationAccounts/connections/read",
  "Microsoft.Automation/automationAccounts/connectionTypes/read"
]


More details about the command: https://github.com/Azure/azure-powershell/blob/master/src/Automation/Automation/help/Get-AzAutomationCertificate.md

Any ideas on how to achieve this?

Thank you

Upvotes: 0

Views: 153

Answers (1)

Allen Wu

Reputation: 16438

Firstly, I would like to clarify that the NotActions permission specifies the management operations that are excluded from the allowed Actions. See reference here.

So if the Action is not included in Actions, it's unnecessary to put it into NotActions in order to make it lose effectiveness. In this case, the user will not have the permission to do the action.

The action "Microsoft.Automation/automationAccounts/certificates/read" is what you want to make the PowerShell command Get-AzAutomationCertificate effective. Please note that it allows Get-AzAutomationCertificate to be executed but won't return results.

Here is my example:

{
  "Name": "Custom Role 2",
  "Id": null,
  "IsCustom": true,
  "Description": "Don't allow for Get-AzAutomationCertificate",
  "Actions": [
    "Microsoft.Automation/automationAccounts/certificates/read",
    "Microsoft.Automation/automationAccounts/read"
  ],
  "NotActions": [
    "Microsoft.Automation/automationAccounts/certificates/read"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription id}"
  ]
}

Please pay attention to the note in the above link:

If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

After you update the custom role and assign it to the user, you should reopen a PowerShell window and re-login with the user. Then it will work for you.

Upvotes: 1
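The point both the question and the answer turn on is how Azure evaluates a role definition: an operation is granted by a role when it matches an `Actions` entry and no `NotActions` entry, and a user's effective permissions are the union over every role assigned to them, so `NotActions` never denies anything a second assignment grants. The following is an added example, not code from the Stack Overflow post or from Azure, that models exactly that evaluation offline. The role definitions are constructed for illustration: `CUSTOM_ROLE_2` copies the answer's JSON, `CUSTOM_READER_FROM_QUESTION` assumes the questioner's role granted `*/read` before the listed exclusions (the question does not show its `Actions`), and `READER` is modeled on the built-in Reader role, whose `Actions` is `*/read`.

```python
"""
Added example: evaluate Azure RBAC role-definition semantics locally.

Model (per the Azure docs note quoted in the answer):
  * a role grants an operation if some Actions pattern matches it AND
    no NotActions pattern matches it;
  * a principal's effective permissions are the UNION of all assigned roles,
    so NotActions is an exclusion from that one role, not a deny rule.
Only '*' is used as a wildcard in Azure operation patterns; '*' matches
across '/' segments, which fnmatch's '*' also does.
"""
from fnmatch import fnmatchcase

# Constructed role definitions (Actions/NotActions only; scope is ignored here).
CUSTOM_ROLE_2 = {  # copied from the answer above
    "Name": "Custom Role 2",
    "Actions": [
        "Microsoft.Automation/automationAccounts/certificates/read",
        "Microsoft.Automation/automationAccounts/read",
    ],
    "NotActions": [
        "Microsoft.Automation/automationAccounts/certificates/read",
    ],
}

CUSTOM_READER_FROM_QUESTION = {  # ASSUMPTION: the questioner's role started from */read
    "Name": "Custom Reader (assumed)",
    "Actions": ["*/read"],
    "NotActions": [
        "Microsoft.Automation/automationAccounts/listKeys/action",
        "Microsoft.Automation/automationAccounts/certificates/read",
        "Microsoft.Automation/automationAccounts/certificates/getCount/action",
        "Microsoft.Automation/automationAccounts/credentials/read",
    ],
}

READER = {  # modeled on the built-in Reader role: Actions = */read
    "Name": "Reader",
    "Actions": ["*/read"],
    "NotActions": [],
}

CERT_READ = "Microsoft.Automation/automationAccounts/certificates/read"
ACCOUNT_READ = "Microsoft.Automation/automationAccounts/read"


def _matches(pattern: str, operation: str) -> bool:
    """Case-insensitive match of an operation against an Actions/NotActions pattern."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: dict, operation: str) -> bool:
    """True if this single role definition grants `operation`."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def granting_roles(assigned_roles, operation: str) -> list:
    """Names of the assigned roles that grant `operation` (union semantics)."""
    return [r["Name"] for r in assigned_roles if role_allows(r, operation)]


def user_allows(assigned_roles, operation: str) -> bool:
    """True if ANY assigned role grants the operation; NotActions in one role
    cannot block a grant coming from another."""
    return bool(granting_roles(assigned_roles, operation))


if __name__ == "__main__":
    print("Custom Role 2 alone, certificates/read:", role_allows(CUSTOM_ROLE_2, CERT_READ))
    print("Custom Role 2 alone, automationAccounts/read:", role_allows(CUSTOM_ROLE_2, ACCOUNT_READ))
    print("Assumed custom reader, certificates/read:", user_allows([CUSTOM_READER_FROM_QUESTION], CERT_READ))
    print("Custom Role 2 + Reader, certificates/read:", user_allows([CUSTOM_ROLE_2, READER], CERT_READ),
          "granted by", granting_roles([CUSTOM_ROLE_2, READER], CERT_READ))
```

The last line is the case the answer warns about: the custom role by itself withholds `certificates/read`, but as soon as the same user also holds Reader (or any other role matching `*/read`), the union re-grants it and `Get-AzAutomationCertificate` returns results again. When checking a user in a real tenant, list every role assignment that applies at the automation account's scope (including inherited subscription and management-group assignments), not just the custom one.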
