Manage Access to Azure With Role-Based Access Control
Introduction
In this Lab Step, you will open the New-CustomRole.ps1 PowerShell script that contains the commands needed for this Lab. You will open the script using the PowerShell Integrated Scripting Environment (ISE) editor.
Instructions
1. Open a PowerShell terminal in your RDP session by clicking the magnifying glass search icon in the lower-left corner, entering Powershell, and clicking Windows PowerShell:
2. Enter the following commands to download the bootstrap script for the Lab onto your desktop:
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/cloudacademy/azure-lab-provisioners/master/custom-rbac/bootstrap.ps1" `
    -OutFile C:\Users\student\Desktop\script.ps1 -UseBasicParsing
The backtick (`) at the end of the Invoke-WebRequest line tells PowerShell that the command continues on the next line.
3. Right-click the script.ps1 file on your desktop and select Run with PowerShell:
4. Answer A (Yes to All) to any confirmation prompts and let the script run to completion until the blue PowerShell window closes on its own. The script installs the Azure PowerShell module:
The window will close once the installation is finished. It takes a few minutes to complete.
5. Close the remaining PowerShell window.
6. Click the File Explorer icon in the bottom Taskbar:
7. Browse to C:\Scripts (This PC > Local Disk (C:) > Scripts) in File Explorer:
8. Right-click on the C:\Scripts\New-CustomRole.ps1 file and choose Edit to launch the PowerShell ISE editor:
9. You should see the code with syntax highlighting in the Windows PowerShell ISE similar to the image below:
In the PowerShell ISE, the top half displays the code editor and the bottom half displays the PowerShell command window where you run commands and view output. You will walk through the script by highlighting particular lines of code and running only that selection. You may highlight any number of lines and press F8 to run the selection. Alternatively, you may use the Run Selection button in the editor toolbar to run the selected code:
Warning: Don't make the mistake of clicking the first Run Script play button, which runs the entire script from start to finish. Always use the middle Run Selection button or press F8.
Connecting to Azure via PowerShell
Introduction
In this Lab Step, you will use the PowerShell script to connect to your Azure account. You must make the connection so that the PowerShell commands that follow are sent as authenticated requests using the account you provide.
Instructions
1. Find your SubscriptionId in the Azure Portal. In the Azure Portal type subscriptions in the search field near the top:
2. Take note of the SubscriptionId and copy it to your clipboard as you will be using this in the PowerShell script:
3. Go back to the PowerShell script and look for the Add-AzAccount cmdlet and replace the placeholder SubscriptionId with your Subscription Id:
4. Select or highlight the entire line that contains Add-AzAccount and press F8, or click the Run Selection button in the toolbar.
5. You will be prompted to enter your Azure student credentials. Enter the same credentials you used to connect to the Azure Portal:
- Username: student-567-569372@labscloudacademy.onmicrosoft.com
- Password: Ca1_unnQ25hf
6. Notice that in the PowerShell command window below the script editor, the command you selected to run is displayed along with a result similar to the following:
Summary
In this Lab Step, you used the PowerShell script to connect to your Azure account with the appropriate SubscriptionId you've verified from the Azure Portal.
Creating a Custom Role in PowerShell
Introduction
For situations where the built-in Azure roles don't meet your requirements, you can create a custom role. You can have up to 2000 custom roles in a single Azure Active Directory (Azure AD) tenant. Custom roles can be created using PowerShell, as well as the Azure command-line interface (CLI) and the Azure REST API. You need to consider the following access control properties when defining a custom role:
- Actions: A collection of operations to which the role grants access. Operations take the form of Microsoft.<ProviderName>/<ChildResourceType>/<action>. Wildcards (*) can be used in the operation string to grant access to all operations matching the wildcard pattern.
- NotActions: A collection of operations to exclude from the Actions collection. The role grants access to operations that are included in Actions, but excludes operations included in NotActions. NotActions are useful when it is easier to define access in terms of what a role should exclude. It is important to note that NotActions do not necessarily deny a user's access, only the specific role's access. For example, if a user is assigned to two roles then the NotActions of one role do not deny the Actions of the other role.
- AssignableScopes: The scopes where the custom role is assignable. The scopes can be at the subscription, resource group, or resource level. Each subscription can contain multiple resource groups, and each resource group can contain multiple resources. Assigning a subscription scope allows the role to be assigned anywhere in the subscription including resource groups and resources. Similarly, assigning a resource group scope allows the role to be assigned to resources in the resource group.
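The Actions/NotActions rule above is easy to misread, so here is an added offline example (not the lab's script) that models how a control-plane operation is evaluated against one or more assigned roles. It is a simplified model: only Actions and NotActions are considered (no DataActions, deny assignments or scope checks), and the `*` in an operation string is treated as PowerShell's -like wildcard. The role definitions are constructed; the first mirrors the lab's custom role with an abbreviated Actions list, the second is hypothetical.

```powershell
# Added example, not part of the lab script: a simplified offline model of how
# Azure RBAC evaluates a control-plane operation against Actions and NotActions.
# Assumptions: only Actions/NotActions are modelled (no DataActions, deny
# assignments or scope checks), and '*' is treated as PowerShell's -like wildcard.

function Test-RoleGrantsOperation {
    param(
        [Parameter(Mandatory)] [hashtable] $Role,       # @{ Name; Actions; NotActions }
        [Parameter(Mandatory)] [string]    $Operation
    )
    # Matched by at least one Actions pattern ...
    $granted  = @($Role.Actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    # ... and not matched by any NotActions pattern of the *same* role.
    $excluded = @($Role.NotActions | Where-Object { $Operation -like $_ }).Count -gt 0
    return ($granted -and -not $excluded)
}

function Test-EffectiveAccess {
    param(
        [Parameter(Mandatory)] [hashtable[]] $AssignedRoles,
        [Parameter(Mandatory)] [string]      $Operation
    )
    # Effective access is the union across assignments: a NotAction in one
    # role never subtracts from an Action granted by another role.
    foreach ($role in $AssignedRoles) {
        if (Test-RoleGrantsOperation -Role $role -Operation $Operation) { return $true }
    }
    return $false
}

# Constructed role definitions. The first mirrors the lab's custom role
# (Network Contributor-style Actions with one operation excluded); its
# Actions list is abbreviated and is an assumption, not the real built-in.
$customRole = @{
    Name       = 'CloudAcademy Network Contributor'
    Actions    = @('Microsoft.Network/*', 'Microsoft.Compute/virtualMachines/read')
    NotActions = @('Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action')
}
# A second, hypothetical role that grants only the excluded operation.
$nsgViewer = @{
    Name       = 'Effective NSG Viewer (hypothetical)'
    Actions    = @('Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action')
    NotActions = @()
}

$effectiveNsgOp = 'Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action'

[pscustomobject]@{
    Scenario = 'Custom role only, excluded operation'
    Allowed  = Test-EffectiveAccess -AssignedRoles @($customRole) -Operation $effectiveNsgOp
}
[pscustomobject]@{
    Scenario = 'Custom role only, ordinary network read'
    Allowed  = Test-EffectiveAccess -AssignedRoles @($customRole) -Operation 'Microsoft.Network/virtualNetworks/read'
}
[pscustomobject]@{
    Scenario = 'Custom role + NSG viewer, excluded operation'
    Allowed  = Test-EffectiveAccess -AssignedRoles @($customRole, $nsgViewer) -Operation $effectiveNsgOp
}
```

The third scenario is the one the bullet list warns about: the custom role's NotActions entry removes the operation from that role only, so a second assignment that grants the same operation makes it effective again. If you need a hard block that survives additional assignments, that is what Azure deny assignments are for, not NotActions.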
In this Lab Step, you will step through the provided PowerShell script to create a custom role using PowerShell.
Instructions
1. In PowerShell ISE, place your cursor on the line beginning with $SubscriptionId and press F8 or click the Run Selection button:
This uses the Azure PowerShell Get-AzureRmSubscription command to store the Id property of the subscription in a variable.
2. Move your cursor down to the next code line and run the selection:
The Get-AzureRmRoleDefinition cmdlet retrieves the Network Contributor role and stores it in a variable. You will modify the Network Contributor role to make your custom role.
3. Run the next code line to clear the Id of the role:
You must clear the Id in order to avoid a duplicate Id conflict when you create the new role. Azure will automatically generate a new Id for the role when it is not specified.
4. Select and run the next two lines to give a descriptive Name and Description to the custom role:
The role is going to be similar to the Network Contributor role with one operation excluded.
5. Run the next line to empty the Actions collection:
6. Highlight the following $role.Actions.Add lines, and run the selection to add operations that the role should grant access to:
These are the same operations that the Network Contributor role grants access to plus virtual machine read access. The Microsoft.Network/* operation string grants full access to all network resources.
7. Run the next code line to exclude one operation among all the network operations:
The Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action allows you to determine the effective network security group (NSG) for a network interface. The effective NSG is the result of combining the NSG of a network interface with the NSG of the subnet the network interface is in. You will observe the effective NSG for the network interface in an upcoming Lab Step.
8. Move your cursor down to the next code line and run the selection to clear the AssignableScopes collection:
9. Run the next line to add your subscription as an AssignableScope:
10. Run the final line of code to create the custom role:
For your information, you can also define the custom role in a JSON file and pass it with the -InputFile argument to the New-AzRoleDefinition cmdlet. That is a more portable way to store custom roles than PowerShell code.
The cmdlet will print a red error message in the command window that is similar to the following:
This is expected. The error notifies you that your student account doesn't have permission to create roles at the subscription level, that is, it lacks the operation Microsoft.Authorization/roleDefinitions/write at that scope. Fortunately, it is not necessary for you to create the role to complete the Lab because the Cloud Academy Lab environment has already created it for you.
11. To understand more about why the previous command failed, list the roles your student account is assigned to by entering the following in the command window:
Get-AzRoleAssignment -SignInName <YOUR_SIGN_IN_NAME>
where you replace <YOUR_SIGN_IN_NAME> with your student account sign-in name. You can copy the sign-in name from the error message; it will be similar to student-###-###@labscloudacademy.onmicrosoft.com.
12. Inspect the Scope and RoleDefinitionName in the output:
There is only one role your account has been assigned to. From the Scope property, you can see it is assigned at the resourceGroup level, not the subscription level. This means you do not have access to write anything at the subscription level. From the RoleDefinitionName property, you can see you are in a custom role for the lab.
13. View the role definition to see what permissions the role grants:
Get-AzRoleDefinition | where Id -EQ (Get-AzRoleAssignment -SignInName <YOUR_SIGN_IN_NAME>).RoleDefinitionId
where you replace <YOUR_SIGN_IN_NAME> with your student account sign-in name:
This role can create a variety of resources, but it cannot grant access to others (because of the Microsoft.Authorization NotActions). This is similar to the built-in Contributor role. It means that even if you did have access at the subscription scope, you could create the role but you couldn't assign it to accounts.
14. Verify that the role has already been created by using the following command:
Get-AzRoleDefinition -Name "CloudAcademy Network Contributor"
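The steps above walk through the lab's New-CustomRole.ps1 one line at a time without showing the lines themselves. As an added example (not the lab's script), here is the same custom role built end to end with the Az module: once as an in-memory role object and once as a JSON file passed to New-AzRoleDefinition -InputFile, followed by the role-assignment diagnosis from steps 11 to 14 when creation is refused. It assumes you are already signed in with Add-AzAccount (Connect-AzAccount in newer Az releases), that the account sees a single subscription, and that <YOUR_SIGN_IN_NAME> is replaced as in the steps above; the Description text is an assumption.

```powershell
# Added example, not the lab's New-CustomRole.ps1: the custom role built with the
# Az module, as an object and as a JSON file for New-AzRoleDefinition -InputFile.
# Assumptions: an authenticated Az session with one subscription visible;
# <YOUR_SIGN_IN_NAME> is a placeholder for the student sign-in name.

$subscriptionId = (Get-AzSubscription | Select-Object -First 1).Id
$roleName = 'CloudAcademy Network Contributor'

# Start from the built-in Network Contributor and turn it into a custom role.
$role = Get-AzRoleDefinition -Name 'Network Contributor'
$role.Id          = $null                # cleared so Azure assigns a fresh Id
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = 'Network Contributor without effective NSG visibility'   # assumed text
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')                  # extra VM read access
$role.NotActions.Add('Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Portable alternative: the same definition serialised as JSON for -InputFile.
$json = [ordered]@{
    Name             = $role.Name
    IsCustom         = $true
    Description      = $role.Description
    Actions          = @($role.Actions)
    NotActions       = @($role.NotActions)
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($role.AssignableScopes)
} | ConvertTo-Json -Depth 3
$jsonPath = Join-Path $env:TEMP 'ca-network-contributor.json'
Set-Content -Path $jsonPath -Value $json -Encoding utf8

try {
    # New-AzRoleDefinition -Role $role would work equally; -InputFile is used
    # here so the JSON file is exercised.
    New-AzRoleDefinition -InputFile $jsonPath -ErrorAction Stop
}
catch {
    # Microsoft.Authorization/roleDefinitions/write is required at every
    # assignable scope; without it the call fails exactly as the lab describes.
    Write-Warning "Role creation failed: $($_.Exception.Message)"
    # Diagnose: which roles is this account assigned, and at what scope?
    Get-AzRoleAssignment -SignInName '<YOUR_SIGN_IN_NAME>' |
        Select-Object RoleDefinitionName, Scope
}

# Whether creation succeeded or the lab pre-created the role, show what it grants.
Get-AzRoleDefinition -Name $roleName |
    Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes
```

Keeping the JSON file under version control is the practical reason the lab recommends -InputFile: a role definition in a reviewable file makes changes to granted operations, and especially to NotActions, visible in a diff before they reach the tenant.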
Summary
In this Lab Step, you learned how to create a custom role using PowerShell. You also learned how to inspect the roles of an account and the operations that roles grant access to. This is helpful for diagnosing authorization errors.
Simulating the Custom Role User Experience
Introduction
This Lab Step illustrates the differences between a user with access to a resource and a user assigned to the custom role in the previous Lab Step. The operation that you will focus on is reading the effective network security group (NSG) of the Cloud Academy Lab's network interface. Recall that the custom role excluded access by declaring it as a NotAction.
Note: Unlike most Lab Steps, you will not be able to perform some of the actions in this step for security reasons. It will be clear which instructions are "simulated"; for those, only read the instruction and observe the screenshots to follow along.
Instructions
1. Return to the Azure Portal, enter network interfaces in the uppermost search bar, and click on Network interfaces:
2. Select the ca-lab-vm001 network interface in the table:
3. Select Effective security rules from the Network interface blade:
The effective security rules are the inbound and outbound rules for the effective NSG of the network interface. The particular rules are not important, but it is worth noting that inbound TCP traffic on port 3389 is allowed in order for you to connect to the virtual machine via Remote Desktop Protocol (RDP).
The remaining instructions are simulated so you can observe how to assign the custom role to a user, and what their experience is when they attempt to view the effective NSG rules.
4. Observe the following screenshot to see how an administrator adds an account to a role at the subscription level in the Azure Portal:
The subscription blade, as well as all other resource blades, include an Access control (IAM) item. In Access control (IAM), you can Add permissions to the resources. To assign a role to a user, you simply select the desired Role, Assign access to an Azure AD user, group, or application, Select the user from the list, and click Save.
Alternatively, you can use the New-AzureRmRoleAssignment PowerShell cmdlet to assign a role programmatically.
5. Once the role assignment is saved, the role assignment appears in the Access control (IAM) table:
6. When a user assigned to the custom role views the effective security rules, the following error is displayed:
Similar access control error messages are seen throughout the Azure Portal when you navigate to areas where you haven't been granted access.
Summary
In this Lab Step, you contrasted the user experience in the Azure portal when access is granted and when access is not granted. You also learned how to assign roles to users in the Azure Portal and from PowerShell.
Finding Permissions for Custom Roles
Introduction
It can be convenient to create custom roles based on the built-in roles that Azure provides. But there is still the question of how to find the operation strings to add to custom roles. In this Lab Step, you will learn a couple of ways to determine which operation strings you need to include in your custom roles.
Instructions
1. Return to the Network interfaces blade in the Azure Portal, select Access Control (IAM), and click on Role assignments:
Notice that your student account doesn't have an Add button to assign roles, but you can view Roles.
2. Click on Virtual Machine Contributor in the list of Roles:
For this scenario, assume that you want to create a custom role that includes a subset of the operations granted by the Virtual Machine Contributor role.
3. In the blade that opens, select Permissions:
4. In the Permissions list, select the Microsoft Compute provider:
This opens a hierarchical list of permissions for the Microsoft Compute provider.
5. As an example, select DiskOperation from the list:
6. Mouse over the i to the right of Read: Get Disk Operation to display a tip dialog box:
From here, you can get a more detailed description of what the action allows as well as the operation string you would need to use in a custom role, Microsoft.Compute/locations/diskOperations/read in this case. You could inspect any resource provider in the same way to develop the operations you need for a custom role.
7. Return to your RDP session connected to the ca-lab-vm and enter the following command in the PowerShell ISE command window:
Get-AzProviderOperation Microsoft.Compute/locations/diskOperations/*
This returns the same information you retrieved from the portal. The operation string you use in a custom role is in the Operation property.
8. Enter the following to get all actions that can be performed on virtual machines:
Get-AzProviderOperation */virtualMachines/*
The complete list is quite daunting. A narrower search will often be more effective if you know more about what you are looking for. The structured organization of the Azure Portal permissions interface can make it easier to find what you need. If for some reason you need to list all possible actions, you can enter Get-AzureRmProviderOperation *. There are over 2800 actions at the time of writing.
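Because Get-AzProviderOperation accepts the same wildcard strings that appear in role definitions, it can also be turned around to audit an existing role: expand each Actions pattern into the concrete operations it covers and subtract anything matched by NotActions. The following is an added example, not part of the lab, and it assumes an authenticated Az session in which the lab's custom role exists; the function name Expand-RoleOperations is invented for this example.

```powershell
# Added example, not part of the lab: expand a role definition's wildcard
# Actions into the concrete operations they cover (via Get-AzProviderOperation)
# and subtract the role's NotActions to get its concrete effective operations.
# Assumes an authenticated Az session; Expand-RoleOperations is an invented name.

function Expand-RoleOperations {
    param([Parameter(Mandatory)] [string] $RoleName)

    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }

    # Each Actions entry is a valid search string for Get-AzProviderOperation,
    # so a wildcard such as Microsoft.Network/* expands to every concrete
    # operation under that provider.
    $granted = foreach ($pattern in $role.Actions) {
        Get-AzProviderOperation $pattern | Select-Object -ExpandProperty Operation
    }
    $granted = $granted | Sort-Object -Unique

    # Drop every operation matched by one of this role's NotActions patterns.
    foreach ($op in $granted) {
        $excluded = $false
        foreach ($pattern in $role.NotActions) {
            if ($op -like $pattern) { $excluded = $true; break }
        }
        if (-not $excluded) { $op }
    }
}

# Concrete network-interface operations the lab's custom role can perform; the
# effectiveNetworkSecurityGroups/action entry is absent because it is a NotAction.
Expand-RoleOperations -RoleName 'CloudAcademy Network Contributor' |
    Where-Object { $_ -like 'Microsoft.Network/networkInterfaces/*' }
```

Running the expansion over a role before assigning it is a cheap least-privilege check: a single Microsoft.Network/* entry reads as one line in the definition but resolves to hundreds of operations, and seeing the concrete list makes it obvious which of them the role really needs.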
Summary
In this Lab Step, you learned two ways to uncover the operation strings you need for creating custom roles.