We have a VNET that is coupled to an Express route, on which we will give our users access to specific subnets.
These subnets are created for each resource group, and the idea is to have these users only able to add machines in their subnet.
To allow users to add machines to a subnet I gave them the following permissions:
- Read on Virtual Network
- Contributor on their subnet
However this allowed the users to select all subnets on the virtual network.
It simply throws an error when you try to deploy a machine on a subnet you lack contributor on.
I tried creating custom roles, but if I am to create one that only disallows reading as such:
{
"Name": "Not Reader",
"Description": "Denies Reader priviliges on the assigned resource.",
"Actions": [
],
"NotActions": [
"Microsoft.Network/*/read"
],
"AssignableScopes": [
"/subscriptions/theguidwashere"
]
}
I get the error:
New-AzureRmRoleDefinition : Invalid value for Actions
At line:1 char:1
+ New-AzureRmRoleDefinition -InputFile C:\temp\customroles\NotReader.json
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleDefinition], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleDefinitionCommand
I assume this is because the actions value can not be empty.
I'm not sure what I should/could safely add in the actions, and at this point it's starting to look like I'm putting together something complex for what should be quite simple.
So how should I set up/create roles to allow for a user to see and utilize only a single subnet within a larger VNET?
We can not put restrictions on a specific subnet. I had the same issue.
The custom rules can only be applied on 1) Resource Groups 2) Resource (vnet is a resource and not subnets, subnets are the outcome of a resource) 3) Subscription
As explained, subnets are not resources and you will not be able to restrict which subnets can and cannot be used, via RBAC/Custom roles feature.
You might have to look into Azure Blueprints or Azure policies for that.