Frequently updated list of
- Built-in Azure Role Definitions (not Azure AD roles)
- Azure Providers and their operations (to be used as
actions/dataActionsin role definitions)
to track changes over time. Inspired by MAMIP Monitor AWS Managed IAM Policies.
There is a scheduled workflow that does the following steps:
- Update the list of Built-In Azure role definitions using
az role definition list, saved as one file per role definition - Update the list of Azure providers and their operations using
az provider operation list / show, saved as one file per provider - Reformat them using
jqto guard a bit against diff noise - Push any detected additions/removals/modifications, one file at a time
- Monitor AAD roles
Add twitter bot support, similar to MAMIP
The updater runs against my personal subscription on Azure. I do not know if the list of built-in roles or providers is the same for each subscription, or if it depends on e.g. registered providers, registered feature flags etc. When I checked against a different subscription I have access to, I did not see any differences, but I don't know if that's globally true.
Feedback / definitive info on that is welcome.
The JSON format here is from az role definition list, with the Subscription Id part redacted.
This differs structurally (not only in attribute order) from the Roles JSON view in Azure Portal.
JSON View in Azure Portal: The id property is listed first, all other attributes are nested
in a properties attribute. Order of attributes seems "natural".
{
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"properties": {
"roleName": "AcrDelete",
"description": "acr delete",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}Output of az role definition list for the AcrDelete role: properties subattributes are pulled
up to the top level, everything is sorted alphabetically. I also chose to enforce this attribute
sort order once more in ./scripts/_reformat.sh, to avoid update noise.
So should Azure ever reorder the JSON attributes when using az, this repo will not reflect that.
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}