Apply role to resources based on tags

Question

I have an use case like this: the dev team creates resource groups and resources in it, using azure devops pipelines. One of the pipelines steps, is to assign role to a newly created Key Vault with a newly create web app. I would like to assign a role granting "assignment power" to the pipeline SP, only for the resource groups it creates, not for the whole subscription. Checked the ABAC (attribute based access control) documentation, at first look, it seems the right way, but I can only add conditions for Data Actions roles (for now only available for storage account).

Is there a way to achieve this without granting permission to the whole subscription? Like adding a role based on a tag?

Tried: Tested role conditions

Expecting: Assign a specific role (builtin or custom) to the newly created resource group.

Answer 1

You can assign a specific role to the newly created resource group based on a specific tag by using Azure Policy based on a specific tag.

Here is an Azure policy definition that assigns a specific role to resource groups based on a specific tag.

{
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "tags['YourTagName']",
        "exists": "true"
      },
      "then": {
        "effect": "audit",
        "actions": [
          {
            "action": "Microsoft.Authorization/roleAssignments",
            "roleDefinitionId": "/subscriptions/811174b4-ff1b-45ef-a6ca-d13917f8ec4e/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
            "condition": {
              "field": "tags['YourTagName']",
              "equals": "YourTagValue"
            }
          }
        ]
      }
    }
}

Assign Azure Policy in portal as below.

The if clause of the policy rule specifies that the policy should only be evaluated if the resource group has the tag YourTagName. The then clause of the policy rule specifies that the role <roledefinition-Id> should be assigned to the resource group if the resource group has the tag YourTagName and the value of the tag is YourTagValue.

Reference: azure-docs/govern-tags.md at main · MicrosoftDocs/azure-docs · GitHub