
azure-role-selector

npx machina-cli add skill aiskillstore/marketplace/azure-role-selector --openclaw
Files (1): SKILL.md (982 B)

Use the 'Azure MCP/documentation' tool to find the minimal role definition that matches the permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'Azure MCP/extension_cli_generate' tool to create a custom role definition with exactly those permissions. Then use the 'Azure MCP/extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity, and use the 'Azure MCP/bicepschema' and 'Azure MCP/get_bestpractices' tools to provide a Bicep code snippet that adds the role assignment.

Source

git clone https://github.com/aiskillstore/marketplace/blob/main/skills/7spade/azure-role-selector/SKILL.md

Overview

azure-role-selector identifies the smallest Azure RBAC role that meets your permission needs. It guides you to built-in roles when possible, or creates a custom role, and provides CLI commands plus a Bicep snippet to apply the assignment with least privilege.

How This Skill Works

The agent uses Azure MCP/documentation to locate a minimal built-in role that matches the desired permissions. If no built-in role matches, it uses Azure MCP/extension_cli_generate to create a custom role definition. It then provides CLI commands to assign the role and a Bicep snippet generated via Azure MCP/bicepschema, with best-practices guidance from Azure MCP/get_bestpractices.

When to Use It

  • When provisioning a new identity that requires a narrowly scoped set of permissions.
  • When migrating from broad roles (e.g., Contributor) to the least-privilege alternative.
  • When automating deployments and you need to restrict access to specific actions.
  • When you must scope access to a single resource group or resource.
  • When preparing for least-privilege access audits and governance.

Quick Start

  1. Specify the required permissions and the identity to grant them to.
  2. The tool identifies the minimal built-in role or creates a custom role, and outputs the CLI commands.
  3. Apply the role with the generated CLI commands and embed the Bicep snippet in your IaC.

Best Practices

  • Prefer built-in roles first before creating a custom role.
  • Always assign the role at the narrowest scope that works (subscription, resource group, or individual resource).
  • Validate permissions by testing with a non-privileged identity.
  • Document the exact permissions in the custom role and provide an expiration if temporary.
  • Regularly review role assignments and rotate credentials.

Example Use Cases

  • Grant read-only access to a resource group using the Reader role scoped to that group.
  • Limit data access to a storage container by assigning Storage Blob Data Reader to a user or service principal.
  • Set up deployment automation with a minimal custom role that can start/stop specific VMs only.
  • Create a CI/CD pipeline with a custom role that can read configs and trigger deployments without full Contributor rights.
  • Grant Key Vault Secrets User to an automation account to fetch secrets without broad access.
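The selection step described under "How This Skill Works" and the use cases above, as an added Python example that is not part of the skill or the Azure MCP tools: it matches required actions against an abbreviated, constructed excerpt of built-in role definitions using Azure's action-wildcard rules, picks the narrowest role that covers every action, refuses to count a bare `*` grant (Contributor-style) as least privilege, and drafts a custom role definition when nothing fits. The catalog contents and the scope placeholder are assumptions.

```python
"""Added example: pick the narrowest Azure RBAC role for required actions, else draft a custom role."""
import re

# Constructed, abbreviated subset of built-in role definitions (assumption, not authoritative).
CATALOG = {
    "Reader": {"Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Contributor": {"Actions": ["*"], "DataActions": [], "NotDataActions": [],
                    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"], "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": []},
    "Key Vault Secrets User": {"Actions": [], "NotActions": [], "NotDataActions": [],
        "DataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"]},
}

def matches(pattern, action):
    """Azure action wildcard: '*' spans any number of segments; matching is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def grants(role, kind, action):
    """True if `role` allows `action` under Actions/DataActions and no Not* entry revokes it.
    A bare '*' grant (Contributor/Owner style) is not least privilege, so it does not count."""
    allowed = any(matches(p, action) for p in role[kind] if p != "*")
    denied = any(matches(p, action) for p in role["Not" + kind])
    return allowed and not denied

def breadth(role):
    """Heuristic width: literal segments in the widest grant (fewer = broader), then grant count."""
    pats = role["Actions"] + role["DataActions"] or ["*"]
    return (min(sum("*" not in s for s in p.split("/")) for p in pats), len(pats))

def select_role(actions=(), data_actions=(), catalog=CATALOG):
    """Name of the narrowest catalog role covering every required action, or None."""
    fits = [name for name, role in catalog.items()
            if all(grants(role, "Actions", a) for a in actions)
            and all(grants(role, "DataActions", a) for a in data_actions)]
    return min(fits, key=lambda n: breadth(catalog[n])) if fits else None

def custom_role(name, scope, actions=(), data_actions=()):
    """Draft a custom role definition (input for `az role definition create --role-definition`)."""
    return {"Name": name, "IsCustom": True, "Actions": list(actions),
            "DataActions": list(data_actions), "AssignableScopes": [scope]}

if __name__ == "__main__":
    need = ["Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/deallocate/action"]
    print(select_role(actions=["Microsoft.Compute/virtualMachines/read"]))  # Reader, not Contributor
    print(select_role(actions=need) or custom_role("VM Start Stop Operator", "<SCOPE_PLACEHOLDER>", need))
```

Feed the drafted definition (with a real `AssignableScopes` entry) to `az role definition create`, then assign the resulting role at the resource-group or resource scope rather than the subscription.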
