azure-rbac
npx machina-cli add skill microsoft/GitHub-Copilot-for-Azure/azure-rbac --openclaw

Use the 'azure__documentation' tool to find the minimal role definition that matches the permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure__extension_cli_generate' tool to create a custom role definition with those permissions. Then use the 'azure__extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure__bicepschema' and 'azure__get_azure_bestpractices' tools to provide a Bicep code snippet for adding the role assignment. If the user is asking which role is necessary to grant access, refer to the Prerequisites for Granting Roles below:
Prerequisites for Granting Roles
To assign RBAC roles to identities, you need a role that includes the Microsoft.Authorization/roleAssignments/write permission. The most common roles with this permission are:
- User Access Administrator (least privilege - recommended for role assignment only)
- Owner (full access including role assignment)
- Custom role that includes Microsoft.Authorization/roleAssignments/write
Source
https://github.com/microsoft/GitHub-Copilot-for-Azure/blob/main/plugin/skills/azure-rbac/SKILL.md
Overview
Identifies the minimal Azure RBAC role needed for an identity to achieve the required access with least privilege. It selects a built-in role when possible, or creates a custom role, and then outputs CLI commands and a Bicep snippet to apply the assignment. It also explains the permissions you must have to grant roles (Microsoft.Authorization/roleAssignments/write).
How This Skill Works
The tool queries Azure documentation to locate the smallest role that grants the desired permissions. If no built-in role fits, it generates a custom role definition with the needed permissions. It then produces role-assignment CLI commands and a Bicep snippet (via azure__bicepschema and best-practices guidance) to implement the assignment, along with prerequisites for granting roles.
When to Use It
- You need the least-privilege role to grant access to an identity.
- You want to assign a role to read data from a Storage Blob or similar resource.
- You are provisioning a managed identity or service principal and need to grant access.
- No built-in role matches the required permissions and you need a custom role.
- You want ready-to-use CLI commands and a Bicep snippet to implement a role assignment.
Quick Start
- Step 1: Identify the identity (user, service principal, or managed identity) and the exact permissions needed.
- Step 2: Use azure__documentation to find the minimal built-in role; if none match, run azure__extension_cli_generate to create a custom role.
- Step 3: Use the generated CLI commands to assign the role and review the Bicep snippet produced by azure__bicepschema.
Best Practices
- Scope the role at the smallest possible resource (subscription, resource group, or resource).
- Prefer User Access Administrator for grant-only tasks; avoid using Owner unless necessary.
- Start with built-in roles; create a custom role only when required.
- Test new assignments against the principle of least privilege and monitor how the granted permissions are actually used.
- Document the rationale for the chosen role and its scope for governance.
Example Use Cases
- Grant Storage Blob Data Reader to a service principal at the storage account level to enable blob reading.
- Assign the Reader role at the resource group level to audit or view resources.
- Create a custom role that includes only Microsoft.Authorization/roleAssignments/write and apply it to a service principal.
- Use User Access Administrator to enable role assignments for an automation account without broad access.
- Deploy a Bicep snippet that creates a roleAssignment for a specific principal using the generated code.
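The first and last use cases above combined into one Bicep snippet, added here as an illustration rather than taken from the skill's own output: it assigns Storage Blob Data Reader to a service principal at the scope of a single storage account. The parameter names, API versions and the existing-resource reference are assumptions; the role GUID is the built-in Storage Blob Data Reader definition ID and should be confirmed in your tenant with the command in the comment.

```bicep
// Added example, not from the azure-rbac skill's SKILL.md.
// Least-privilege blob read access for one identity, scoped to one storage account.
// Assumed parameter names: storageAccountName, principalId, principalType.

@description('Existing storage account whose blobs the identity must read')
param storageAccountName string

@description('Object ID of the service principal or managed identity (not the app/client ID)')
param principalId string

@description('Setting the type explicitly avoids failures for newly created principals not yet replicated')
@allowed(['ServicePrincipal', 'User', 'Group'])
param principalType string = 'ServicePrincipal'

// Built-in role: Storage Blob Data Reader (data-plane read only, no key or control-plane rights).
// Verify in your tenant: az role definition list --name "Storage Blob Data Reader" --query "[].name"
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

// Reference the existing account so the assignment is scoped to it,
// not to the whole resource group or subscription.
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: storageAccountName
}

// Role assignment names must be GUIDs and unique per scope; deriving the name from
// scope + principal + role makes redeployments idempotent instead of failing on conflict.
resource blobReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storageAccount.id, principalId, storageBlobDataReaderRoleId)
  scope: storageAccount
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderRoleId)
    principalId: principalId
    principalType: principalType
    description: 'Least-privilege blob read for an automation identity'
  }
}

output roleAssignmentId string = blobReaderAssignment.id
```

Deploying this requires Microsoft.Authorization/roleAssignments/write at the storage account scope or above, which User Access Administrator provides without the broader rights of Owner.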