💪 [Enhancement]: Document the least-privilige roles needed for installation

[Annelotte-Mons]

Category

Documentation

Description

Normally the Invictus installation would expect a Service Principal that has contributor rights on a certain resource group.
However, some customers do not want this, and instead require more specificity in their roles to adhere to the principle of least privilige. Would be good to have some documentation on this to speed up installations at those customers.

Additional context

This is what I have so far at my client, maybe it could serve as a headstart.

Azure Event Hubs Data Owner
Azure Service Bus Data Owner
Container Apps ManagedEnvironments Contributor
Container Registry Contributor and Data Access Configuration Administrator
Container Registry Tasks Contributor
Custom invictus Deployment:
actions: "Microsoft.App/containerApps/write",
"Microsoft.App/containerApps/authConfigs/write",
"microsoft.app/jobs/start/action",
"microsoft.app/jobs/stop/action",
"microsoft.app/jobs/read",
"microsoft.app/jobs/write",
"microsoft.app/jobs/delete",
"microsoft.app/register/action",
"microsoft.app/managedenvironments/write",
"microsoft.app/managedenvironments/join/action",
"Microsoft.Authorization/locks/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.OperationalInsights/workspaces/listKeys/action"

EventGrid Contributor
Key Vault Contributor
Key Vault Data Access Administrator
Logic App Contributor
Monitoring Contributor
Network Contributor
Role Based Access Control Administrator (Optionally scoped to specific roles it itself needs to assign).

Storage Account Contributor
Web Plan Contributor
Website Contributor
Cosmos DB Operator

[stijnmoreels]

Think based on the current Framework+Dashboard deployment, and the list here, we can have this least-privileged role assignments?

Role	Why It’s Needed
Azure Container Apps Contributor	Allows to create/update Container Apps environments, apps, authConfigs and job definitions
Azure Event Hubs Contributor	Allows to create/update Event Hubs namespaces, event hubs and networkRuleSets
Container Registry Contributor	Allows to create/update Azure Container Registry instances, locks and network settings
DocumentDB Account Contributor	Allows to create/update Cosmos DB accounts, MongoDB databases and collections
Managed Identity Contributor	Allows to create/update user-assigned managed identities for Container Apps and functions
Key Vault Contributor	Allows to create/update Key Vaults, access policies and network ACLs
Key Vault Secrets Officer	Allows to write secrets into Key Vault (e.g. workspace keys, AAD client secrets)
Log Analytics Contributor	Allows to create/update Log Analytics workspaces and listing workspace keys
Monitoring Contributor	Allows to create/update Application Insights components and associated locks
Network Contributor	Allows to create/update privateEndpoints, VNet subnets and privateDnsZoneGroups
Reader	Allows to read existing Private DNS zones when linking DNS zone groups for private endpoints
Service Bus Contributor	Allows to create/update Service Bus namespaces, queues and network rule sets
Storage Account Contributor	Allows to create/update storage accounts, file shares, blob and table services
User Access Administrator	Allows to create Microsoft.Authorization/roleAssignments and resource locks

[Annelotte-Mons]

I just checked at my customer and I see I have some extra, could be some overlap with the roles mentioned above not sure:

• Azure Service Bus Data Owner
  • Unsure why this one was assigned to the SP... Maybe not needed
• Container Apps ManagedEnvironments Contributor
  • To deploy the ContainerAppEnv etc.
• Role Based Access Control Administrator
  • Scoped to specific roles it may assign, see specific list down below.
• Custom invictus Deployment
  • See definition down below
• Container Registry Tasks Contributor
  • To execute ACR tasks (e.g. ACR Import)
• Custom Container Apps Jobs operator
  • See definition down below
• Container Registry Contributor and Data Access Configuration Administrator
  • For managing access to the ACR (AcrPull role)
• Key Vault Data Access Administrator
  • For managing access to the keyvault (rbac roles)
• Cosmos DB Operator
  • Unsure
• Azure Event Hubs Data Owner
  • Unsure

Conditional Role Based Access Control Administrator
Can't find list right away: but basically all roles that invictus deployment assigns (optional)

Custom Invictus Role:
{ "InvictusDeployment": { "roleName": "Custom invictus Deployment", "description": "Permissions required for the Invictus deployment.", "Actions": [ "Microsoft.App/containerApps/write", "Microsoft.App/containerApps/authConfigs/write", "microsoft.app/jobs/start/action", "microsoft.app/jobs/stop/action", "microsoft.app/jobs/read", "microsoft.app/jobs/write", "microsoft.app/jobs/delete", "microsoft.app/register/action", "microsoft.app/managedenvironments/write", "microsoft.app/managedenvironments/join/action", "Microsoft.Authorization/locks/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.ManagedIdentity/userAssignedIdentities/write", "Microsoft.OperationalInsights/workspaces/listKeys/action" ], "dataActions": [ "Microsoft.App/managedEnvironments/PrivateEndpointConnectionsApproval/action" ] } }

Custom Cntainer apps jobs role:
{ "CustomContainerAppsJobs": { "roleName": "Custom Container Apps Jobs operator", "description": "Allows operations management to Container Apps: Start/Stop/Get/Register/Write/Delete a Container Apps Job.", "Actions": [ "microsoft.app/jobs/start/action", "microsoft.app/jobs/stop/action", "microsoft.app/jobs/read", "microsoft.app/jobs/write", "microsoft.app/jobs/delete", "microsoft.app/register/action", "microsoft.app/managedenvironments/write", "microsoft.app/managedenvironments/join/action" ] } }

[stijnmoreels]

I could be wrong:

Current Role at customer	Verdict	Why It’s Too Broad / Not Needed	Replacement
Azure Service Bus Data Owner	Indeed, not needed	Only grants data‐plane send/receive. We need management-plane rights to provision namespaces, queues & rules.	Service Bus Contributor
Azure Event Hubs Data Owner	Not needed	Data-plane only (publish/consume). We need management-plane rights to create/configure hubs & rules.	Azure Event Hubs Contributor
Container Apps ManagedEnvironments Contributor	Too narrow	Covers only managedEnvironments/*. Our deployment also needs containerApps/*, authConfigs/*, and job actions.	Azure Container Apps Contributor
Role Based Access Control Administrator	Too broad	Grants full RBAC admin on the scope. We only need to create the roleAssignments your Bicep emits.	User Access Administrator
Conditional Role Based Access Control Administrator	Too broad	Same as above: over-privileged for just roleAssignments/write & locks/write.	User Access Administrator
Custom “Invictus Deployment”	Redundant	All its listed Microsoft.App/* actions are already included in Azure Container Apps Contributor.	Azure Container Apps Contributor
Custom Container Apps Jobs operator	Redundant	Its job start/stop/read/write/delete actions are covered by Azure Container Apps Contributor as well.	Azure Container Apps Contributor
Container Registry Tasks Contributor	Not needed	We don’t deploy any ACR Tasks in these Bicep files.	–
Container Registry Data Access Configuration Admin	Not needed	We never configure ACR data‐plane policies. Contributor already covers registry CRUD & locks.	Container Registry Contributor
Key Vault Data Access Administrator	Too broad	Grants secret‐read data-plane rights. We only write secrets during deployment.	Key Vault Secrets Officer
Cosmos DB Operator	Not needed	Data-plane only (document CRUD). We need management-plane rights to create accounts/DBs/collections.	DocumentDB Account Contributor