Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

Deny settings mode `denyWriteAndDelete` prevents me from accessing IoT Hub settings #170

Closed F-Joachim closed 2 weeks ago

F-Joachim commented 3 weeks ago

Describe the bug I deployed an Azure infrastructure (including Azure IoT Hub) via Azure Deployment Stacks with --deny-settings-mode denyWriteAndDelete using a service principal with the Owner role. After the successful deployment I am not able to either access (read) the IoT Hub's view (IoT Hub -> Device Management -> IoT Edge) or access the edge devices/manifest deployments via the Azure CLI.

The following error is shown to me when I try to access the IoT Hub's IoT Edge view:

[image: error screenshot] (Same error is thrown from the Azure CLI)

To Reproduce Steps to reproduce the behavior:

  1. Deploy an Azure Deployment Stack (containing the Azure IoT Hub resource) with --deny-settings-mode denyWriteAndDelete
  2. Await successful deployment
  3. Try to access the IoT Hub's view: Device Management -> IoT Edge

Expected behavior My expectation of the deny settings is that just the resource settings are unchangeable (but still readable), for example the network IP rules, but not dynamic settings like the IoT Edge devices or manifest deployments.

Please don't hesitate to contact me if you need further information. Thanks in advance.

snarkywolverine commented 2 weeks ago

Hi @F-Joachim -

Just for a little background, the way this Deny Assignment works is by denying all actions except */read. Since you are attempting a listKeys/action (per the error message), it is blocked by default. This can be fixed by using the DenySettingsExcludedActions property in PS, CLI, or with the REST endpoint.

F-Joachim commented 2 weeks ago

Hi @snarkywolverine,

thanks for your explanation.

But it's not really clear to me what the difference between a list and a read command is 🤔 In my imagination it is the same. In this context, the naming of the deny-settings-mode is also inconsistent, as it suggests that only write and delete operations are rejected.

The good news is that it works with the flag you described (even if it is more of a workaround for me). After I added --deny-settings-excluded-actions "Microsoft.Devices/IotHubs/listKeys/action" to the CLI command, the Edge Devices and Manifest Deployments are accessible again, via Portal and Azure CLI.

snarkywolverine commented 2 weeks ago

Speaking in broad terms, there are ~4 different permission types in Azure: Read, Write, Delete, and "Action", which is more of a catch-all/'anything else' bucket. The first three apply mainly to resources; the last is more of a 'gesture' on a resource. In this instance, 'listKeys' is an action on the IOTHub resource, rather than part of the IOTHub read permission. This empowers owners (and those delegating permissions) to allow a user to read an IOTHub without accessing the keys.

I see your point that 'DenyWriteAndDelete' as a name is a bit of a simplification compared to 'read only'. @azcloudfarmer Do you think we should refine this in our documentation?
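To make the semantics described in the two replies above concrete, here is an added Python model (not code from this thread or from the deployment-stacks project) of the deny assignment a stack creates in denyWriteAndDelete mode: every action is denied except those matching */read, and anything listed in DenySettingsExcludedActions is carved back out. The wildcard matching and the read/write/delete/action classification are illustrative assumptions, not Azure's actual RBAC evaluation engine.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed model of the deployment-stack deny assignment. In the thread
# the reporter used:
#   --deny-settings-mode denyWriteAndDelete
#   --deny-settings-excluded-actions "Microsoft.Devices/IotHubs/listKeys/action"
# This class mimics how such settings decide whether an action is blocked.


@dataclass
class DenyWriteAndDelete:
    # Actions exempted from the deny via DenySettingsExcludedActions.
    excluded_actions: set = field(default_factory=set)
    # What the deny assignment itself never blocks: any */read action.
    not_actions: tuple = ("*/read",)

    def is_denied(self, action: str) -> bool:
        # Azure action strings are case-insensitive; normalise before matching.
        a = action.lower()
        if any(fnmatch.fnmatchcase(a, p.lower()) for p in self.not_actions):
            return False
        if any(fnmatch.fnmatchcase(a, p.lower()) for p in self.excluded_actions):
            return False
        return True  # everything else (write, delete, */action) is blocked


def operation_kind(action: str) -> str:
    """Classify an RBAC action into the four broad kinds from the thread:
    read, write, delete, or 'action' (the catch-all for anything else)."""
    last = action.lower().rsplit("/", 1)[-1]
    return last if last in ("read", "write", "delete") else "action"


def check_actions(deny: DenyWriteAndDelete, actions) -> dict:
    """Map each action to (kind, denied) so a reviewer can see at a glance
    which operations a given deny configuration will block."""
    return {a: (operation_kind(a), deny.is_denied(a)) for a in actions}


if __name__ == "__main__":
    sample = [
        "Microsoft.Devices/IotHubs/read",
        "Microsoft.Devices/IotHubs/write",
        "Microsoft.Devices/IotHubs/delete",
        "Microsoft.Devices/IotHubs/listKeys/action",
    ]
    for cfg in (DenyWriteAndDelete(), DenyWriteAndDelete({sample[3]})):
        print(check_actions(cfg, sample))
```

With no exclusions the listKeys action is reported as denied while the plain read is allowed; adding it to excluded_actions flips only that entry, which matches the reporter's observed fix.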