az-mpf utility (Azure Deployment Minimum Permissions Finder)
This utility finds the minimum permissions required for a given Azure deployment. This can help when you need to figure out the details of what permissions a service principal or managed identity will need to deploy a given ARM template, bicep file or Terrform module. Similarly when assigning a Service Principal / Managed Identity to an Azure Policy Assignment, this utility can help you figure out the minimum permissions required by the Service Principal / Managed Identity to enforce/remediate the policy. It is recommended that the utility is used in a development or test environment to find the minimum permissions required.
How It works
The overview of how this utility works is as follows:
Following is the detailed flow of how this utility works:
- The key parameters the utility needs are the Service Principal details (Client ID, Secret and Object ID) and details needed for the specific deployment provider:
- ARM: ARM template file and parameters file needed
- Terraform: Terraform module directory and variables file needed
- The utility removes any existing Role Assignments for provided Service Principal
- A Custom Role (with no assigned permissions) is created
- The Service Principal (SP) is assigned the new custom role
- For the above steps the utitity uses the default Azure CLI credentials which needs to have permissions to create custom role, and role assignments. The details of the permissions required by the default Azure CLI credentials are provided in the Permissions required by default Azure CLI credentials section.
- For the following sub steps the Service Principal Credentials are used. These sub steps are re-tried till the deployment succeeds
- Depending on the provider (ARM, Bicep, or Terraform) a deployment is tried
- If the Service Principal does not have sufficient permissions an authorization error is returned by the deployment. If Authorization errors have occured, they are parsed to fetch the missing scopes and permissions. The authorizationErrorParser Tests provides details of the different kinds of Authorization errors typically received.
- The missing permissions are added to the custom Role. This sub step uses default Azure CLI credentials to update role permissions.
- Once no authorization error is received, the utility prints the permissions assigned to the Service Principal
- The required permissions are displayed based on the display options. These options can be used to view the resource wise break up of permissions and also to export the result in JSON format
- All resources created are cleaned up by the utility including the Role Assignments and Custom Role.
Supported Deployment Providers
- Azure ARM Template: The ARM endpoints of both modes described below return multiple authorization errors at a time and as a result the final output is usually displayed in under 90 seconds, even for complex templates.
- Whatif mode: This this the default ARM mode. It uses the ARM whatif endpoint to get the authorization errors and find the minimum permissions required for a deployment, without actually create any resources.
- FullDeployment mode: This mode has been deprecated and is no longer supported.
- Bicep: The Bicep mode is similar to the ARM whatif mode, and uses the ARM whatif endpoint to get the authorization errors and find the minimum permissions required for a deployment, without actually create any resources. Internally the utility converts the bicep file to ARM template and then uses the ARM whatif endpoint.
- Terraform: The Terraform mode finds the minimum permissions required for a deployment, by getting the authorization errors from the Terraform plan/apply, and destroy commands. All resources are cleaned up by the utility. Since terraform calls the ARM apis for one resource at a time, the authorization errors are not received in bulk, and as a result it can take quite long to get the final result. The overall time is the time taken to run the terraform plan/apply/destroy commands, plus the overhead of getting and parsing the authorization errors a few times.
Flags and Environment Variables
The commands can be used with flags or environment variables. The following are the flags and environment variables supported by the utility:
Global Flags (Common to all providers)
| Flag | Environment Variable | Required / Optional | Description |
|---|---|---|---|
| subscriptionID | MPF_SUBSCRIPTIONID | Required | |
| tenantID | MPF_TENANTID | Required | |
| spClientID | MPF_SPCLIENTID | Required | |
| spObjectID | MPF_SPOBJECTID | Required | Note this is the SP Object id and is different from the Client ID |
| spClientSecret | MPF_SPCLIENTSECRET | Required | |
| showDetailedOutput | MPF_SHOWDETAILEDOUTPUT | Optional | If set to true, the output shows details of permissions resource wise as well. This is not needed if --jsonOutput is specified |
| jsonOutput | MPF_JSONOUTPUT | Optional | If set to true, the detailed output is printed in JSON format |
| verbose | MPF_VERBOSE | Optional | If set to true, verbose output with informational messages is displayed |
| debug | MPF_DEBUG | Optional | If set to true, output with detailed debug messages is displayed. The debug messages may contain sensitive tokens |
ARM Flags
| Flag | Environment Variable | Required / Optional | Description |
|---|---|---|---|
| templateFilePath | MPF_TEMPLATEFILEPATH | Required | ARM template file with path |
| parametersFilePath | MPF_PARAMETERSFILEPATH | Required | ARM template parameters file with path |
| resourceGroupNamePfx | MPF_RESOURCEGROUPNAMEPFX | Optional | Prefix for the resource group name. If not provided, default prefix is testdeployrg. For ARM deployments this temporary resource group is created |
| deploymentNamePfx | MPF_DEPLOYMENTNAMEPFX | Optional | Prefix for the deployment name. If not provided, default prefix is testDeploy. For ARM deployments this temporary deployment is created |
| location | MPF_LOCATION | Optional | Location for the resource group. If not provided, default location is eastus |
Bicep Flags
| Flag | Environment Variable | Required / Optional | Description |
|---|---|---|---|
| bicepFilePath | MPF_BICEPFILEPATH | Required | Bicep file with path |
| parametersFilePath | MPF_PARAMETERSFILEPATH | Required | Bicep parameters file with path |
| bicepExecPath | MPF_BICEPEXECPATH | Required | Path to the Bicep executable |
| resourceGroupNamePfx | MPF_RESOURCEGROUPNAMEPFX | Optional | Prefix for the resource group name. If not provided, default prefix is testdeployrg. For Bicep deployments this temporary resource group is created |
| deploymentNamePfx | MPF_DEPLOYMENTNAMEPFX | Optional | Prefix for the deployment name. If not provided, default prefix is testDeploy. For Bicep deployments this temporary deployment is created |
| location | MPF_LOCATION | Optional | Location for the resource group. If not provided, default location is eastus |
Terraform Flags
| Flag | Environment Variable | Required / Optional | Description |
|---|---|---|---|
| tfPath | MPF_TFPATH | Required | Path to the Terraform executable |
| workingDir | MPF_WORKINGDIR | Required | Path to the Terraform module directory |
| varFilePath | MPF_VARFILEPATH | Optional | Path to the Terraform variables file |
Installation
You can download the latest version for your platform from the releases link.
For example, to download the latest version for Windows:
# Please change version in the URL to the latest version
curl -LO https://github.com/maniSbindra/az-mpf/releases/download/v0.8.5/az-mpf_0.8.5_windows_amd64.tar.gz
tar -xzf az-mpf_0.8.5_windows_amd64.tar.gz
mv az-mpf_0.8.5_windows_amd64 az-mpf.exe
chmod +x ./az-mpf.exeAnd for Mac Arm64:
# Please change version in the URL to the latest version
curl -LO https://github.com/maniSbindra/az-mpf/releases/download/v0.8.5/az-mpf_0.8.5_darwin_arm64.tar.gz
tar -xzf az-mpf_0.8.5_darwin_arm64.tar.gz
mv az-mpf-darwin-arm64 az-mpf
chmod +x ./az-mpfVerify Release Binaries using SLSA Verifier
The release binaries are signed using the SLSA (Supply Chain Levels for Software Artifacts) framework. You can verify the release binaries using the SLSA Verifier. The following steps show how to verify the release binary for darwin/arm64 against release 0.8.5, using the SLSA Verifier:
Note:! There was an issue with provenance generation of this release. This will be addressed as a part of issue #52
# download arm64 darwin release binary and the multiple.intoto.jsonl file
curl -LO https://github.com/maniSbindra/az-mpf/releases/download/v0.8.5/az-mpf_0.8.5_darwin_arm64.tar.gz
curl -LO https://github.com/maniSbindra/az-mpf/releases/download/v0.8.5/multiple.intoto.jsonl
# modify path to the slsa-verifier binary as per your installation and verify the release binary
$ /PATH_TO_VERIFER/slsa-verifier verify-artifact az-mpf_0.8.5_darwin_arm64.tar.gz --provenance-path multiple.intoto.jsonl --source-uri github.com/maniSbindra/az-mpf --source-tag v0.8.5
Verified signature against tlog entry index 76002620 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ae67470bb23a7a809a475c46078739a61725936641b76508ac420e02e217475de
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 648fe797c5b5253360ae1c6e60bd9521544209bc
Verifying artifact az-mpf_0.8.5_darwin_arm64.tar.gz: PASSED
PASSED: Verified SLSA provenanceUsage Details
ARM
export MPF_SUBSCRIPTIONID=YOUR_SUBSCRIPTION_ID
export MPF_TENANTID=YOUR_TENANT_ID
export MPF_SPCLIENTID=YOUR_SP_CLIENT_ID
export MPF_SPCLIENTSECRET=YOUR_SP_CLIENT_SECRET
export MPF_SPOBJECTID=YOUR_SP_OBJECT_ID
$ ./az-mpf arm --templateFilePath ./samples/templates/aks-private-subnet.json --parametersFilePath ./samples/templates/aks-private-subnet-parameters.json
------------------------------------------------------------------------------------------------------------------------------------------
Permissions Required:
------------------------------------------------------------------------------------------------------------------------------------------
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Bicep
export MPF_SUBSCRIPTIONID=YOUR_SUBSCRIPTION_ID
export MPF_TENANTID=YOUR_TENANT_ID
export MPF_SPCLIENTID=YOUR_SP_CLIENT_ID
export MPF_SPCLIENTSECRET=YOUR_SP_CLIENT_SECRET
export MPF_SPOBJECTID=YOUR_SP_OBJECT_ID
export MPF_BICEPEXECPATH="/opt/homebrew/bin/bicep" # Path to the Bicep executable
$ ./az-mpf bicep --bicepFilePath ./samples/bicep/aks-private-subnet.bicep --parametersFilePath ./samples/bicep/aks-private-subnet-params.json
------------------------------------------------------------------------------------------------------------------------------------------
Permissions Required:
------------------------------------------------------------------------------------------------------------------------------------------
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
------------------------------------------------------------------------------------------------------------------------------------------
Terraform
export MPF_SUBSCRIPTIONID=YOUR_SUBSCRIPTION_ID
export MPF_TENANTID=YOUR_TENANT_ID
export MPF_SPCLIENTID=YOUR_SP_CLIENT_ID
export MPF_SPCLIENTSECRET=YOUR_SP_CLIENT_SECRET
export MPF_SPOBJECTID=YOUR_SP_OBJECT_ID
export MPF_TFPATH=TERRAFORM_EXECUTABLE_PATH
# pushd .
# cd ./samples/terraform/aci/
# $MPF_TFPATH init
# popd
$ ./az-mpf terraform --workingDir `pwd`/samples/terraform/aci --varFilePath `pwd`/samples/terraform/aci/dev.vars.tfvars
------------------------------------------------------------------------------------------------------------------------------------------
Permissions Required:
------------------------------------------------------------------------------------------------------------------------------------------
Microsoft.ContainerInstance/containerGroups/delete
Microsoft.ContainerInstance/containerGroups/read
Microsoft.ContainerInstance/containerGroups/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/resourcegroups/delete
Microsoft.Resources/subscriptions/resourcegroups/read
Microsoft.Resources/subscriptions/resourcegroups/write
------------------------------------------------------------------------------------------------------------------------------------------
Is is also possible to additionally view detailed resource level permissions required as shown in the display options documents.
The blog post Figuring out the Minimum Permissions Required to Deploy an Azure ARM Template provides a more contextual usage scenario for az-mpf.
Display Options
To view details of display options the utility provides please refer to the display options document.
Building Locally
You can also build locally by cloning this repo and running make build.
Testing Locally
Unit Tests
To run the unit tests, run make test.
End to End ARM and Bicep Tests
To run the end to end tests for ARM and Bicep, you need to have the following environment variables set, and then execute make test-e2e:
export MPF_SUBSCRIPTIONID=YOUR_SUBSCRIPTION_ID
export MPF_TENANTID=YOUR_TENANT_ID
export MPF_SPCLIENTID=YOUR_SP_CLIENT_ID
export MPF_SPCLIENTSECRET=YOUR_SP_CLIENT_SECRET
export MPF_SPOBJECTID=YOUR_SP_OBJECT_ID
export MPF_BICEPEXECPATH="/opt/homebrew/bin/bicep" # Path to the Bicep executable
make test-e2eEnd to End Terraform Tests
The Terraform end to end tests, can take a long time to execute, depending on the resources being created. To run the end to end tests for Terraform, you need to have the following environment variables set, and then execute make test-e2e-terraform:
export MPF_SUBSCRIPTIONID=YOUR_SUBSCRIPTION_ID
export MPF_TENANTID=YOUR_TENANT_ID
export MPF_SPCLIENTID=YOUR_SP_CLIENT_ID
export MPF_SPCLIENTSECRET=YOUR_SP_CLIENT_SECRET
export MPF_SPOBJECTID=YOUR_SP_OBJECT_ID
export MPF_TFPATH=$(which terraform) # Path to the Terraform executable
make test-e2e-terraformPermissions required by default Azure CLI credentials
The default Azure CLI credentials used by the utility need to have the following permissions:
- "Microsoft.Authorization/roleDefinitions/read"
- "Microsoft.Authorization/roleDefinitions/write"
- "Microsoft.Authorization/roleDefinitions/delete"
- "Microsoft.Authorization/roleAssignments/read"
- "Microsoft.Authorization/roleAssignments/write"
- "Microsoft.Authorization/roleAssignments/delete"
- "Microsoft.Resources/subscriptions/resourcegroups/delete"
- "Microsoft.Resources/subscriptions/resourcegroups/read"
- "Microsoft.Resources/subscriptions/resourcegroups/write"
Debugging Locally and Contributing
The CONTRIBUTING.md file provides details on how to debug locally and contribute to this project.