Regarding RBAC role & scope for creating static web apps

Sys Admin 6

A user in our organization needs to create static web apps in Azure. Please let us know the appropriate RBAC role and scope which can be assigned for that user.

Tarek Nabil 1 Reputation point

2022-12-01T23:35:56.927+00:00

Azure Static Web Apps have been generally available for ages now. Is there still not a standard RBAC role that allows a user to create one?
Ryan Hill 25,476 Reputation points Microsoft Employee

2022-12-03T06:13:50.167+00:00

@Tarek Nabil I'm checking with the product group.
Keifer Hofacker 1 Reputation point

2023-01-06T17:19:16.613+00:00

Hi Ryan, did you hear anything from the product group? I can confirm that there's still no standard RBAC role that grants permission to Microsoft.Web/staticSites.

2 answers

Aleksandra C 5 Reputation points

2023-09-26T13:23:13.27+00:00

Hello,

I recently needed to assign a Microsoft.Web/staticSites/Write role for a Service Principal and there was not a straightforward solution for that. The Role was not present in the RBAC on Subscription level.

The following solution worked for me:

I created a Custom Role on Subscription level and for the Permissions, I searched for microsoft.web/staticSites. There is a list of several permissions for the staticWebApps. The scope can be on Subscription, but also Resource Group or Management Group level. If you choose the Resource Group scope, then the Role Assignment needs to be executed on Resource Group level.

After I created the Custom Role, I easily assigned the Role to the Service Principal.

Here is the official doc for creating a custom role: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

Regards,

Aleksandra
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Ryan Hill 25,476 Reputation points Microsoft Employee

2021-04-09T02:43:18.243+00:00

Hi @Sys Admin ,

If you are looking for least privileged, then Website contributor should be fine; see https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor. You don't need to create a separate app service plan when creating a Static Web App. You can apply this at the subscription level or at the resource group level.

Regards,
Ryan
Please sign in to rate this answer.
Sys Admin 6 Reputation points

2021-04-14T14:54:31.493+00:00

Hi Ryanchill,
Greetings of the day!! Hope you are doing well..

I assigned the 'Website Contributor' IAM role as suggested by you for the user's ID, both at Resource Group level as well as Subscription level. But the user is getting an error in the 'Basics' section while trying to name the Static Web App (Preview) resource :-

"The client 'XXXX@xxxxxxxxxxxxx .com' with object id 'XXXXXX-XXXX-XXXX-XXXXX' does not have authorization to perform action 'Microsoft.Web/staticsites/read' over scope '/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/XXXX/providers/Microsoft.Web/staticsites/saszf' or the scope is invalid. If access was recently granted, please refresh your credentials. "

Please help.

Thanks & Regards,
SysAdmin-3492

Ryan Hill 25,476 Reputation points Microsoft Employee

2021-05-10T16:54:42.393+00:00

Apologies for the delayed response @Sys Admin . I've heard back from the product team and try applying Microsoft.Web/staticSites/Write. This is not documented since Static Web Sites is still preview. Please do let me know if this works or not.

{ "Name": "Microsoft.Web/staticSites/Write", "Display": { "Provider": "Microsoft Web Apps", "Resource": "Static Site", "Operation": "Create or Update Static Site", "Description": "Create a new Static Site or update an existing one" }, "Origin": "user,system" },

Pitawat 331 Reputation points

2022-01-13T07:07:14.23+00:00

Hi @Ryan Hill ,

Given that Azure Static Web Apps is now generally available, what is the appropriate RBAC role to assign to a user so that they can create and manage Static Web Sites?

Under a resource group, in the "Add role assignment" page, I searched for a term "static" and no results came up.

Thanks.

Tarek Nabil 5 Reputation points

2023-03-09T00:11:46.9433333+00:00

Hi Ryan,

I don't think this is correct. This role doesn't have any of the Microsoft.Web/staticSites/* permissions.

Shinto Kodivalappil Anto 20 Reputation points

2023-06-16T14:05:54.8666667+00:00

Never worked with Website Contributor
Sign in to comment