Azure Role Based Access Control (RBAC)-what role to assign to outside engineer to help build App Service Laravel app including MySQL Flexible DB

Stephen Wartel 60 Reputation points
2024-03-29T00:51:48.9966667+00:00

I need to grant temporary access to an outside developer/engineer to access a new Azure App Service Laravel App including MySQL Flexible Database server so they can help set it up, configure it (environment variables, SSH nginx scripts, etc.).

They would be setting up/configuring their Laravel package on my Azure site's App Service app.

I would first create the basic App Service app with PHP 8.2 and a MySQL DB, then need them to directly access it to help configure it correctly.

I do not want to include access to my account billing or security profile/settings/data, for security purposes. Have been reading RBAC roles, including custom roles, and, new to using Azure, I am not sure what role/customization to set up and assign to them.

What would be the minimum access to facilitate their accessing, helping set up, especially configure this single App Service App?

Any help appreciated.

Azure Database for MySQL
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
825 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,761 questions
0 comments No comments
{count} votes

Accepted answer
  1. Babafemi Bulugbe 3,705 Reputation points MVP
    2024-03-29T05:54:10.07+00:00

    Hello Stephen Wartel,

    Thank you for contacting Microsoft Q&A Community Support.

    Based on the information provided, I would advise you to create a resource group specifically for this purpose and assign the user a contributor role on this particular resource group.

    This access to the dedicated resource group will prevent the developers' access to other resources within your Organization. This will also prevent them access to the billing and other security policies set on the subscription. However, the developers can do all the necessary configurations on both resources (basic App Service app with PHP 8.2 and a MySQL DB) deployed within the Resources group.

    User's image

    NB: The contributor role gives them full access to the resources within the resource group but not access to be able to assign permission to another developer. With this, you still control the security of the resource group.

    Let me know if further assistance is needed.

    Babafemi

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Stephen Wartel 60 Reputation points
    2024-03-29T14:51:09.39+00:00

    Thank you, Babafemi.

    Just the answer that I was looking for.

    Best Wishes,


  2. SnehaAgrawal-MSFT 21,506 Reputation points
    2024-03-29T16:29:34.3266667+00:00

    @Stephen Wartel Thanks for reaching here!

    To add more on above response-

    To grant temporary access to an outside developer/engineer to access a new Azure App Service Laravel App including MySQL Flexible Database server so they can help set it up, configure it (environment variables, SSH nginx scripts, etc.), you can create a custom role with the minimum permissions required for them to perform the necessary tasks.

    Here are the steps to create a custom role:

    1. In the Azure portal, go to the "Access control (IAM)" tab for your subscription or resource group.
    2. Click on the "Add" button and select "Add custom role".
    3. Give the role a name, such as "App Service Configurator".
    4. Under "Permissions", select the minimum set of permissions required for the developer/engineer to perform the necessary tasks. For example, you can select the "Microsoft.Web/sites/config/" permission to allow them to configure the App Service app, and the "Microsoft.DBforMySQL/flexibleServers/" permission to allow them to configure the MySQL Flexible Database server.
    5. Under "Assignments", select the scope of the role assignment. For example, you can select the resource group that contains the App Service app and MySQL Flexible Database server.
    6. Click on the "Review + create" button and then "Create" to create the custom role.

    Once the custom role is created, you can assign it to the developer/engineer by going to the "Access control (IAM)" tab for the resource group that contains the App Service app and MySQL Flexible Database server, clicking on the "Add" button, and selecting "Add role assignment". Then, select the custom role you created and enter the email address of the developer/engineer.

    With this custom role, the developer/engineer will have the minimum permissions required to access and configure the App Service app and MySQL Flexible Database server, without having access to your account billing or security profile/settings/data.

    Create or update Azure custom roles using the Azure portal

    https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

    Hope this helps-

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.