This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I am attempting to answer the following question ...
https://learn.microsoft.com/en-us/credentials/certifications/exams/az-305/practice/assessment?assessment-type=practice&assessmentId=15
"You are designing a solution that uses Azure Kubernetes Service (AKS).
You need to ensure that a user has permissions to view and modify AKS roles within an AKS cluster. The solution must follow the principle of least privilege.
Which built-in role should you assign to the user?"
So I thought the answer to the question was "Azure Kubernetes Service Cluster Admin Role"
However the answer given was ...
Azure Kubernetes Service Contributor Role
Contributors can change roles and bindings. The Azure Kubernetes Service Cluster Admin role provides permissions to list cluster admin credential actions only. The Azure Kubernetes Service RBAC Writer role cannot modify roles and role bindings. The Azure Kubernetes Service Cluster User role can only list user credential access.
Azure built-in roles - Azure RBAC | Microsoft Learn
Design for role-based access control (RBAC) - Training | Microsoft Learn
But I previously understood that Contributors could not change user permissions, i.e.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Please can you help me resolve the above?
Hi @Kieran Wood
Thank you for reaching out to the Microsoft Q&A platform.
The Azure Kubernetes Service Cluster Admin role provides permissions to list cluster admin credential actions only. It does not provide permissions to modify AKS roles within an AKS cluster.
To ensure that a user has permissions to view and modify AKS roles within an AKS cluster, you should assign the "Azure Kubernetes Service RBAC Writer Role". This role allows the user to create, read, update, and delete role assignments and role definitions within an AKS cluster. This role is appropriate for users who need to manage role-based access control (RBAC) for an AKS cluster, but do not need full administrative access.
Therefore, the correct answer to the question "You are designing a solution that uses Azure Kubernetes Service (AKS). You need to ensure that a user has permission to view and modify AKS roles within an AKS cluster. The solution must follow the principle of least privilege. Which built-in role should you assign to the user?" is "Azure Kubernetes Service RBAC Writer Role".
Ref: https://learn.microsoft.com/en-us/azure/aks/concepts-identity#built-in-roles
If I have answered your query, please click "Accept as answer" as a token of appreciation
Thank you Prrudram-MSFT ,
So according to your research the answer to the question is given within https://learn.microsoft.com/en-us/azure/aks/concepts-identity#built-in-roles. So the answer should be "Azure Kubernetes Service RBAC Writer Role" not "Azure Kubernetes Service Contributor Role". However the situation still remains that the answer given within https://learn.microsoft.com/en-us/credentials/certifications/exams/az-305/practice/assessment?assessment-type=practice&assessmentId=15 is still incorrect. How do I give feedback to Microsoft so Microsoft can fix this error. Please find the following screen shot to highlight this issue further ...
I do consider that it is very important that this is resolved since this will cause confusion for other people revising for the AZ305 Azure Architecture exam.
It's OK Prrudram-MSFT I now have a route to the Microsoft content team
It's OK Prrudram-MSFT I now have a route to the Microsoft content team.