role-based-access-control | based authorization Role-based access | Frontend Framework library

My assumption is that you already created/set up your google groups. If not, see this link to Configure Google Groups for RBAC and you must update your cluster to enable RBAC feature.

To update an existing cluster to Enable the Google Groups for RBAC feature, perform the following steps in Google Cloud Console:

1. Go to the Google Kubernetes Engine page in Cloud Console.

2. Go to Google Kubernetes Engine

3. Beside the cluster you want to edit, click more_vert Actions, then click edit Edit.

4. Under the Details tab, for the Google Groups for RBAC field, click edit Edit Google Groups for RBAC.

5. Select the Enable Google Groups for RBAC checkbox.

6. Enter your security group name.

7. Click Save changes.

Primary difference is that Role Assignments is an Azure Subscription thing while App Role Assignments is Microsoft Graph API thing.

You use Role Assignments to assign access to users in your Azure AD to various resources in an Azure Subscription. Based on the role assigned, a user is able to perform activities against the Azure resources in an Azure Subscription.

App Role Assignments is essentially assigning access to users in your Azure AD to the custom roles that you created for your Azure AD application. These roles are essentially custom roles specific to your application (e.g. Administrator, User etc.) and is used in your application code to restrict access to various parts of your application e.g. a user in "Administrator" app role can access admin screens while a user in "User" app role can't.

Looks it is a bug in java SDK, the DocumentDB Account Contributor role is enough to create the database and container as it has the Microsoft.DocumentDb/databaseAccounts/* permission(* is a wildcard, it also includes the Microsoft.DocumentDB/databaseAccounts/readMetadata you mentioned).

When I test to use a service principal with this role to create the database with the powershell New-AzCosmosDBSqlDatabase, it works fine. When using the service principal to run this command, it essentially uses the Azure AD client credential flow to get the token, then uses the token to call the REST API - PUT https://management.azure.com/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.DocumentDB/databaseAccounts/xxxx/sqlDatabases/testdb1?api-version=2020-04-01 to create the database, the java SDK essentially also does the same thing, so it should also work.

This has been resolved after much testing and reading. The issue is that Azure RBAC role definition IDs are not a resource and are not tagged, thus the issue was in the policy Mode:

Tagged resources and locations are processed with Indexed Policy Mode

The error means your user account does not have the permission to create the role assignment, specifically Microsoft.Authorization/roleAssignments/write.

To solve the issue, you need to ask the admin who is the Owner or User Access Administrator(or custom RBAC role with Microsoft.Authorization/roleAssignments/write permission) of your subscription to assign the Owner or User Access Administrator or custom role with the permission above for you at the subscription scope first, follow this link, then get a new token, you will be able to assign the role to others like the admin assign the role to you i.e. create role assignment.

Update:

If you want to get the access token via your user credential, you could use the auth code flow, please follow the steps below.

1.In your App registration, add the user_impersonation Delegated permission of Azure Service Management API.

2.Hit the URL below in the browser, change the tenant-id, client-id, redirect_uri to yours, login your user account.

I think what you are looking for is app roles and appRoleAssignments: https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0&tabs=http. You can define user roles in your app registration manifest, and then assign them through API calls to the endpoint linked above, or through the Azure AD management UI (Enterprise applications -> your app -> Users and groups).

Documentation for app roles: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Example defined role from the above docs:

Now from a logical standpoint if both the users are able to execute */read doesn't Reader role automatically qualify to query the logs?

They are both able to execute */read, but Reader cannot query the logs.

If not, how is it different?

The difference is Monitoring Reader can execute the Microsoft.OperationalInsights/workspaces/search/action and Microsoft.Support/* actions.

Also which role is superior in terms of access to readable data?

From the actions scope of the role definition, obviously the Monitoring Reader is superior in terms of access to readable data.

Based on my test, Microsoft.Web/sites/config/Write is enough.

My custom role for your reference.

It's not supported to use a service principal to elevate access for itself currently.

You need to use another Global Administrator account with elevated access at root scope to do this for a service principal.

In other words, we cannot use the Azure REST API Global Administrator - Elevate Access to accomplish this.

It's recommended to use Azure PowerShell.

A sample for your reference: