How to create an Azure JIT user RBAC role
When you speak about security in a public cloud environment, every single action that can reduce the attack surface should be taken.
Microsoft Azure provides a very good tool that can enable any port on any VM for a single time window and a specific IP; it's called Just In Time access (JIT) and is available in Azure Security Center. I suggest you read this post.
For one of our clients, we wanted to allow engineers to request access themselves instead of opening tickets to support and breaking the cloud promise of bringing services fast as light! Sadly, no single built-in RBAC role was present to fulfill this request. Yours truly found the exact actions needed to achieve this goal, and you'll find the PowerShell script below to help you.
First of all, let's deep dive into how I figured out which rights are needed for JIT and the provider associated with them.
To get the provider I used this command first
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState
That gives me the following result.
Now it's easy to figure out which provider is needed, as we are talking about security...
Let's have a look at the operations available in this provider.
Get-AzureRMProviderOperation microsoft.Security/*
In the huge list, you'll find 3 operations related to JIT.
As I don't want my users to create new JIT policies and/or actions, I'll use only:
- Microsoft.Security/locations/jitNetworkAccessPolicies/read : in order to see the VM listed in Azure Security Center
- Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action : in order to initiate the access request
So now we have everything we need to create our custom RBAC role using the following PowerShell snippet:
Login-AzureRMAccount
# Start from a built-in role definition, then strip it down to the two JIT operations only
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Just In Time access User"
$role.Description = "Users that can enable access to Virtual Machines."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/read")
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")
# Restrict where the role can be assigned (replace the placeholder with your subscription GUID)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/<subscription_guid>")
New-AzureRmRoleDefinition -Role $role
Now you have your new role and can assign users to it, so they can request access whenever they need to work without waiting for support to enable it 🙂
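As an added example (not part of the original post), this is how I would assign the new role to an Azure AD group at subscription scope and, before doing so, verify that the role definition still carries only the two JIT actions. The group name "JIT-Users" and the subscription GUID are placeholders, not values from the post.

```powershell
# Added example: assign the JIT role to an AAD group and check it stays least-privilege.
# The subscription GUID and group name below are placeholders (assumptions).
$subscriptionId = "<subscription_guid>"
$groupName      = "JIT-Users"                 # hypothetical AAD security group
$roleName       = "Just In Time access User"
$scope          = "/subscriptions/$subscriptionId"

# The only two operations the role is supposed to carry
$expectedActions = @(
    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
)

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# 1. Verify the definition before assigning: exactly the two actions,
#    nothing in NotActions, and only this subscription as assignable scope.
$role        = Get-AzureRmRoleDefinition -Name $roleName
$unexpected  = $role.Actions          | Where-Object { $_ -notin $expectedActions }
$missing     = $expectedActions       | Where-Object { $_ -notin $role.Actions }
$extraScopes = $role.AssignableScopes | Where-Object { $_ -ne $scope }
if ($unexpected -or $missing -or $extraScopes -or $role.NotActions.Count -gt 0) {
    Write-Warning "Role '$roleName' has drifted from the expected definition:"
    Write-Warning ("  unexpected actions: " + ($unexpected -join ", "))
    Write-Warning ("  missing actions:    " + ($missing -join ", "))
    Write-Warning ("  NotActions:         " + ($role.NotActions -join ", "))
    Write-Warning ("  extra scopes:       " + ($extraScopes -join ", "))
    throw "Refusing to assign a role that is no longer least-privilege."
}

# 2. Assign the role to a group rather than to individual users, so that
#    membership changes never require touching RBAC again.
$group = Get-AzureRmADGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "AAD group '$groupName' not found." }

$existing = Get-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
} else {
    Write-Output "Assignment already present; nothing to do."
}

# 3. Audit: who holds the JIT role at this scope right now?
Get-AzureRmRoleAssignment -RoleDefinitionName $roleName -Scope $scope |
    Select-Object DisplayName, ObjectType, Scope
```

Re-running step 3 periodically (or the whole script, since the assignment is idempotent) gives you a quick check that the role definition has not been widened and that only the intended group holds it.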
EDIT
Charbel Nemnom has just published a wonderful script to request a VM access. His script with this role is the perfect combo to grant secure VM access to your users.