azure-rbac
Find minimal Azure RBAC roles, generate assignment commands, and provide Bicep infrastructure code.
- Identifies built-in roles matching desired permissions using Azure documentation, or generates custom role definitions when no built-in role fits
- Produces Azure CLI commands and Bicep code snippets for role assignments to identities, managed identities, and service principals
- Documents prerequisites for granting roles, including required permissions and recommended least-privilege role options (User Access Administrator, Owner, or custom roles with
Microsoft.Authorization/roleAssignments/write) - Supports common scenarios: least-privilege access, blob storage roles, managed identity permissions, and custom role creation
Use the 'azure__documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure__extension_cli_generate' tool to create a custom role definition with the desired permissions. Then use the 'azure__extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure__bicepschema' and 'azure__get_azure_bestpractices' tools to provide a Bicep code snippet for adding the role assignment. If user is asking about role necessary to set access, refer to Prerequisites for Granting Roles down below:
Prerequisites for Granting Roles
To assign RBAC roles to identities, you need a role that includes the Microsoft.Authorization/roleAssignments/write permission. The most common roles with this permission are:
- User Access Administrator (least privilege - recommended for role assignment only)
- Owner (full access including role assignment)
- Custom Role with
Microsoft.Authorization/roleAssignments/write