question

SysAdmin-3492 avatar image
0 Votes"
SysAdmin-3492 asked PitawatNantamanop-3754 commented

Regarding RBAC role & scope for creating static web apps

A user in our organization needs to create static web apps in Azure. Please let us know the appropriate RBAC role and scope which can be assigned for that user.

azure-rbacazure-static-web-apps
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

ryanchill avatar image
0 Votes"
ryanchill answered PitawatNantamanop-3754 commented

Hi @SysAdmin-3492,

If you are looking for least privileged, then Website contributor should be fine; see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor. You don't need to create a separate app service plan when creating a Static Web App. You can apply this at the subscription level or at the resource group level.

Regards,
Ryan

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Ryanchill,
Greetings of the day!! Hope you are doing well..

                   I assigned the 'Website Contributor' IAM role as suggested by you for the user's ID, both at Resource Group level as well as Subscription level. But the user is getting an error in the 'Basics' section while trying to name the Static Web App (Preview) resource :-

"The client 'XXXX@XXXX.com' with object id 'XXXXXX-XXXX-XXXX-XXXXX' does not have authorization to perform action 'Microsoft.Web/staticsites/read' over scope '/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/XXXX/providers/Microsoft.Web/staticsites/saszf' or the scope is invalid. If access was recently granted, please refresh your credentials. "

Please help.

Thanks & Regards,
SysAdmin-3492




0 Votes 0 ·

Apologies for the delayed response @SysAdmin-3492. I've heard back from the product team and try applying Microsoft.Web/staticSites/Write. This is not documented since Static Web Sites is still preview. Please do let me know if this works or not.

{
    "Name": "Microsoft.Web/staticSites/Write",
    "Display": {
      "Provider": "Microsoft Web Apps",
      "Resource": "Static Site",
      "Operation": "Create or Update Static Site",
      "Description": "Create a new Static Site or update an existing one"
    },
    "Origin": "user,system"
  },

0 Votes 0 ·

Hi @ryanchill ,

Given that Azure Static Web Apps is now generally available, what is the appropriate RBAC role to assign to a user so that they can create and manage Static Web Sites?

Under a resource group, in the "Add role assignment" page, I searched for a term "static" and no results came up.

Thanks.

0 Votes 0 ·