What is the proper approach to providing to an Azure Function granular, least-privilege access to specific Azure resources in Serverless? For AWS, this is implemented using the iamRoleStatements block in serverless.yml, which provides Lambda functions in the service/stack access to specific operations/actions on specific resources by ARN (for example, writing to an S3 bucket or DynamoDB table).
Azure has the concept of a “Service Principal”, which seems to provide general ability to create resources and deploy them. But there is also the more granular concept of Role-Based Access Control and the more recent capability provided by Managed Service Identities (MSI). The following article explains how MSIs can be implemented generally using the Azure Portal, but is this something that can be done via Serverless?
Is this even the right approach?
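For reference, here is the AWS pattern the question describes, as an added example written for this thread rather than taken from the original post or from the Serverless Framework docs: a `serverless.yml` whose `iamRoleStatements` block limits the service's Lambda functions to specific actions on specific resources identified by ARN. The bucket name, table name, region and account id are constructed placeholders; the `iamRoleStatements` key and the IAM action names are real Serverless Framework / AWS identifiers.

```yaml
# Added example: least-privilege IAM for Lambda in serverless.yml (AWS provider).
# Resource names, region and account id below are constructed placeholders.
service: orders-api

provider:
  name: aws
  runtime: nodejs18.x
  region: eu-west-1
  # These statements are attached to the single execution role that the
  # framework generates for every function in this service. Each statement
  # names explicit actions and an explicit ARN; no wildcard "*" resources.
  iamRoleStatements:
    # Write-only access to one prefix of one S3 bucket (no read, no list,
    # no delete), so a compromised function cannot exfiltrate other objects.
    - Effect: Allow
      Action:
        - s3:PutObject
      Resource:
        - arn:aws:s3:::example-orders-bucket/incoming/*

    # Item-level read/write on one DynamoDB table only; no Scan, no Delete.
    - Effect: Allow
      Action:
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:Query
      Resource:
        - arn:aws:dynamodb:eu-west-1:123456789012:table/example-orders-table

functions:
  createOrder:
    handler: handler.createOrder
    events:
      - http:
          path: orders
          method: post
```

Two things worth checking when applying this pattern: the role is shared by all functions in the service, so the statements are the union of what every function needs (per-function roles need a separate `role:` property on the function or a plugin); and `Resource` should stay a concrete ARN rather than `"*"`, otherwise the statement grants the action on every bucket or table in the account.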
I have been using the Serverless Framework with AWS and being able to create and manage the permissions for the Lambda functions within the YAML is great.
I am now looking at developing with Azure functions using the Serverless Framework, but I can’t see how to customise the RBAC roles or create RBAC roles as a custom resource. For example, what’s the most convenient way to give the Azure function code permission to write to a Cosmos DB database?
So I just wondered what approach you used in the end?
Facing similar problems. I would like to assign different role definitions (roles) to Azure functions, so that the principle of least privilege can be followed effectively. With the Serverless Framework, I can’t find any way to assign function-wise roles for Azure (but the same can be done with AWS Lambda functions). Does Serverless already have something to achieve this, or will they be developing/not developing it in future? Any suggestions here will be very helpful. Thanks.