
I have two subscriptions.

On one subscription I run Logic Apps, and on the Logic Apps I have Azure Functions.

The other subscription contains the target resources for the automation via Logic Apps and Azure Functions.

In order to run the Logic Apps and the Azure Functions associated with them, what privileges do I need on the target subscription? I want to be able to do things like stop VMs, change NSG settings, run malware scans, etc.

Do I need to run the logic app using an account that has owner permissions on both the subscriptions?

Regards, Kelly


1 Answer


It's best to use a service principal for having centralized access control.

With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.

[Image: Logic Apps ARM connector configured with a service principal]

Another option would be to use Managed Identity, but that is supported only for the HTTP Action.

Even in your Function Apps, you could either set up Managed Identity or use the Client Credentials Flow using the Service Principal details.

As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.

You could also provision finer access to resources by creating custom roles.
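As an added example (not part of the answer above), the least-privilege setup it recommends expressed as Azure CLI calls: a service principal for the Logic Apps ARM connector and a Function App managed identity, each given only Virtual Machine Contributor on the target subscription or resource group instead of Owner. The subscription id, resource group and app names are placeholders, and the helper functions and the RUN_AZ switch are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the Azure CLI ("az") is
# installed and you are logged in with rights to create role assignments in
# the target subscription. Placeholder ids/names must be replaced.
set -eu

# Build an ARM scope string. A resource group scope is tighter than the
# whole subscription; pass an empty group to scope to the subscription.
scope_for() {
  local subscription_id="$1" resource_group="${2:-}"
  if [ -n "$resource_group" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$subscription_id" "$resource_group"
  else
    printf '/subscriptions/%s' "$subscription_id"
  fi
}

# Refuse the broad roles the question considered; prefer task-specific
# built-in roles such as "Virtual Machine Contributor".
is_least_privilege_role() {
  case "$1" in
    Owner|Contributor|"User Access Administrator") return 1 ;;
    *) return 0 ;;
  esac
}

# Service principal for the Logic Apps ARM connector, with a single role
# assignment at the target scope (the secret is in the JSON output).
create_scoped_sp() {
  local name="$1" role="$2" scope="$3"
  is_least_privilege_role "$role" || { echo "refusing broad role: $role" >&2; return 1; }
  az ad sp create-for-rbac --name "$name" --role "$role" --scopes "$scope" --output json
}

# Enable the Function App's system-assigned managed identity and grant it
# the same narrow role at the same scope (no secret to store).
grant_function_identity() {
  local func_rg="$1" func_name="$2" role="$3" scope="$4"
  is_least_privilege_role "$role" || { echo "refusing broad role: $role" >&2; return 1; }
  local principal_id
  principal_id=$(az functionapp identity assign -g "$func_rg" -n "$func_name" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
}

# Set RUN_AZ=1 to actually call the CLI with the placeholder values below.
if [ "${RUN_AZ:-0}" = "1" ]; then
  TARGET_SCOPE=$(scope_for "00000000-0000-0000-0000-000000000000" "target-rg")
  create_scoped_sp "logicapps-automation-sp" "Virtual Machine Contributor" "$TARGET_SCOPE"
  grant_function_identity "automation-rg" "automation-func" "Virtual Machine Contributor" "$TARGET_SCOPE"
fi
```

Stopping VMs needs only Virtual Machine Contributor; NSG changes need Network Contributor, so add one assignment per role at the same scope rather than widening a single one.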