azure-role-selector
Recommend least-privilege Azure RBAC roles for deployed resources. Finds minimal built-in roles matching desired permissions or creates custom role definitions. Use during security analysis or when configuring access for service principals and managed identities.
Install
mkdir -p .claude/skills/azure-role-selector-weiflycc-cmd && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14959" && unzip -o skill.zip -d .claude/skills/azure-role-selector-weiflycc-cmd && rm skill.zipInstalls to .claude/skills/azure-role-selector-weiflycc-cmd
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Recommend least-privilege Azure RBAC roles for deployed resources. Finds minimal built-in roles matching desired permissions or creates custom role definitions. Use during security analysis or when configuring access for service principals and managed identities.About this skill
Azure Role Selector
Recommend the most appropriate Azure RBAC roles following the principle of least privilege. Find minimal built-in roles or define custom roles when needed.
Adapted from github/awesome-copilot azure-role-selector skill.
When to Use
- When deploying resources that need RBAC assignments
- When configuring managed identity access between resources
- When setting up service principals for CI/CD pipelines
- During security analysis to verify correct role assignments
- When user asks "what role do I need for X?"
Procedure
1. Understand Required Permissions
Ask the user what actions they need to perform:
What permissions do you need? Examples:
- "Read and write blobs in a storage account"
- "Deploy code to a Function App"
- "Read secrets from Key Vault"
- "Manage SQL databases"
- "Full access to a resource group"
2. Search for Built-In Roles
Use Azure MCP documentation tools to find matching built-in roles:
# List relevant built-in roles
az role definition list \
--query "[?contains(roleName, '{keyword}')].{Name:roleName, Description:description, Id:name}" \
--output table
# Get detailed permissions for a role
az role definition list \
--name "{role-name}" \
--output json
Cross-reference with Microsoft Docs for the latest role definitions.
3. Recommend Least-Privilege Role
Present the recommended role(s) in order of least privilege:
## Role Recommendation
**Desired:** Read and write blobs in storage account starnwkdhk
### Recommended Role (Least Privilege)
| Property | Value |
|----------|-------|
| **Role** | Storage Blob Data Contributor |
| **ID** | ba92f5b4-2d11-453d-a403-e96b0029c9fe |
| **Scope** | Storage Account level |
| **Permissions** | Read, write, delete blobs and containers |
### Alternatives (More Permissive)
| Role | Extra Permissions | Use When |
|------|-------------------|----------|
| Storage Account Contributor | Full account management | Need to manage account settings too |
| Contributor | Full resource management | Need broad access (not recommended) |
### ⚠️ Avoid These (Over-Privileged)
- **Owner** — Grants RBAC management, not needed for data access
- **Contributor** at subscription level — Too broad for storage-only needs
4. Generate Assignment Commands
Provide ready-to-use commands:
Azure CLI:
# Assign role to managed identity
az role assignment create \
--assignee {principal-id} \
--role "Storage Blob Data Contributor" \
--scope /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}
# Assign role to service principal
az role assignment create \
--assignee {app-id} \
--role "Storage Blob Data Contributor" \
--scope {resource-id}
ARM Template (for inclusion in deployment):
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceId('Microsoft.Storage/storageAccounts', '{name}'), '{principal-id}', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', '{name}')]",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "{principal-id}",
"principalType": "ServicePrincipal"
}
}
5. Custom Role (If No Built-In Matches)
If no built-in role matches the exact permissions needed:
# Create custom role definition
az role definition create --role-definition '{
"Name": "Custom Storage Reader Writer",
"Description": "Can read and write blobs but not delete",
"Actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"NotActions": [],
"DataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/{sub-id}"]
}'
Common Role Mappings
| Resource | Action | Recommended Role |
|---|---|---|
| Storage | Read/write blobs | Storage Blob Data Contributor |
| Storage | Read blobs only | Storage Blob Data Reader |
| Key Vault | Read secrets | Key Vault Secrets User |
| Key Vault | Manage secrets | Key Vault Secrets Officer |
| SQL Database | Read data | SQL DB Contributor |
| Function App | Deploy code | Website Contributor |
| App Service | Deploy code | Website Contributor |
| Cosmos DB | Read/write data | Cosmos DB Account Reader Role |
| Resource Group | Full management | Contributor (scoped to RG) |
| Monitoring | Read metrics | Monitoring Reader |
Integration with Git-Ape
When the template generator creates resources with managed identities, invoke this skill to:
- Identify what roles the managed identity needs
- Add role assignment resources to the ARM template
- Follow least-privilege principle automatically