For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-azure-role-definition-allows-custom-role-creation.md. A documentation index is available at /llms.txt.

Role definition allows custom role creation

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-azure-role-definition-allows-custom-role-creation

Provider: Azure

Platform: Ansible

Severity: Medium

Category: Access Control

Learn More

Description

Role definitions must not grant the ability to create or modify other role definitions (Microsoft.Authorization/roleDefinitions/write). This capability enables privilege escalation and persistent unauthorized access by allowing creation of custom roles with elevated permissions.

In Ansible playbooks using the azure.azcollection.azure_rm_roledefinition or azure_rm_roledefinition modules, the permissions[].actions array must not include the literal action Microsoft.Authorization/roleDefinitions/write and must not be a wildcard (*). This rule flags tasks where permissions.actions is ["*"] or contains Microsoft.Authorization/roleDefinitions/write. Ensure the actions list contains only the specific, least-privilege actions required for the role.

Secure example with no role-definition write permission:

- name: example role
  azure.azcollection.azure_rm_roledefinition:
    name: customReadOnlyRole
    scope: /subscriptions/00000000-0000-0000-0000-000000000000
    permissions:
      - actions:
          - "Microsoft.Storage/storageAccounts/read"
          - "Microsoft.Compute/virtualMachines/read"

Compliant Code Examples

---
- name: Create a role definition3
  azure_rm_roledefinition:
    name: myTestRole3
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Non-Compliant Code Examples

---
- name: Create a role definition
  azure_rm_roledefinition:
    name: myTestRole
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "Microsoft.Authorization/roleDefinitions/write"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

---
- name: Create a role definition2
  azure_rm_roledefinition:
    name: myTestRole2
    scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup
    permissions:
      - actions:
          - "*"
    assignable_scopes:
      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"