Azure role-based access control (Azure RBAC) helps us manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. When we give permissions to custom roles, it is preferable to grant only the least rights needed to complete specific tasks. However, it is often unclear which permissions are necessary. This article therefore shows how to find the required permissions for custom roles from the F12 trace log.
In this article, we will take assigning developers sufficient rights to swap slots as an example.
Firstly, the co-developers should have read rights to the App Service.
Secondly, the swap function itself requires the swap rights.
With these settings, when we check the App Service page with the co-developer account, we will find that the swap button is greyed out and inaccessible. At this point, we can use the F12 developer tools to capture the trace log. There are two 403 errors, which are related to permissions on config/list.
Go back to the owner account of the App service.
Find out the missing permissions and add them to the custom role.
Log in again with the co-developer account and check again. The swap button is now available and there are no errors on this page.
To test whether the swap works, click on the swap page; a new alert shows up.
Check the F12 log again and find that the missing permission now concerns slotsdiffs.
Add the specific permissions to the custom role again by following the previous steps, then check back to confirm that there are no error logs.
Finally, the custom role lets the co-developer swap slots successfully.
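The trace-reading steps above can be scripted against a HAR file exported from the F12 Network tab. The following is an added example, not part of the original article: it collects the 403 responses from Azure Resource Manager and reports the denied action for each, taken from the error message when the body was captured and otherwise derived from the request path as a heuristic. The subscription ID, resource group, site name and the sample trace are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# ARM AuthorizationFailed bodies name the denied action in this phrase.
ACTION_RE = re.compile(r"perform action '([^']+)'")
VERBS = {"GET": "read", "PUT": "write", "PATCH": "write", "DELETE": "delete"}

def action_from_url(method, url):
    """Fallback heuristic: candidate action derived from the ARM request path."""
    parts = urlparse(url).path.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "providers" not in lowered:
        return None
    i = lowered.index("providers")
    # After the namespace the path alternates type/name; keep only the types.
    types = parts[i + 2:][0::2]
    return "/".join([parts[i + 1], *types, VERBS.get(method.upper(), "action")])

def denied_actions(har):
    """Sorted, de-duplicated actions behind 403 responses from Azure Resource Manager."""
    found = set()
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if resp["status"] != 403:
            continue
        if urlparse(req["url"]).hostname != "management.azure.com":
            continue
        match = ACTION_RE.search(resp.get("content", {}).get("text") or "")
        found.add(match.group(1) if match else action_from_url(req["method"], req["url"]))
    found.discard(None)
    return sorted(found)

# Constructed sample trace (placeholder subscription, group and site names).
SITE = ("https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-example/providers/Microsoft.Web/sites/app-example")
DENIED = json.dumps({"error": {"code": "AuthorizationFailed", "message":
    "The client 'dev@example.com' does not have authorization to perform action "
    "'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/...'"}})
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": SITE + "/config/appsettings/list"},
     "response": {"status": 403, "content": {"text": DENIED}}},
    {"request": {"method": "POST", "url": SITE + "/slotsdiffs"},
     "response": {"status": 403, "content": {}}},          # body not captured
    {"request": {"method": "GET", "url": SITE + "/slots"},
     "response": {"status": 200, "content": {"text": "{}"}}},
]}}

if __name__ == "__main__":
    for action in denied_actions(SAMPLE_HAR):
        print(action)
```

A HAR export includes the request headers, including the bearer token, so handle the file as a credential and delete it after use. Treat path-derived actions as candidates and confirm them against the resource provider's operation list before adding them to the role.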
Through the previous steps, we have found that, in total, the following permissions are necessary for developers to swap slots.