fix(azure): custom Prowler Role for Azure assignableScopes (#6149)
puchy22 authored Dec 16, 2024
1 parent 5b0b85c commit 9d7499b
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 2 additions & 0 deletions docs/getting-started/requirements.md
@@ -73,6 +73,8 @@ To use each one you need to pass the proper flag to the execution. Prowler for A
- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool. It is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
- `Reader`
- `ProwlerRole` (custom role defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json))
???+ note
Please, notice that the field `assignableScopes` in the JSON custom role file must be changed to be the subscription or management group where the role is going to be assigned. The valid formats for the field are `/subscriptions/<subscription-id>` or `/providers/Microsoft.Management/managementGroups/<management-group-id>`.

To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.

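Review bot: the new admonition added after the `ProwlerRole` bullet describes `assignableScopes` as a single value ("must be changed to be the subscription or management group"), but the field it refers to is a JSON array (see the `"assignableScopes": [ ... ]` block in `permissions/prowler-azure-custom-role.json` in this same commit), so a reader who needs the role available in several subscriptions gets no hint that one entry per scope is allowed; suggest wording such as "must list the subscription(s) or management group(s) where the role will be assigned, one entry per scope". Also "Please, notice that" reads awkwardly; "Note that" is enough.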
2 changes: 1 addition & 1 deletion permissions/prowler-azure-custom-role.json
@@ -3,7 +3,7 @@
"roleName": "ProwlerRole",
"description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
"assignableScopes": [
"/"
"/{'subscriptions', 'providers/Microsoft.Management/managementGroups'}/{Your Subscription or Management Group ID}"
],
"permissions": [
{
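Review bot: the replacement entry in `assignableScopes` is a template written in an ad-hoc set notation (`/{'subscriptions', 'providers/Microsoft.Management/managementGroups'}/{Your Subscription or Management Group ID}`) that is not a valid Azure scope string, so the shipped file no longer defines a usable role and anyone who applies it unmodified gets a rejected role definition; since the docs hunk in this commit already spells out the two accepted forms, consider using one of them verbatim with an obvious placeholder, e.g. `"/subscriptions/<subscription-id>"`, and let the docs note cover the management-group variant. Replacing `"/"` (which let the role be assigned at any scope in the tenant) with an explicit scope is the right direction; it just needs a value that parses.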

0 comments on commit 9d7499b