
Lab 02: CLI/PowerShell Solutions


Prerequisites

powershell
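# Sign in interactively and select the subscription used for the whole lab.
az login
az account set --subscription "Your-Subscription-Name"

# Capture the subscription ID. Later tasks build scope strings from it
# ("/subscriptions/$subId"), so an empty value would silently produce a
# broken scope. Native commands do not throw in PowerShell, hence the
# explicit check on the result.
$subId = az account show --query id -o tsv
if (-not $subId) {
    throw "Could not determine the active subscription ID; check 'az account show'."
}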

Pre-Lab Setup

powershell
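# Create the two resource groups the lab uses (dev and prod).
az group create --name rg-project-dev --location eastus
az group create --name rg-project-prod --location eastus

# Create storage account (name must be globally unique: 3-24 lowercase
# alphanumeric characters, which "stprojectdev" plus up to 5 digits satisfies).
# Anonymous blob access is disabled and TLS 1.2 enforced so the lab data is
# reachable only through the RBAC assignments made in later tasks.
$storageName = "stprojectdev$(Get-Random -Maximum 99999)"
az storage account create `
    --name $storageName `
    --resource-group rg-project-dev `
    --location eastus `
    --sku Standard_LRS `
    --allow-blob-public-access false `
    --min-tls-version TLS1_2
if ($LASTEXITCODE -ne 0) {
    throw "Storage account '$storageName' was not created; later tasks depend on it."
}

# Create container
az storage container create `
    --name documents `
    --account-name $storageName

# Upload test file. Set-Content is used instead of '>' because redirection in
# Windows PowerShell 5.1 writes UTF-16, which is not what a text fixture wants.
Set-Content -Path testfile.txt -Value "test content"
az storage blob upload `
    --account-name $storageName `
    --container-name documents `
    --file testfile.txt `
    --name testfile.txt

# Create Key Vault with RBAC (rather than access policies) as the
# authorization model; Task 5 exercises exactly that.
$kvName = "kv-project-dev-$(Get-Random -Maximum 99999)"
az keyvault create `
    --name $kvName `
    --resource-group rg-project-dev `
    --location eastus `
    --enable-rbac-authorization true
if ($LASTEXITCODE -ne 0) {
    throw "Key Vault '$kvName' was not created; Task 5 depends on it."
}

# An RBAC-mode vault grants its creator no data-plane rights automatically,
# so the signed-in identity needs a secrets role on the vault before it can
# write the secret below. If 'secret set' still returns 403, the assignment
# has not propagated yet: wait a minute and retry.
$kvId = az keyvault show --name $kvName --query id -o tsv
$signedInUserId = az ad signed-in-user show --query id -o tsv
az role assignment create `
    --assignee $signedInUserId `
    --role "Key Vault Secrets Officer" `
    --scope $kvId

# Create a throw-away secret for the lab. The value is passed on the command
# line only because it is test data; a real secret should come from a file
# (--file) or a prompt so it does not land in shell history or process lists.
az keyvault secret set `
    --vault-name $kvName `
    --name ApiKey `
    --value "test-secret-123"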

Task 1: View Role Definitions

powershell
# Every role assignment whose scope is the subscription itself
az role assignment list --scope "/subscriptions/$subId" --output table

# The full Contributor definition, as JSON
az role definition list --name "Contributor" --output json

# Side-by-side look at the first permission set of the three core roles
foreach ($roleName in @("Reader", "Contributor", "Owner")) {
    az role definition list --name $roleName --query "[0].permissions[0]"
}

Task 2: Assign Reader Role

powershell
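# Resolve the lab user's object ID from the UPN. An empty ID would make the
# assignment commands below fail with an unhelpful lookup error, so it is
# checked explicitly (native commands do not throw).
$userUpn = "devuser@yourdomain.onmicrosoft.com"
$userId = az ad user show --id $userUpn --query id -o tsv
if (-not $userId) {
    throw "User '$userUpn' was not found in the directory."
}

# Get resource group ID (this is the assignment scope)
$rgId = az group show --name rg-project-dev --query id -o tsv
if (-not $rgId) {
    throw "Resource group 'rg-project-dev' was not found."
}

# Assign Reader role (control-plane read only; no data-plane rights)
az role assignment create `
    --assignee $userId `
    --role "Reader" `
    --scope $rgId

# Verify assignment
az role assignment list --assignee $userId -o table

# Check that the user has nothing on prod (expected: empty result)
$prodRgId = az group show --name rg-project-prod --query id -o tsv
az role assignment list `
    --assignee $userId `
    --scope $prodRgId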

Task 3: Assign Data Plane Role

powershell
# Resolve the storage account resource ID; it is the scope of the data-plane assignment
$storageId = az storage account show `
    --name $storageName `
    --resource-group rg-project-dev `
    --query id --output tsv

# Grant blob read access separately: the Reader role from Task 2 covers the
# control plane only
$blobReaderRole = "Storage Blob Data Reader"
az role assignment create `
    --assignee $userId `
    --role $blobReaderRole `
    --scope $storageId

# Confirm both Reader and Storage Blob Data Reader now appear for the user
az role assignment list --assignee $userId --output table

Task 4: Assign Contributor Role

powershell
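# Create a second lab user. The password is generated per run instead of
# being hard-coded (a fixed value would be shared by every copy of this lab
# and persist in shell history), and the user must change it at first
# sign-in. The value stays in $devUserPassword for this session only; it is
# deliberately not printed.
$devUserUpn = "developer@yourdomain.onmicrosoft.com"
$randomBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($randomBytes)
# Base64 plus a fixed suffix guarantees the upper/lower/digit/symbol mix
# that the directory's default password policy expects.
$devUserPassword = [Convert]::ToBase64String($randomBytes) + "!aA1"
az ad user create `
    --display-name "Developer User" `
    --user-principal-name $devUserUpn `
    --password $devUserPassword `
    --force-change-password-next-sign-in true

# Newly created users can take a moment to become visible to lookups.
$devUserId = az ad user show --id $devUserUpn --query id -o tsv
if (-not $devUserId) {
    throw "User '$devUserUpn' was not created or is not visible yet; retry the lookup."
}

# Assign Contributor to dev resource group
az role assignment create `
    --assignee $devUserId `
    --role "Contributor" `
    --scope $rgId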

Task 5: Key Vault RBAC

powershell
# Resolve the vault's resource ID; it is the scope of the data-plane assignment
$kvId = az keyvault show --name $kvName --query id --output tsv

# Secrets User allows reading secret values only (no create/delete/purge)
$secretsUserRole = "Key Vault Secrets User"
az role assignment create `
    --assignee $userId `
    --role $secretsUserRole `
    --scope $kvId

# Verify by reading the secret as the assigned user.
# Sign in as that user first; otherwise this runs under the current session's identity.
az keyvault secret show --vault-name $kvName --name ApiKey

Task 6: Create Custom Role

powershell
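# Build the custom role definition. AssignableScopes is limited to this
# subscription, so the role cannot be assigned anywhere else; the action
# list deliberately omits create/delete so the holder can only operate VMs.
$customRole = @"
{
    "Name": "Virtual Machine Operator",
    "Description": "Can start, stop, and restart VMs. Cannot create or delete.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Network/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/$subId"
    ]
}
"@

# Save to file (az reads the definition from disk)
$customRole | Out-File -FilePath "vm-operator-role.json" -Encoding utf8

# Create the role and stop if that failed (for example because a role with
# this name already exists); assigning a role that does not exist only
# produces a confusing lookup error later.
az role definition create --role-definition vm-operator-role.json
if ($LASTEXITCODE -ne 0) {
    throw "Custom role 'Virtual Machine Operator' was not created."
}

# Verify creation. A new role definition can take a short while to become
# visible to lookups, so poll a few times before giving up.
$roleVisible = $false
for ($attempt = 1; $attempt -le 6 -and -not $roleVisible; $attempt++) {
    $found = az role definition list --name "Virtual Machine Operator" --query "[0].roleName" -o tsv
    if ($found) {
        $roleVisible = $true
    } else {
        Start-Sleep -Seconds 10
    }
}
if (-not $roleVisible) {
    throw "Custom role 'Virtual Machine Operator' is not visible yet; rerun the assignment step later."
}

# Assign custom role
az role assignment create `
    --assignee $userId `
    --role "Virtual Machine Operator" `
    --scope $rgId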

Task 9: Audit and Cleanup

powershell
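# View activity log for role operations (last 7 days). The query keeps only
# entries whose operation name mentions roleAssignment (writes and deletes).
az monitor activity-log list `
    --start-time (Get-Date).AddDays(-7).ToString("yyyy-MM-dd") `
    --query "[?contains(operationName.value, 'roleAssignment')]" `
    -o table

# Export role assignments to CSV. Export-Csv writes a real CSV with a header
# row; redirecting '-o tsv' into a .csv file would produce tab-separated
# text (and UTF-16 on Windows PowerShell 5.1) that spreadsheet tools misread.
az role assignment list --all -o json |
    ConvertFrom-Json |
    Select-Object principalName, principalType, roleDefinitionName, scope, id |
    Export-Csv -Path role-assignments.csv -NoTypeInformation

# Remove specific role assignment
az role assignment delete `
    --assignee $userId `
    --role "Reader" `
    --scope $rgId

# Remove all remaining assignments for a user, one by one via their IDs
$assignments = az role assignment list --assignee $userId -o json | ConvertFrom-Json
foreach ($assignment in $assignments) {
    az role assignment delete --ids $assignment.id
}

# Delete custom role (fails while assignments still reference it, which is
# why the assignments are removed first)
az role definition delete --name "Virtual Machine Operator"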

Full Cleanup Script

powershell
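# Remove all test users. Lookups and deletes are best-effort (2>$null) so a
# user that was never created, or was already removed, does not abort the
# rest of the cleanup.
$testUsers = @(
    "devuser@yourdomain.onmicrosoft.com",
    "developer@yourdomain.onmicrosoft.com"
)

foreach ($user in $testUsers) {
    Write-Host "Removing assignments for: $user"
    $id = az ad user show --id $user --query id -o tsv 2>$null
    if ($id) {
        # Remove every role assignment held by the user (--yes confirms the bulk delete)
        az role assignment delete --assignee $id --yes 2>$null
        # Delete user (the account is soft-deleted first and can be restored for a period)
        az ad user delete --id $user 2>$null
    } else {
        Write-Host "  user not found, skipping"
    }
}

# Delete custom role (best-effort: it may already be gone)
az role definition delete --name "Virtual Machine Operator" 2>$null

# Delete resource groups (this deletes all contained resources). --no-wait
# returns immediately, so the deletions are still running afterwards.
# The Key Vault is soft-deleted rather than destroyed by this; once the group
# deletion has finished, purge it if the name or quota is needed again:
#   az keyvault list-deleted
#   az keyvault purge --name <vault name>
az group delete --name rg-project-dev --yes --no-wait
az group delete --name rg-project-prod --yes --no-wait

# Clean up local files
Remove-Item vm-operator-role.json -ErrorAction SilentlyContinue
Remove-Item testfile.txt -ErrorAction SilentlyContinue
Remove-Item role-assignments.csv -ErrorAction SilentlyContinue

Write-Host "Cleanup submitted. Resource group deletion continues in the background; check 'az group list -o table' before re-running the lab."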

Useful Commands Reference

powershell
# Names of every built-in role
az role definition list --query "[?roleType=='BuiltInRole'].roleName" --output tsv

# Roles whose first permission set includes a Microsoft.Storage action
az role definition list --query "[?contains(permissions[0].actions, 'Microsoft.Storage')]" --output table

# What the user holds at the resource group, including assignments inherited from higher scopes
az role assignment list --assignee $userId --scope $rgId --include-inherited --output table

# Custom roles only
az role definition list --custom-role-only true --output table

Released under the MIT License.