- Home
- Skills
- Github
- Awesome Copilot
- Azure Role Selector
azure-role-selector_skill
- JavaScript
- Official
19.4k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill github/awesome-copilot --skill azure-role-selector- LICENSE.txt1.1 KB
- SKILL.md983 B
Overview
This skill helps you choose the least-privilege Azure role for an identity based on the exact permissions you need and produces the commands and infrastructure-as-code snippet to apply it. It identifies built-in roles that match your requirements or creates a custom role when necessary. It also generates Azure CLI commands and a Bicep code example for the role assignment.
How this skill works
You describe the actions or resource permissions the identity needs and the skill searches role definitions to find the minimal built-in role that covers those permissions. If no built-in role matches exactly, the skill constructs a custom role definition with only the requested permissions. Finally, it generates the Azure CLI commands to create/assign the role and provides a ready-to-use Bicep snippet to add the role assignment in infrastructure code.
When to use it
- Granting an identity access with least privilege to specific Azure resources
- Verifying whether a built-in role is sufficient before creating a custom role
- Preparing CLI commands for manual deployment or scripts
- Embedding role assignments in Bicep templates for automated deployments
- Auditing and reducing over-permissive role assignments
Best practices
- Aim to use built-in roles when they exactly match required permissions to avoid custom role maintenance
- Document the purpose and scope (scope, principalId) when creating custom roles
- Limit role scope to the smallest resource or resource group necessary
- Test custom roles in a non-production subscription before wide rollout
- Rotate and review role assignments regularly and remove unused identities
Example use cases
- Assigning read-only access to a specific storage account for a CI pipeline identity
- Providing VM start/stop permissions to an automation identity without full contributor rights
- Creating a custom role that allows only specific Key Vault secret operations for an app
- Generating Azure CLI commands to script role assignment as part of a deployment job
- Adding a role assignment to a Bicep module to ensure infra-as-code manages access
FAQ
If a built-in role grants extra permissions beyond your requirements, the skill will recommend creating a custom role limited to only the requested actions.
Will the generated Bicep snippet include principal identifiers?
Yes. The Bicep snippet includes placeholders for principalId and the specific scope so you can replace them with your identity and deployment context.
Can this handle role assignments at subscription and resource group scopes?
Yes. The skill supports generating role definitions and assignments scoped to subscription, resource group, or individual resources as requested.