1# Role Assignment Verification
2 
3Verify that all RBAC role assignments in the generated infrastructure are correct and sufficient before deployment. Incorrect or missing roles are a common cause of runtime failures.
4 
5## When to Verify
6 
7After build verification (step 4) and **before** recording proof (step 6). Role issues surface as cryptic auth errors during deployment — catching them here saves debugging time.
8 
9## Verification Checklist
10 
11Review every resource-to-identity relationship in the generated Bicep/Terraform:
12 
13| Check | How |
14|-------|-----|
15| **Every service identity has roles** | Each app with a managed identity must have at least one role assignment |
16| **Roles match data operations** | Use service-specific **data-plane** roles for data access (see mapping table below); use generic Reader/Contributor/Owner only for management-plane operations |
17| **Scope is least privilege** | Roles scoped to specific resources, not resource groups or subscriptions |
18| **No missing roles** | Cross-check app code operations against assigned roles (see table below) |
19| **Local dev identity has roles** | If testing locally, the user's identity needs equivalent roles via `az login` |
20 
21## Common Service-to-Role Mapping
22 
23| Service Operation | Required Role | Common Mistake |
24|-------------------|---------------|----------------|
25| Read blobs | Storage Blob Data Reader | Using generic Reader (no data access) |
26| Read + write blobs | Storage Blob Data Contributor | Missing write permission |
27| Generate SAS via user delegation | Storage Blob Delegator + Data Reader/Contributor | Forgetting Delegator role |
28| Read Key Vault secrets | Key Vault Secrets User | Using Key Vault Reader (no secret access) |
29| Read + write Cosmos DB | Cosmos DB Built-in Data Contributor | Using generic Contributor |
30| Send Service Bus messages | Azure Service Bus Data Sender | Using generic Contributor |
31| Read queues | Storage Queue Data Reader | Using Blob role for queues |
32 
33## How to Verify (Static Code Review)
34 
35Review the generated Bicep/Terraform files directly — do **not** query live Azure state here. For each role assignment resource in your infrastructure code:
36 
371. Identify the **principal** (which managed identity)
382. Identify the **role** (which role definition)
393. Identify the **scope** (which target resource)
404. Cross-check against the app code to confirm the role grants the required data-plane access
41 
42> 💡 **Tip:** Search your Bicep for `Microsoft.Authorization/roleAssignments` or your Terraform for `azurerm_role_assignment` to find all role assignments.
43 
44> ⚠️ **Live role verification** (querying Azure for actually provisioned roles) is handled by **azure-deploy** step 8 as a post-deployment check. This step is a static code review only.
45 
46## Decision Tree
47 
48```
49For each app identity in the generated infrastructure:
50├── Has role assignments?
51│   ├── No → Add required role assignments to Bicep/Terraform
52│   └── Yes → Check each role:
53│       ├── Role matches code operations? → ✅ OK
54│       ├── Role too broad? → Narrow to least privilege
55│       └── Role insufficient? → Upgrade or add missing role
56│
57For local testing:
58├── User identity has equivalent roles?
59│   ├── No → Grant roles via CLI or inform user
60│   └── Yes → ✅ Ready for functional verification
61```
62 
63> ⚠️ **Warning:** Generic roles like `Contributor` or `Reader` do **not** include data-plane access. For example, `Contributor` on a Storage Account cannot read blobs — you need `Storage Blob Data Contributor`. This is the most common RBAC mistake.
64 
65## Record in Plan
66 
67After role verification, update `.azure/deployment-plan.md`:
68 
69```markdown
70## Role Assignment Verification
71- Status: Verified / Issues Found
72- Identities checked: <list of app identities>
73- Roles confirmed: <list of role assignments>
74- Issues: <any missing or incorrect roles fixed>
75```
76