AgentSkillsCN

azure-role-selector

Helps users choose the right Azure RBAC role for an identity so that it gets least-privilege access, then generates CLI commands and Bicep code to complete the role assignment. Use for: "what role should I assign?", "least privilege role", "RBAC role for ...", "role to read blobs", "role for managed identity", "custom role definition", "assign role to identity". Do not use for: creating managed identities (use Azure Security), general security hardening (use Azure Security Hardening), network permission configuration (use Azure Networking).

SKILL.md
---
name: azure-role-selector
description: |
  Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it.
  USE FOR: "what role should I assign", "least privilege role", "RBAC role for", "role to read blobs", "role for managed identity", "custom role definition", "assign role to identity".
  DO NOT USE FOR: creating managed identities (use azure-security), general security hardening (use azure-security-hardening), networking permissions (use azure-networking).
---

Use the 'azure__documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure__extension_cli_generate' tool to create a custom role definition with the desired permissions. Then use the 'azure__extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure__bicepschema' and 'azure__get_azure_bestpractices' tools to provide a Bicep code snippet for adding the role assignment.
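The kind of output the last step of this workflow is meant to produce, as an added example that is not part of the skill page and not code generated by the tools it names: a Bicep snippet assigning the built-in Storage Blob Data Reader role (the narrowest built-in role for the "role to read blobs" request) to a managed identity, scoped to one storage account rather than the resource group or subscription. The parameter names, the assumption that the storage account already exists in the target resource group, and the `blobReaderAssignment` resource name are choices made for this example.

```bicep
// Added example (not from the skill page): least-privilege role assignment
// for an identity that only needs to read blobs in one storage account.
// Deploy at resource-group scope; the storage account is assumed to exist.

@description('Name of the existing storage account the identity must read from')
param storageAccountName string

@description('Object (principal) ID of the managed identity or service principal')
param principalId string

@description('Principal type; ServicePrincipal covers user-assigned and system-assigned managed identities')
@allowed([
  'ServicePrincipal'
  'User'
  'Group'
])
param principalType string = 'ServicePrincipal'

// Role assignments reference the role definition GUID, never the display name.
// Storage Blob Data Reader is a data-plane, read-only role: it grants no
// management-plane rights (no key listing, no account configuration).
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Deterministic name derived from scope + principal + role: redeploying the
// template is idempotent instead of failing with a conflict or silently
// creating a second assignment.
resource blobReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, principalId, storageBlobDataReaderRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderRoleId)
    principalId: principalId
    principalType: principalType
  }
}

output roleAssignmentId string = blobReaderAssignment.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters storageAccountName=<account> principalId=<object-id>`, then confirm the scope is the storage account and nothing broader with `az role assignment list --scope <storage-account-resource-id> --assignee <object-id> --output table`. Setting `principalType` explicitly matters when the identity was created in the same deployment: it lets the assignment succeed before the new principal has finished replicating in Microsoft Entra ID.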