RBAC role for Tagging only
Please create new RBAC roles for "Tag Contributor" and "Tag Reader"
We currently have no way to restrict a service account to be able to automatically add tags to resources without granting the service account "Contributor" rights on all our subscriptions. Huge security concern.

2 comments
-
Rene Løhde commented
Could we rephrase this as "Implement Resource Provider Operations (Actions) for Tag on each of the Azure resources"... I am guessing that this issue is due to the top-level implementation of the Tag-action at the subscription level:
Microsoft.Resources/subscriptions/tagNames/read
Microsoft.Resources/subscriptions/tagNames/write
Microsoft.Resources/subscriptions/tagNames/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/read
Microsoft.Resources/subscriptions/tagNames/tagValues/write
Whereas what is really needed to gain granular control is something like:
Microsoft.Compute/virtualMachines/tagNames/*
Microsoft.Compute/virtualMachines/tagNames/tagValues/*
...
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/*
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/tagValues/*
...
Additional use-cases: a role that can start/stop a VM and change tags (without having to allow "Microsoft.Compute/virtualMachines/write" in the custom role)
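As an added illustration (not part of this thread or of Azure's own tooling), the following Python builds a custom role definition from only the subscription-level tag operations quoted above and then checks, using Azure RBAC's wildcard semantics ('*' matches any characters, including '/'; comparison is case-insensitive), which operations the role would actually permit. The subscription id is a placeholder, and the "contributor"-shaped role at the end is a simplified stand-in for the built-in Contributor role, included only to contrast the two.

```python
import json
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription

# Constructed custom role: only the tag operations listed in the thread, no resource writes.
TAG_CONTRIBUTOR = {
    "Name": "Tag Contributor (custom)",
    "IsCustom": True,
    "Description": "Read, create and delete tags without Contributor rights.",
    "Actions": [
        "Microsoft.Resources/subscriptions/tagNames/*",
        "Microsoft.Resources/subscriptions/tagNames/tagValues/*",
    ],
    "NotActions": [],
    "AssignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
}

# Operations a tagging service account should never be able to perform.
SENSITIVE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Authorization/roleAssignments/write",
]


def _matches(pattern: str, operation: str) -> bool:
    """Azure action matching: '*' matches any run of characters ('/' included), case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(role: dict, operation: str) -> bool:
    """True when some Actions entry grants the operation and no NotActions entry subtracts it."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def over_privileged_grants(role: dict, operations) -> list:
    """Least-privilege check: the subset of 'operations' this role would allow."""
    return [op for op in operations if is_permitted(role, op)]


if __name__ == "__main__":
    # Emit the definition in the shape 'az role definition create --role-definition @file.json' expects.
    print(json.dumps(TAG_CONTRIBUTOR, indent=2))
    print(over_privileged_grants(TAG_CONTRIBUTOR, SENSITIVE_OPERATIONS))
    # Simplified Contributor shape: everything, minus role-assignment writes.
    contributor_like = {"Actions": ["*"], "NotActions": ["Microsoft.Authorization/*/Write"]}
    print(over_privileged_grants(contributor_like, SENSITIVE_OPERATIONS))
```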
-
AK commented
Agreed, we cannot promote governance and cost-control properly if we have no control over tag changes.