After Lab 1.3 — Recap
After Lab 1.3 — Recap
In Lab 1.3, you changed the access model.
The goal was to remove excessive access and add the correct permission.
Before the fix
The backend managed identity had:
Contributor
at resource group scopeThis allowed too many management-plane actions.
But it still did not provide the correct data-plane access to read Key Vault secrets.
After the fix
The backend managed identity should now have a more specific role assignment.
Example:
Key Vault Secrets User
at Key Vault scopeThis better matches the actual task of the backend application.
Before and after
Expected result
| Endpoint | Before fix | After fix |
|---|---|---|
/api/impact-demo/tag-self | Works | Fails |
/api/secret-demo | Fails | Works |
Screenshot placeholders
Screenshot suggestion
Add a screenshot of /api/impact-demo/tag-self after the fix.
Expected result:
Failure, forbidden, unauthorized, or equivalent errorThe goal is to show that the unnecessary management-plane action is blocked.
Screenshot suggestion
Add a screenshot of /api/secret-demo after the fix.
Expected result:
SuccessBe careful not to expose a real secret value in teaching material.
You can mask the value or use a fake demo secret.
Key lesson
A secure permission model is not just smaller.
It is more accurate.
right identity
+ right role
+ right scope
+ right reasonWhat we improved
We reduced:
- unnecessary management-plane access
- broad resource group permissions
- the blast radius of a compromised backend
- dependency on trust
We improved:
- task-specific access
- separation between application access and infrastructure management
- alignment with least privilege
Why this matters in real environments
In real cloud environments, teams often start with broad permissions because they are easy.
But broad permissions create long-term risk.
A better model is designed around the actual task:
What does this identity need to do?
Which exact role supports that task?
What is the narrowest useful scope?
How can we test that the model still works?Bridge to Lab 1.4
In the final Day 1 lab, we step back from the technical fix.
We will translate the RBAC change into a simple Zero Trust access model.