
custom RBAC role for select azure resources app gw, vm, storage, CDN, key vault


Hi, I would need to grant users access to an app gateway so that they can create, update, or delete listeners, rules, etc. It looks like they would need the Network Contributor role, but that would leave them with the ability to potentially delete networks and the app gateway. Is that the case? What roles and permissions are needed to achieve this?

They would also need access to the key vault (secrets and certificates; I believe the KV officer roles would be sufficient).

I appreciate your help.


Solution

  • As per this, the role would be Microsoft.Network/virtualNetworks/subnets/join/action

    Since the application gateway resource is deployed inside a virtual network, we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations. You should check your Azure role-based access control to verify the users (and service principals) that operate application gateways also have at least Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. This validation also applies to the Managed Identities for Application Gateway Ingress Controller.

    My recommendation would be to try adding a new custom role with the permissions below:

    Microsoft.Network/applicationGateways/*
    Microsoft.Network/virtualNetworks/subnets/join/action
    Microsoft.Resources/deployments/*
    

    Then, try to test your role by doing the operations in the portal. Let's say you don't have enough permission: you will get an error telling you which permissions are missing. Using that, you can enhance the custom role by providing additional permissions.

    I assume your virtual network/app gateway is in the same RG; if so, you can assign this role to that particular RG for least privilege. Otherwise, you have to assign the role at the appropriate scope where your app gateway and vnet resources reside.


    For Key Vault you can use the two built-in roles below:

    Key Vault Secrets Officer
    Key Vault Certificates Officer
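As an added example (not part of the answer above), here is a Python model of the recommended custom role that checks, using a simplified version of Azure RBAC's wildcard matching, which operations it permits compared with Network Contributor's Microsoft.Network/* action. The subscription ID and resource group are placeholders, and the NotActions entry that blocks deleting the gateway itself is an assumption that goes beyond the answer.

```python
"""Model the custom role from the answer and compare what it allows against
Network Contributor. Subscription and resource group values are placeholders."""
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-appgw"                                # placeholder
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"

# Custom role from the answer, assignable only at the resource group scope.
APPGW_OPERATOR_ROLE = {
    "Name": "Application Gateway Operator",
    "IsCustom": True,
    "Description": "Manage listeners/rules on an existing application gateway.",
    "Actions": [
        "Microsoft.Network/applicationGateways/*",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/*",
    ],
    # Assumption beyond the answer: NotActions subtract from Actions, so this
    # keeps the gateway resource itself undeletable by role holders.
    "NotActions": ["Microsoft.Network/applicationGateways/delete"],
    "AssignableScopes": [RG_SCOPE],
}

# The Network Contributor actions relevant to the question (others omitted).
NETWORK_CONTRIBUTOR = {"Actions": ["Microsoft.Network/*", "Microsoft.Resources/deployments/*"]}


def _matches(pattern: str, operation: str) -> bool:
    # Action strings are case-insensitive; '*' matches any remainder including
    # '/' separators, which is also how fnmatch treats '*'.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def allows(role: dict, operation: str) -> bool:
    """True if an Action covers the operation and no NotAction excludes it."""
    if not any(_matches(p, operation) for p in role.get("Actions", [])):
        return False
    return not any(_matches(p, operation) for p in role.get("NotActions", []))


def compare(operations):
    """Map each operation to (custom_role_allows, network_contributor_allows)."""
    return {op: (allows(APPGW_OPERATOR_ROLE, op), allows(NETWORK_CONTRIBUTOR, op))
            for op in operations}


if __name__ == "__main__":
    for op, (custom, nc) in compare([
        "Microsoft.Network/applicationGateways/write",
        "Microsoft.Network/applicationGateways/delete",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
    ]).items():
        print(f"{op:58} custom={custom!s:5} networkContributor={nc}")
    # Definition file for: az role definition create --role-definition role.json
    with open("role.json", "w") as f:
        json.dump(APPGW_OPERATOR_ROLE, f, indent=2)
```

Running it prints the side-by-side result and writes role.json, which can then be created with az role definition create and assigned at the resource group scope with az role assignment create.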