Info |
---|
The Azure built-in Role "Reader" has no default access to the Storage Account keys which are required for collecting data about VHDs, therefore another custom role should be created. |
Name the new role CloudAware Custom Policy. This role will use the List Keys action, which grants read access:
...
Code Block |
---|
{ "IsCustom": true, "Name": "CloudAware Collector Extended", "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.", "Actions": [ "Microsoft.Compute/virtualMachines/extensions/write", "Microsoft.Storage/storageAccounts/listKeys/action" ], "notActions": [], "assignableScopes": [ "/subscriptions/{subscription_id}" ] } |
Here are the well-known guides and samples of commonly used built-in roles:
...
Then you will need to assign this custom role to a user in case you are adding a Native application, or to the application in case you are adding a Web app/API.
Note |
---|
By performing this action, you confirm that access to your virtual machines is granted to the appropriate user for potential data modification. |
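An added example, not Cloudaware's or Microsoft's own code: a short Python review of the role definition above that lists every action going beyond read access and every assignable scope wider than a resource group, so the grant can be checked before the role is created. The function names and classification rules are assumptions of this example, and `notActions` is matched exactly rather than by wildcard.

```python
import json

# Role definition from the page (Description omitted, subscription id left as its placeholder).
ROLE_JSON = """
{ "IsCustom": true, "Name": "CloudAware Collector Extended",
  "Actions": [ "Microsoft.Compute/virtualMachines/extensions/write",
               "Microsoft.Storage/storageAccounts/listKeys/action" ],
  "notActions": [],
  "assignableScopes": [ "/subscriptions/{subscription_id}" ] }
"""

def classify(action):
    """Classify an Azure RBAC action string by its final segment."""
    a = action.lower()
    if "*" in a:
        return "wildcard"
    if a.endswith("/listkeys/action"):
        # Returns the account keys, which give access to the account's data.
        return "secret-read"
    last = a.rsplit("/", 1)[-1]
    return last if last in ("read", "write", "delete", "action") else "unknown"

def audit_role(role_json):
    """Return (findings, scopes); findings are (action, kind) for each non-read action."""
    # The page's JSON mixes key casing ("Actions", "notActions"), so normalise it.
    role = {k.lower(): v for k, v in json.loads(role_json).items()}
    excluded = {a.lower() for a in role.get("notactions", [])}  # exact match only
    findings = []
    for action in role.get("actions", []):
        kind = classify(action)
        if kind != "read" and action.lower() not in excluded:
            findings.append((action, kind))
    return findings, role.get("assignablescopes", [])

def broad_scopes(scopes):
    """Scopes that are not limited to a resource group (subscription-wide or wider)."""
    return [s for s in scopes if "/resourcegroups/" not in s.lower()]

if __name__ == "__main__":
    findings, scopes = audit_role(ROLE_JSON)
    for action, kind in findings:
        print(f"{kind:12} {action}")
    for scope in broad_scopes(scopes):
        print(f"broad scope  {scope}")
```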
Updating an Existing Cloudaware Custom Policy
Cloudaware may regularly introduce new capabilities that require adding new actions and permissions. If a Cloudaware custom role already exists, you can update this role without updating it for every subscription. If updating an existing Cloudaware Custom Policy role is required, your Technical Account Manager will provide you with instructions on how to perform this action.
Creating a custom role in Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and the time when this role becomes available.