Info

The Azure built-in Role "Reader" has no access to the Storage Account keys, which are required for collecting data about VHDs; therefore a custom Role should be created.


Create a Custom Role

Keep in mind that you need permissions to create custom Roles, such as Owner or User Access Administrator.

...

1. In the Azure portal, open the subscription or resource group where you want the custom Role to be assignable.

2. Open 'Access control (IAM)'. Click Add → Add custom role*.

3. Name the new Role CloudAware Custom Policy.

...

4. Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action into the 'Search for a permission' box to select Microsoft Storage. Check the box next to the permission. Click Add.

...


Tip

If you are planning to install Breeze Agent, add the Microsoft.Compute/virtualMachines/extensions/write permission to the Role as well.


5. Select 'Start from JSON'. Use the JSON template below and fill your subscription id into the {subscription_id} field. Remove the Microsoft.Compute/virtualMachines/extensions/write action if you are not going to install Breeze Agent.

Code Block
{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need access to the Storage Account keys, as the default Role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

...

Tip

The permission Microsoft.Storage/storageAccounts/listKeys/action grants the right to call List Keys, that is, to retrieve the Storage Account access keys. Note that the keys themselves give full data-plane access to the account, not just read access, so assign the Role only at the scope where it is needed and protect the credentials of the assignee.

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required as well.


Commonly used Azure built-in Roles:

Built-in Role                  ID
Reader                         acdd72a7-3385-48ef-bd42-f606fba81ae7
Contributor                    b24988ac-6180-42a0-ab88-20f7382dd24c
Virtual Machine Contributor    9980e02c-c2be-4d73-94e8-173b1dc7cf3c
Virtual Network Contributor    b34d265f-36f7-4a0d-a4d4-e158ca92e90f
Storage Account Contributor    17d1049b-9a84-46fb-8f53-869881c3d3ab
Web Plan Contributor           2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
SQL Server Contributor         6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
SQL DB Contributor             9b7fa17d-e63e-47b0-bb0a-15c516ac86ec


*If a custom Role already exists in your environment, you can use it as well. Its JSON body should look like the template below. Replace {your-existing-role-definition-id} with your Role definition id. In the "assignableScopes" section add one string "/subscriptions/{subscription-id}" per subscription, with your {subscription-id}:

Code Block
{
  "name": "{your-existing-role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "assignableScopes": [
    "/subscriptions/{subscription-id}"
  ],
  "roleName": "{your-role-name}",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Then you will need to assign this custom Role.

6. Assign the custom Role to a user if you are adding a Native application, or to the application if you are adding a Web app/API.
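The same procedure done with the Azure CLI instead of the portal, as an added example that is not part of the original page and not Cloudaware's own tooling. The Role name and the two actions come from the page; the subscription id, the object id of the application's service principal and the INSTALL_BREEZE_AGENT toggle are hypothetical placeholders passed in as environment variables. The assignment step retries because custom Role creation is asynchronous and the new Role may not be visible to the assignment call immediately.

```shell
#!/bin/sh
# Added example, not Cloudaware's own tooling: create the "CloudAware Custom Policy"
# Role with the Azure CLI, assign it to the Cloudaware service principal at
# subscription scope and verify the assignment.
# Hypothetical inputs (environment variables):
#   SUBSCRIPTION_ID       subscription the Role must be assignable in
#   SP_OBJECT_ID          object id of the app registration's service principal
#   INSTALL_BREEZE_AGENT  1 to include the VM extension write action
# Run as:  sh create-cloudaware-role.sh apply

ROLE_NAME="CloudAware Custom Policy"
LISTKEYS_ACTION="Microsoft.Storage/storageAccounts/listKeys/action"
EXTENSION_ACTION="Microsoft.Compute/virtualMachines/extensions/write"

# render_role_definition <0|1 include extension write> <subscription-id>...
# Prints the role definition JSON in the shape `az role definition create` accepts.
# The extension action is only included when asked for: listKeys alone is enough
# for VHD and Blob Container collection, so leave it out unless Breeze Agent is planned.
render_role_definition() {
    with_ext="$1"; shift
    actions="    \"$LISTKEYS_ACTION\""
    if [ "$with_ext" = "1" ]; then
        actions="$actions,
    \"$EXTENSION_ACTION\""
    fi
    scopes=""
    for sub in "$@"; do
        if [ -n "$scopes" ]; then scopes="$scopes,
"; fi
        scopes="$scopes    \"/subscriptions/$sub\""
    done
    cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Lets Cloudaware list Storage Account keys (Reader does not) and, optionally, write VM extensions for Breeze Agent.",
  "Actions": [
$actions
  ],
  "NotActions": [],
  "AssignableScopes": [
$scopes
  ]
}
EOF
}

# True when a custom Role with this name already exists in the tenant;
# an existing Role can be reused instead of creating a second one.
role_exists() {
    [ -n "$(az role definition list --name "$ROLE_NAME" --custom-role-only true \
              --query '[0].name' -o tsv --only-show-errors)" ]
}

create_role() {
    if role_exists; then
        echo "Role '$ROLE_NAME' already exists, reusing it" >&2
    else
        render_role_definition "$@" > /tmp/cloudaware-role.json
        az role definition create --role-definition @/tmp/cloudaware-role.json --only-show-errors
    fi
}

# Role creation is asynchronous: the assignment can fail with "role not found"
# for a while after create returns, so retry before giving up.
assign_role() {
    sub="$1"; sp="$2"; attempt=0
    until az role assignment create --role "$ROLE_NAME" \
            --assignee-object-id "$sp" --assignee-principal-type ServicePrincipal \
            --scope "/subscriptions/$sub" --only-show-errors >/dev/null
    do
        attempt=$((attempt + 1))
        if [ "$attempt" -ge 6 ]; then return 1; fi
        sleep 10
    done
}

# Read the assignment back; an empty result means the Role did not land.
verify_assignment() {
    [ -n "$(az role assignment list --role "$ROLE_NAME" --assignee "$2" \
              --scope "/subscriptions/$1" --query '[0].id' -o tsv --only-show-errors)" ]
}

main() {
    sub="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}"
    sp="${SP_OBJECT_ID:?set SP_OBJECT_ID}"
    create_role "${INSTALL_BREEZE_AGENT:-0}" "$sub"
    assign_role "$sub" "$sp"
    verify_assignment "$sub" "$sp" && echo "assigned '$ROLE_NAME' to $sp at /subscriptions/$sub"
}

# Only talk to Azure when asked explicitly; render_role_definition is pure and
# can be inspected first (e.g. `render_role_definition 0 <subscription-id>`).
if [ "${1:-}" = "apply" ]; then main; fi
```

To reuse a Role that already exists, take the output of `az role definition list --name "<role name>" --custom-role-only true` (it has the same shape as the second JSON template above), add the missing action or subscription scope, and pass the edited document to `az role definition update --role-definition @file.json`; this changes the definition once for every subscription listed in assignableScopes.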

Custom Role creation in the Azure Portal is an asynchronous operation, so there may be a time lag between the creation of a Role and the moment it becomes available for assignment.

...

Cloudaware may regularly introduce new capabilities which require the addition of new actions and permissions. If a Cloudaware custom Role already exists, you can update that one Role definition instead of repeating the change for every subscription in its assignable scopes. If an update of an existing CloudAware Custom Policy Role is required, your Technical Account Manager will provide instructions on how to perform it.
