...
Keep in mind that creating custom roles requires sufficient permissions, such as Owner or User Access Administrator.
1. In the Azure portal, open a subscription or a resource group where you want the custom role to be assignable.
2. Open 'Access control (IAM)'. Click Add → Add custom role*. Name the role CloudAware Custom Policy.
...
3.
a) 'Start from scratch'. Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action into the Search for a permission box to select Microsoft Storage. Check the box next to the permission. Click Add.
...
Tip |
---|
If you are planning to install Breeze Agent, the permission |
b) 'Start from JSON'. Use the JSON template below. Fill in your subscription ID in the {subscription_id} field.

```json
{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}
```
Tip |
---|
If you are planning to install Breeze Agent, the permission |
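
A pre-flight check for the 'Start from JSON' template, added here as an example (not Cloudaware's code): it confirms the placeholder is filled in and that the role grants only the template's two actions at a single subscription or resource group scope. The function name `lint_role`, the all-zero subscription id and the finding texts are assumptions made for this example.

```python
import json
import re

# Constructed sample: the page's template with an all-zero subscription id filled in.
SAMPLE_ROLE = """{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}"""

# The two actions the page's template grants (compared case-insensitively).
EXPECTED_ACTIONS = {
    "microsoft.compute/virtualmachines/extensions/write",
    "microsoft.storage/storageaccounts/listkeys/action",
}
# One subscription, or one resource group inside it.
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"(/resourceGroups/[^/]+)?$", re.IGNORECASE)


def lint_role(text):
    """Return a list of findings for a custom-role JSON document (empty = clean)."""
    if "{subscription_id}" in text:
        return ["placeholder {subscription_id} is not filled in"]
    # The template mixes key casing ("Actions", "notActions"), so normalise it.
    role = {key.lower(): value for key, value in json.loads(text).items()}
    findings = []
    if role.get("iscustom") is not True:
        findings.append("IsCustom is not true")
    for action in role.get("actions", []):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        elif action.lower() not in EXPECTED_ACTIONS:
            findings.append(f"action not in the template: {action}")
    for scope in role.get("assignablescopes", []):
        if not SCOPE_RE.match(scope):
            findings.append(f"scope is not one subscription or resource group: {scope}")
    return findings


if __name__ == "__main__":
    print(lint_role(SAMPLE_ROLE) or "no findings")
```
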
Commonly used Azure built-in roles:
Built-in Role | ID |
---|---|
Reader | |
Contributor | |
Virtual Machine Contributor | |
Virtual Network Contributor | |
Storage Account Contributor | |
Web Plan Contributor | |
SQL Server Contributor | |
SQL DB Contributor | |
*c) 'Clone a role'.
In case a custom role already exists in your environment, its JSON body should look like the template below:
...
Cloudaware may regularly introduce new capabilities which require the addition of new actions and permissions. If a Cloudaware custom role already exists, you can update this role without updating it for every subscription. If updating an existing Cloudaware Custom Policy role is required, your Technical Account Manager will provide you with instructions on how to perform this action.
Custom role creation in the Azure portal is an asynchronous operation. This means that there may be a time lag between the creation of a role and the time when this role becomes available.