Info |
---|
The article explains how to create a custom role for Cloudaware in Microsoft Azure. The built-in role "Reader" may not have the permissions required for Cloudaware, such as default access to the Storage Account keys, which are necessary for collecting data about VHDs. Therefore, a custom role should be created. |
Custom Role For Storage Account Keys Access
You need to have Owner or User Access Administrator permissions in Microsoft Azure to create custom roles.
Create role for Storage Account Keys access
1. In the Azure portal, open the subscription or resource group to which the custom role is to be assigned.
...
3. Select one of the following options to proceed:
a) 'Start from scratch'.
Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action in the Search for a permission box to select Microsoft Storage. Check the box near the permission. Click Add.
...
Click Add.
Tip |
---|
If you are planning to install Breeze Agent, the permission |
b) 'Start from JSON'.
Use the JSON template below to create a file. Enter your subscription ID in the {subscription_id} field.
...
Replace {your-existing-Role-definition-id} with your role definition ID. In the section "AssignableScopes", add the string "/subscriptions/{subscription-id}" with your {subscription-id}.
4. If you add a native application, assign the created custom role to a user. If you add a Web app/API, assign the role to the application.
Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place between the role creation and the time when this role becomes available.
5. Open the tab 'Review + Create'. Check the role details and click Create.
...
Create custom role for tagging
Create a custom role to provide Cloudaware with minimum permissions for tagging Azure resources:
```json
{
  "properties": {
    "roleName": "{your-Role-name}",
    "description": "{your-Role-description}",
    "assignableScopes": [
      "/subscriptions/{subscription-id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/tagNames/read",
          "Microsoft.Resources/subscriptions/tagNames/write",
          "Microsoft.Resources/subscriptions/tagNames/delete",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/read",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/write",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/tags/write",
          "Microsoft.Resources/tags/delete",
          "Microsoft.Resources/tags/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Replace {your-Role-name}, {your-Role-description} and {subscription-id} with corresponding values from your Azure environment.
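Before pasting a filled-in definition into 'Start from JSON', it can be checked for leftover placeholders, over-broad scopes, wildcards and key-listing actions. The following is an added example, not Cloudaware's or Microsoft's code; the function `lint_role`, the allowed-namespace list and the sample values are assumptions of this example.

```python
import json
import re

# Constructed sample: a shortened tagging role in the portal JSON layout used
# on this page, with made-up values in place of the placeholders.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "cloudaware-tagging",
    "description": "Minimum permissions for tagging Azure resources",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
        "actions": ["Microsoft.Resources/subscriptions/tagNames/read",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/read"],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}})

# Namespaces the role is expected to stay inside (assumption of this example).
ALLOWED_PREFIXES = ("Microsoft.Resources/",)
# Actions that return secrets and should be approved explicitly.
SENSITIVE = {"microsoft.storage/storageaccounts/listkeys/action"}
PLACEHOLDER = re.compile(r"\{[^{}]+\}")
SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$")


def lint_role(text, allowed_prefixes=ALLOWED_PREFIXES):
    """Return a list of findings for a custom role definition in portal JSON."""
    findings = []
    try:
        props = json.loads(text)["properties"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"invalid role JSON: {exc}"]
    for field in ("roleName", "description"):
        if PLACEHOLDER.search(str(props.get(field, ""))):
            findings.append(f"{field}: placeholder not replaced")
    for scope in props.get("assignableScopes", []):
        if not SCOPE.match(scope):  # also catches an unreplaced {subscription-id}
            findings.append(f"scope not a subscription or resource group: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []) + perm.get("dataActions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() in SENSITIVE:
                findings.append(f"sensitive action (returns account keys): {action}")
            elif not action.startswith(allowed_prefixes):
                findings.append(f"outside allowed namespaces: {action}")
    return findings
```

For the Storage Account keys role, pass `allowed_prefixes=("Microsoft.Storage/",)`; the `listKeys` action is still reported so that granting it is a deliberate decision.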
Update
...
existing Cloudaware custom policy
Cloudaware may regularly introduce new capabilities requiring new actions and permissions. If a Cloudaware custom role already exists, you can update it without updating it for every subscription. If updating an existing Cloudaware custom role is required, your Technical Account Manager will provide you with instructions on how to perform this action.
Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and the time when this role becomes available.