This article explains how to create a custom role for Cloudaware in Microsoft Azure. You need to be Owner or User Access Administrator in Microsoft Azure to create custom roles.
Create role for Storage Account keys access
The built-in role "Reader" may not have the required permissions, such as access to the Storage Account keys necessary for collecting data about VHDs.
You need to have Owner or User Access Administrator permissions to create custom roles.
1. In the Azure portal, select the subscription or resource group to which the custom role should be assigned.
2. Open 'Access control (IAM)'. Click Add → Add custom role. Name the role Cloudaware Custom Policy.
3. Select one of the following options to proceed:
a) 'Start from scratch'.
Open the Permissions tab → Add permissions. Paste Microsoft.Storage/storageAccounts/listKeys/action into the 'Search for a permission' box to select Microsoft Storage. Check the box next to the permission. Click Add.
Tip: If you are planning to install Breeze Agent, the permission
b) 'Start from JSON'.
Use the JSON template below to create a file. Fill in your subscription ID in the {subscription-id} field.
Commonly used Azure built-in roles:
Built-in Role | ID
---|---
Reader |
Contributor |
Virtual Machine Contributor |
Virtual Network Contributor |
Storage Account Contributor |
Web Plan Contributor |
SQL Server Contributor |
SQL DB Contributor |
Open the 'JSON' tab to check and, if necessary, modify the permissions (see 3a). The JSON body of the existing role should look like the template below:
{
  "name": "{your-existing-Role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}"
  ],
  "RoleName": "{your-Role-name}",
  "RoleType": "CustomRole",
  "type": "Microsoft.Authorization/RoleDefinitions"
}
Replace {your-existing-Role-definition-id} with your role definition ID. In the "AssignableScopes" section, add the string "/subscriptions/{subscription-id}" with your subscription ID substituted for {subscription-id}.
4. Assign the created custom role: to a user if you are adding a Native application, or to the application if you are adding a Web app/API.
Creating a custom role in the Azure Portal is an asynchronous process, which means there may be a delay between the role's creation and its availability.
5. Open the tab 'Review + Create'. Check the role details and click Create.
Update an Existing Cloudaware Custom Policy
Cloudaware may introduce new capabilities that require additional actions and permissions. If a Cloudaware custom role already exists, you can update that role once rather than updating it separately for every subscription. If an existing Cloudaware Custom Policy role needs to be updated, your Technical Account Manager will provide instructions on how to do it.
Create role for tagging
Create a custom role to provide Cloudaware with permissions for tagging Azure resources:
{
  "properties": {
    "roleName": "{your-Role-name}",
    "description": "{your-Role-description}",
    "assignableScopes": [
      "/subscriptions/{subscription-id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/tagNames/read",
          "Microsoft.Resources/subscriptions/tagNames/write",
          "Microsoft.Resources/subscriptions/tagNames/delete",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/read",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/write",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/tags/write",
          "Microsoft.Resources/tags/delete",
          "Microsoft.Resources/tags/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Replace {your-Role-name}, {your-Role-description} and {subscription-id} with the corresponding values from your Azure environment.
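As an added example (not part of the Cloudaware documentation or the Azure tooling), a small Python helper that builds a role definition body in the same "properties" format as the tagging template above and checks it before it is submitted: it catches an unfilled {subscription-id} placeholder, duplicate assignable scopes, and wildcard actions that would grant more than the listed permissions. The function names and the sample subscription ID are assumptions.

```python
import json
import re

# Action set copied from the Storage Account keys template on this page.
STORAGE_KEYS_ACTIONS = [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]
# A valid subscription scope is "/subscriptions/<GUID>"; an unfilled
# "{subscription-id}" placeholder will not match this pattern.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def build_role_definition(role_name, description, subscription_ids, actions):
    """Build a custom role definition body in the portal's 'properties' format."""
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            "assignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
            "permissions": [{
                "actions": list(actions),
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
        }
    }

def validate_role_definition(role_def):
    """Return a list of problems; an empty list means the definition is acceptable."""
    props = role_def["properties"]
    problems = []
    if not props.get("roleName"):
        problems.append("roleName is empty")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("assignableScopes is empty")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            problems.append(f"scope is not a subscription id: {scope}")
    if len(set(scopes)) != len(scopes):
        problems.append("duplicate assignableScopes entries")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:  # a wildcard grants far more than the listed actions
                problems.append(f"wildcard action grants more than needed: {action}")
    return problems

if __name__ == "__main__":
    # Constructed sample subscription id, not a real one.
    role = build_role_definition("Cloudaware Custom Policy", "Cloudaware storage key access",
                                 ["00000000-0000-0000-0000-000000000001"], STORAGE_KEYS_ACTIONS)
    print(json.dumps(role, indent=2))
    print(validate_role_definition(role))
```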