
This article explains how to create a custom role for Cloudaware in Microsoft Azure. You need to be an Owner or User Access Administrator in Microsoft Azure to create custom roles.


Create role for Storage Account keys access

The built-in role "Reader" may not have the required permissions, such as access to the Storage Account keys, which is necessary for collecting data about VHDs.

Create a Custom Role

Keep in mind that you need permissions to create custom roles, such as Owner or User Access Administrator.

1. In the Azure portal, select the subscription or resource group where the custom role should be assignable.

2. Open 'Access control (IAM)'. Click Add → Add custom role. Name the new role Cloudaware Custom Policy.

3. Select one of the following options to proceed:

a) 'Start from scratch'.

Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action into the 'Search for a permission' box to select Microsoft Storage. Check the box near the permission. Click Add.

Tip

The permission Microsoft.Storage/storageAccounts/listKeys/action grants 'read' access to Storage Account Keys.

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required for this custom role as well.

b) 'Start from JSON'.

Use the JSON template below to create a file. Fill in your subscription id in the {subscription_id} field.

{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

c) 'Clone a role'. Select one of the existing roles. Commonly used Azure built-in roles and their role definition IDs:

Built-in Role                  ID
Reader                         acdd72a7-3385-48ef-bd42-f606fba81ae7
Contributor                    b24988ac-6180-42a0-ab88-20f7382dd24c
Virtual Machine Contributor    d73bb868-a0df-4d4d-bd69-98a00b01fccb
Virtual Network Contributor    b34d265f-36f7-4a0d-a4d4-e158ca92e90f
Storage Account Contributor    86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Web Plan Contributor           2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
SQL Server Contributor         6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
SQL DB Contributor             9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

Open the tab 'JSON' to check and modify the permissions (see 3 a) if necessary. The JSON body of the existing role should look like the template below:

{
  "name": "{your-existing-Role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "assignableScopes": [
    "/subscriptions/{subscription-id}"
  ],
  "roleName": "{your-Role-name}",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Replace {your-existing-Role-definition-id} with your role definition id. In the "assignableScopes" section, add the string "/subscriptions/{subscription-id}" with your {subscription-id}.

4. If you add a Native application, assign the created custom role to a user. If you add a Web app/API, assign the role to the application.

Creating a custom role in the Azure Portal is an asynchronous process, which means there may be a delay between the role's creation and its availability.

Note

By performing this action, you confirm access to your virtual machines to be granted to the appropriate user for potential data modification.

5. Open the tab 'Review + Create'. Check the role details and click Create.

Create role for tagging

Create a custom role to provide Cloudaware with permissions for tagging Azure resources:

{
  "properties": {
    "roleName": "{your-Role-name}",
    "description": "{your-Role-description}",
    "assignableScopes": [
      "/subscriptions/{subscription-id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/tagNames/read",
          "Microsoft.Resources/subscriptions/tagNames/write",
          "Microsoft.Resources/subscriptions/tagNames/delete",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/read",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/write",
          "Microsoft.Resources/subscriptions/tagNames/tagValues/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/tags/write",
          "Microsoft.Resources/tags/delete",
          "Microsoft.Resources/tags/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Replace {your-Role-name}, {your-Role-description} and {subscription-id} with corresponding values from your Azure environment.
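As an added example (not code from the Cloudaware article or product), the Python script below builds the section 3 b) collector template from a subscription id and lints a role definition before it is submitted, accepting both that CLI-style JSON and the portal-style JSON with a "properties" object used in section 3 c) and for the tagging role above: it flags wildcard or unlisted actions, any assignable scope that is not a single subscription GUID (which catches an unreplaced {subscription-id} placeholder), and duplicated scopes. The subscription id is a constructed placeholder and all function names are the example's own.

```python
import json
import re

# Constructed placeholder; replace with your own subscription id.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
# A valid assignable scope is exactly one subscription identified by a GUID, so a
# forgotten "{subscription-id}" placeholder or the root scope "/" is rejected.
SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# The two actions the article's collector template grants.
COLLECTOR_ACTIONS = {
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
}

def build_collector_role(subscription_id):
    """Return the section 3 b) template with the subscription id filled in."""
    return {
        "IsCustom": True,
        "Name": "CloudAware Collector Extended",
        "Description": "Storage Account key access for Blob Container and VHD collection.",
        "Actions": sorted(COLLECTOR_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def lint_role(role, expected_actions):
    """Return findings for a role definition; an empty list means it is safe to submit."""
    # Accept both the CLI shape (Actions/AssignableScopes at the top level) and the
    # portal JSON-tab shape (a "properties" object holding a "permissions" list).
    props = role.get("properties", role)
    perms = props.get("permissions") or [{"actions": props.get("Actions", props.get("actions", []))}]
    actions = [a for p in perms for a in p.get("actions", p.get("Actions", []))]
    scopes = props.get("AssignableScopes", props.get("assignableScopes", []))
    findings = []
    for a in actions:
        if "*" in a:
            findings.append(f"wildcard action {a!r} grants more than the template")
        elif a not in expected_actions:
            findings.append(f"unexpected action {a!r}")
    for a in sorted(expected_actions - set(actions)):
        findings.append(f"missing action {a!r}")
    for s in scopes:
        if not SCOPE.match(s):
            findings.append(f"scope {s!r} is not a single subscription with a GUID id")
    if not scopes or len(set(scopes)) != len(scopes):
        findings.append("assignableScopes must list each subscription exactly once")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_collector_role(SUBSCRIPTION_ID), indent=2))
```

Save the printed JSON to a file and submit it with `az role definition create --role-definition @cloudaware-role.json` once lint_role returns no findings.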

Update existing Cloudaware custom policy

Cloudaware may introduce new capabilities that require additional actions and permissions. If a custom role is already in place, it can be updated once across all subscriptions. Your Cloudaware Technical Account Manager will provide the instructions.
