
The Azure built-in Role "Reader" has no default access to the Storage Account keys, which are required for collecting data about VHDs, so a custom Role must be created instead.

Create a Custom Role

Keep in mind that you need permissions to create custom Roles, such as Owner or User Access Administrator.

1. In the Azure portal, open a subscription or resource group where you want the custom Role to be assignable.

2. Open 'Access control (IAM)'. Click Add → Add custom Role*. Name the Role CloudAware Custom Policy.

3. Open the tab 'JSON'. Use the JSON template below. Fill your subscription id in the {subscription_id} field.

{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default Role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

The permission Microsoft.Storage/storageAccounts/listKeys/action grants 'read' access to List Keys.

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required as well.


Commonly used Azure built-in roles:

Built-in Role                  ID
Reader                         acdd72a7-3385-48ef-bd42-f606fba81ae7
Contributor                    b24988ac-6180-42a0-ab88-20f7382dd24c
Virtual Machine Contributor    d73bb868-a0df-4d4d-bd69-98a00b01fccb
Virtual Network Contributor    b34d265f-36f7-4a0d-a4d4-e158ca92e90f
Storage Account Contributor    86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Web Plan Contributor           2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
SQL Server Contributor         6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
SQL DB Contributor             9b7fa17d-e63e-47b0-bb0a-15c516ac86ec


*In case a custom Role already exists in your environment, its JSON body should look like the template below:

{
  "name": "{your-existing-Role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}"
  ],
  "RoleName": "{your-Role-name}",
  "RoleType": "CustomRole",
  "type": "Microsoft.Authorization/RoleDefinitions"
}

Replace {your-existing-Role-definition-id} with your Role definition id. In the "AssignableScopes" section, add one "/subscriptions/{subscription-id}" entry per subscription the Role should be assignable in, using your {subscription-id}.
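As an added example (not CloudAware's or Azure's own code), the following Python builds the flat template shown above for one or more subscriptions and checks a pasted definition of either shape (the flat template or the existing-Role template with "permissions") against what this page says the Role should grant: exactly the two listed actions, no wildcards, an empty notActions, and only subscription-level assignable scopes. The function names and the constructed subscription ids are assumptions made for the example.

```python
import json
import re

# Actions the page's custom Role is expected to carry, and nothing more.
EXPECTED_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
}
# Azure subscription scopes look like /subscriptions/<GUID>.
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
)


def _get(obj, key, default=None):
    """Case-insensitive key lookup: the page's templates mix 'Actions' and 'actions'."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default


def build_role_definition(role_name, subscription_ids, breeze_agent=True):
    """Produce the flat role-definition template for one or more subscription ids."""
    actions = ["Microsoft.Storage/storageAccounts/listKeys/action"]
    if breeze_agent:  # extensions/write is only needed when Breeze Agent will be installed
        actions.insert(0, "Microsoft.Compute/virtualMachines/extensions/write")
    return {
        "IsCustom": True,
        "Name": role_name,
        "Description": "Read access to Storage Account keys for VHD and Blob Container collection.",
        "Actions": actions,
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{sid}" for sid in subscription_ids],
    }


def extract_permissions(definition):
    """Return (actions, notActions) from either template shape on the page:
    flat ('Actions' at top level) or nested ('permissions': [{'actions': [...]}])."""
    perms = _get(definition, "permissions")
    if perms:
        actions, not_actions = [], []
        for p in perms:
            actions += _get(p, "actions", [])
            not_actions += _get(p, "notActions", [])
        return actions, not_actions
    return _get(definition, "actions", []), _get(definition, "notActions", [])


def check_least_privilege(definition):
    """Return a list of findings; an empty list means the Role grants exactly what the page describes."""
    findings = []
    actions, not_actions = extract_permissions(definition)
    if not actions:
        findings.append("no actions granted")
    for a in actions:
        if "*" in a:
            findings.append(f"wildcard action: {a}")
        elif a not in EXPECTED_ACTIONS:
            findings.append(f"unexpected action: {a}")
    if not_actions:
        findings.append("notActions is expected to be empty for this Role")
    scopes = _get(definition, "assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes")
    for s in scopes:
        # An unfilled {subscription_id} placeholder fails here too, which is intended.
        if not SUBSCRIPTION_SCOPE.match(s):
            findings.append(f"scope is not a single subscription: {s}")
    if len(set(scopes)) != len(scopes):
        findings.append("duplicate assignableScopes entries")
    return findings


def check_json_text(text):
    """Parse the JSON you are about to paste into the portal's JSON tab and check it."""
    return check_least_privilege(json.loads(text))


if __name__ == "__main__":
    # Constructed subscription ids for the example, not real ones.
    subs = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]
    good = build_role_definition("CloudAware Custom Policy", subs)
    print(json.dumps(good, indent=2))
    print("findings:", check_least_privilege(good))
```

Run the check on the definition before saving it in the portal; a non-empty findings list means the Role is broader (or differently scoped) than the two-action Role this page asks for, for example if someone substituted "Microsoft.Storage/*" for the listKeys action or left a placeholder in AssignableScopes.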

4. Assign the custom Role to a user in case you are adding a Native application, or to the application in case you are adding a Web app/API.

Custom Role creation in the Azure Portal is an asynchronous operation, so there may be a time lag between the creation of a Role and the moment the Role becomes available for assignment.

By assigning this Role, you confirm that the chosen user or application is granted access to your virtual machines that can be used to modify data (the virtualMachines/extensions/write action).

Update an Existing Cloudaware Custom Policy

Cloudaware may regularly introduce new capabilities that require new actions and permissions to be added. If a Cloudaware custom Role already exists, you can update that one Role rather than re-creating it for every subscription. If an update of an existing Cloudaware Custom Policy Role is required, your Technical Account Manager will provide you with instructions on how to perform it.

