
The Azure built-in "Reader" role has no access to the Storage Account keys that are required for collecting data about VHDs, so a separate custom role has to be created. You can create it by following this How-To.

Name the new role CloudAware Custom Policy. This role uses the List Keys action, which grants read access to the Storage Account keys:

"Microsoft.Storage/storageAccounts/listKeys/action"

If you are going to set up the Breeze Agent, you need to include one more action in your role: "Microsoft.Compute/virtualMachines/extensions/write".

To create the new role, use the JSON template below and replace the {subscription_id} placeholder in assignableScopes with your subscription id.

{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

For reference, here are the well-known GUIDs of commonly used built-in roles:

Reader: acdd72a7-3385-48ef-bd42-f606fba81ae7
Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c
Virtual Machine Contributor: d73bb868-a0df-4d4d-bd69-98a00b01fccb
Virtual Network Contributor: b34d265f-36f7-4a0d-a4d4-e158ca92e90f
Storage Account Contributor: 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Website Contributor: de139f84-1756-47ae-9be6-808fbbe84772
Web Plan Contributor: 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
SQL Server Contributor: 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
SQL DB Contributor: 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

If a custom role already exists, you can use it instead. The JSON body of your role should then look like the template below. Replace {your-existing-role-definition-id} with your role definition id, and in the assignableScopes section add the string "/subscriptions/{subscription-id}" with your {subscription-id}.

{
  "name": "{your-existing-role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "assignableScopes": [
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}"
  ],
  "roleName": "{your-role-name}",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Then you will need to assign this custom role to a user in case you are adding a Native application, or to the application in case you are adding a Web app/API.
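The following Python helper is an added example, not part of this page or of Cloudaware's tooling. It covers both procedures above: building the definition for a new role, merging the two required actions into an existing role definition (in the shape printed by `az role definition list`) without disturbing the permissions it already carries, and auditing the result for least privilege (required actions present, no wildcard actions, every assignable scope a single subscription) before it is applied. The subscription id, role definition id and principal object id are constructed placeholders; the generated Azure CLI commands are returned as strings, not executed.

```python
"""Prepare and sanity-check the Cloudaware custom role (added example)."""
import json
import re

# The two actions this page says the collector needs on top of Reader.
REQUIRED_ACTIONS = (
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
)
# A scope of exactly one subscription: "/subscriptions/<guid>".
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed placeholders (not real identifiers).
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"
SAMPLE_EXISTING_ROLE = {
    "name": "00000000-0000-0000-0000-00000000abcd",
    "roleName": "Cloudaware Custom Policy",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
    "permissions": [{"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
                     "notActions": []}],
    "assignableScopes": [],
}


def build_role_definition(subscription_id, name="CloudAware Collector Extended"):
    """Role definition for a NEW custom role, in the format `az role definition create` accepts."""
    return {
        "IsCustom": True,
        "Name": name,
        "Description": "Storage Account key listing and VM extension write for the Cloudaware collector.",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def merge_required_actions(existing_role, subscription_ids):
    """Copy of an EXISTING role with the required actions and subscription scopes added.

    Existing actions are kept, nothing is removed, and the function is idempotent."""
    role = json.loads(json.dumps(existing_role))  # deep copy; the input is left untouched
    perms = role.setdefault("permissions", [{"actions": [], "notActions": []}])
    actions = perms[0].setdefault("actions", [])
    for action in REQUIRED_ACTIONS:
        if action not in actions:
            actions.append(action)
    scopes = role.setdefault("assignableScopes", [])
    for sub in subscription_ids:
        scope = f"/subscriptions/{sub}"
        if scope not in scopes:
            scopes.append(scope)
    return role


def audit_role(role):
    """Least-privilege checks; returns a list of findings (empty means OK).

    Accepts either JSON shape shown on this page (new-role or existing-role)."""
    if "permissions" in role:
        actions = [a for p in role["permissions"] for a in p.get("actions", [])]
        scopes = role.get("assignableScopes", [])
    else:
        actions = role.get("Actions", [])
        scopes = role.get("AssignableScopes", [])
    findings = []
    for required in REQUIRED_ACTIONS:
        if required not in actions:
            findings.append(f"missing required action: {required}")
    for action in actions:
        if "*" in action:
            findings.append(f"wildcard action grants more than the collector needs: {action}")
    if not scopes:
        findings.append("no assignable scopes")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            findings.append(f"scope is not a single subscription: {scope}")
    return findings


def cli_commands(role_name, subscription_id, assignee_object_id,
                 principal_type="ServicePrincipal", update=False):
    """Azure CLI commands to apply role.json and assign the role (strings, not executed).

    Use principal_type="User" when the page's Native-application case applies."""
    verb = "update" if update else "create"
    return [
        f"az role definition {verb} --role-definition @role.json",
        f"az role assignment create --assignee-object-id {assignee_object_id} "
        f"--assignee-principal-type {principal_type} --role \"{role_name}\" "
        f"--scope /subscriptions/{subscription_id}",
    ]


if __name__ == "__main__":
    merged = merge_required_actions(SAMPLE_EXISTING_ROLE, [SAMPLE_SUBSCRIPTION])
    print(json.dumps(merged, indent=2))
    print("findings:", audit_role(merged) or "none")
    for cmd in cli_commands(merged["roleName"], SAMPLE_SUBSCRIPTION,
                            "00000000-0000-0000-0000-0000000000aa", update=True):
        print(cmd)
```

Write the merged definition to role.json, run the printed commands, and re-run audit_role on the output of `az role definition list --custom-role-only true` afterwards to confirm that what Azure stored matches what you intended.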

Creating a custom role in the Azure Portal is an asynchronous operation, so there may be a time lag before the new role becomes available.

By performing this action, you confirm access to your virtual machines to be granted to the appropriate user for potential data modification.

Updating an Existing Cloudaware Custom Policy

Cloudaware may regularly introduce new capabilities that require additional actions and permissions. If a Cloudaware custom role already exists, you can update that single role rather than updating it separately for every subscription. If an update of an existing Cloudaware Custom Policy role is required, your Technical Account Manager will provide you with instructions on how to perform it.

Creating a custom role in the Azure Portal is an asynchronous operation, so there may be a time lag between the creation of a role and the moment it becomes available.
