
The Azure built-in role "Reader" has no default access to the Storage Account keys, which are required for collecting data about VHDs, so a separate custom role has to be created.

Create a Custom Role

Keep in mind that you need permissions to create custom roles, such as Owner or User Access Administrator.

1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable.

2. Open Access control (IAM). Click Add and then click Add custom role.

3. Name the new role CloudAware Custom Policy.

4. Open the Permissions tab and click Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action into the Search for a permission box to select Microsoft Storage. Check the box next to the permission. Click Add.

If you are planning to install Breeze Agent, add Microsoft.Compute/virtualMachines/extensions/write permission to the role.


5. Select 'Start from JSON'. Use the JSON template below. Replace {subscription_id} in the assignableScopes section with your subscription id.

{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

Here are the well-known role definition IDs of commonly used built-in roles:

Reader: acdd72a7-3385-48ef-bd42-f606fba81ae7
Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c
Virtual Machine Contributor: d73bb868-a0df-4d4d-bd69-98a00b01fccb
Virtual Network Contributor: b34d265f-36f7-4a0d-a4d4-e158ca92e90f
Storage Account Contributor: 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Website Contributor: de139f84-1756-47ae-9be6-808fbbe84772
Web Plan Contributor: 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
SQL Server Contributor: 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
SQL DB Contributor: 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

If a custom role already exists, you can use it as well. The JSON body of your role should look like the template below. Replace {your-existing-role-definition-id} with your role definition id. In the "assignableScopes" section add one "/subscriptions/{subscription-id}" entry per subscription, with {subscription-id} replaced by the id of that subscription.

{
  "name": "{your-existing-role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "assignableScopes": [
    "/subscriptions/{subscription-id-1}",
    "/subscriptions/{subscription-id-2}",
    "/subscriptions/{subscription-id-3}"
  ],
  "roleName": "{your-role-name}",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Then you will need to assign this custom role to a user if you are adding a Native application, or to the application if you are adding a Web app/API.

Creating a custom role in the Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and the time when it becomes available.

By performing this action, you confirm that the designated user is granted access to your virtual machines, including the ability to modify data on them.
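As an added example (not Cloudaware's own tooling), the following Python builds the role definition in the layout the portal's 'Start from JSON' import accepts, with one assignableScopes entry per subscription, and reviews either template above before import: it flags wildcard or unexpected actions, missing actions, unfilled {subscription-id} placeholders, scopes outside the subscriptions you intend, and repeated scope lines. The role name, description and subscription ids are whatever you pass in; nothing is read from Azure.

```python
# Actions granted by the page's role template (the set is constructed to match the page).
EXPECTED_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
}


def _get(obj, key):
    """Case-insensitive lookup: the page's templates mix 'Actions', 'notActions', 'AssignableScopes'."""
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)


def build_role_definition(role_name, description, subscription_ids):
    """Build the role in the ARM 'properties' layout that the portal's 'Start from JSON' import
    accepts, with one assignableScopes entry per subscription (no repeated lines)."""
    scopes = list(dict.fromkeys(f"/subscriptions/{s}" for s in subscription_ids))
    return {"properties": {
        "roleName": role_name,
        "description": description,
        "assignableScopes": scopes,
        "permissions": [{"actions": sorted(EXPECTED_ACTIONS), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }}


def review_role_definition(role_def, allowed_subscription_ids):
    """Review a definition in either layout the page shows (flat CLI-style keys or nested under
    'properties'); returns a list of findings, empty when it matches expectations."""
    findings = []
    props = _get(role_def, "properties") or role_def
    granted = set(_get(props, "actions") or [])
    for perm in _get(props, "permissions") or []:
        granted.update(_get(perm, "actions") or [])
    for action in sorted(granted):
        if "*" in action:  # a wildcard silently grows with every new resource-provider operation
            findings.append(f"wildcard action: {action}")
        elif action not in EXPECTED_ACTIONS:
            findings.append(f"unexpected action: {action}")
    findings += [f"missing action: {a}" for a in sorted(EXPECTED_ACTIONS - granted)]
    allowed = {f"/subscriptions/{s}" for s in allowed_subscription_ids}
    scopes = _get(props, "assignableScopes") or []
    for scope in sorted(set(scopes)):
        if "{" in scope:
            findings.append(f"unfilled placeholder in scope: {scope}")
        elif scope not in allowed:
            findings.append(f"scope outside the allowed subscriptions: {scope}")
    if len(scopes) != len(set(scopes)):
        findings.append("duplicate assignableScopes entries")
    return findings
```

Run the review on the JSON you are about to paste into the portal; an empty result means the role carries exactly the two actions above and is assignable only in the subscriptions you listed.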

Update an Existing Cloudaware Custom Policy

Cloudaware may regularly introduce new capabilities that require new actions and permissions to be added. If a Cloudaware custom role already exists, you can update that role once instead of updating it for every subscription. If updating an existing Cloudaware Custom Policy role is required, your Technical Account Manager will provide you with instructions on how to perform this action.

Creating a custom role in the Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and the time when this role becomes available.
