Custom RBAC Role-Definition in your AZURE subscription (Virtual Machine, Snapshot Operator)

I was given a requirement to write a custom RBAC role with the following specifics:

  1. Allow the user to view all details of the virtual machines and to stop/start them.
  2. Allow the user to manage snapshots of the managed disks attached to those virtual machines.

The following are the steps I followed to create a custom RBAC role definition that meets this requirement.

1. Understand the ‘Get-AzureRmProviderOperation’ details

Run the following PowerShell cmdlets to list the operations (and their descriptions) that the Microsoft.Compute provider exposes for virtual machines and snapshots.

PS C:\Users\mphilip\Desktop\Azure> Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

PS C:\Users\mphilip\Desktop\Azure> Get-AzureRmProviderOperation "Microsoft.Compute/snapshots/*" | FT OperationName, Operation, Description -AutoSize

2. Build the required role actions

From the output of the above cmdlets I selected the following actions, which are exactly the operations the requirement calls for and nothing broader (no wildcards):
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete

3. Create the custom role definition

The following is the PowerShell script I used to create the role definition. Save the lines in a .ps1 file.
Note: remember to substitute your own subscription id in this line: $role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")

# Start from the built-in "Virtual Machine Contributor" definition as a template
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
# Clearing the Id makes New-AzureRmRoleDefinition create a new role instead of touching the built-in one
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Allow access to see all of the details for the virtual machines and allowing to stop/start. Manage snapshots of the managed disks attached to the virtual machines"
# Drop the template's actions and add only the eight operations identified in step 2
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/instanceView/read")
$role.Actions.Add("Microsoft.Compute/snapshots/read")
$role.Actions.Add("Microsoft.Compute/snapshots/write")
$role.Actions.Add("Microsoft.Compute/snapshots/delete")
# Limit where the role can be assigned: only within this subscription (substitute your own id)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
New-AzureRmRoleDefinition -Role $role

4. Run the PS1 script in Azure PS

Connect to Azure from PowerShell and run the script. This creates a custom role definition named “Virtual Machine Operator” in your Azure subscription.
Verify that the definition now exists in your subscription, both from PowerShell and in the Azure Portal.

5. Add Role Assignment to the required user

Go to the Access control (IAM) blade of the required subscription and create a new assignment with ‘Add role assignment’. Select the custom role created above from the ‘Role’ drop-down, pick the required user, and save the changes.

The user now holds the new custom RBAC role.
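The two final steps above (checking that the definition was created, then assigning it through the portal) can also be done from PowerShell. The script below is an added example, not code from the original post: it fetches the “Virtual Machine Operator” definition and compares it against the eight actions selected in step 2, so an unexpected or wildcard action is caught before anyone is assigned the role, and then performs the assignment at resource-group scope rather than the whole subscription. The subscription id is the same placeholder the post uses; the resource group name and user principal name are assumed placeholders. With the newer Az module, replace “AzureRm” in each cmdlet name with “Az”.

```powershell
# Added example (not from the original post): verify the custom role created in
# steps 3/4 and perform the step-5 assignment from PowerShell at resource-group scope.
# Placeholder values below are assumptions; the post itself only shows the subscription id.
# With the newer Az module, replace "AzureRm" in each cmdlet name with "Az".

$subscriptionId = "11111111-1111-1111-1111-111111111111"   # placeholder, same as in the post
$resourceGroup  = "rg-vm-operators"                         # placeholder resource group name
$userSignIn     = "operator@contoso.onmicrosoft.com"        # placeholder user principal name
$roleName       = "Virtual Machine Operator"

# The exact action set the role is meant to carry (the list from step 2).
$expectedActions = @(
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete"
)

# --- Check the definition (step 4) --------------------------------------------
$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role)          { throw "Role '$roleName' not found; run the creation script first." }
if (-not $role.IsCustom) { throw "Role '$roleName' is a built-in role, not the custom one." }

# Any action beyond the eight selected ones (for example a wildcard such as
# Microsoft.Compute/*) would widen the grant beyond what the requirement asked for.
$extra     = @($role.Actions    | Where-Object { $_ -notin $expectedActions })
$missing   = @($expectedActions | Where-Object { $_ -notin $role.Actions })
$wildcards = @($role.Actions    | Where-Object { $_.Contains('*') })

if ($extra.Count)           { throw "Unexpected actions in role: $($extra -join ', ')" }
if ($missing.Count)         { throw "Actions missing from role: $($missing -join ', ')" }
if ($wildcards.Count)       { throw "Wildcard actions present: $($wildcards -join ', ')" }
if ($role.NotActions.Count) { Write-Warning "Role carries NotActions: $($role.NotActions -join ', ')" }
if ($role.AssignableScopes -notcontains "/subscriptions/$subscriptionId") {
    throw "Role is not assignable within subscription $subscriptionId"
}
Write-Output "Role '$roleName' matches the expected definition."

# --- Assign the role (step 5) -------------------------------------------------
# A resource-group scope limits the operator to the VMs and snapshots in that group.
# The role can still be assigned there because AssignableScopes lists the parent subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Get-AzureRmRoleAssignment at a child scope also returns assignments inherited from
# the subscription, so an existing subscription-wide grant counts as "already assigned".
$existing = Get-AzureRmRoleAssignment -SignInName $userSignIn -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzureRmRoleAssignment -SignInName $userSignIn -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Output "Assigned '$roleName' to $userSignIn at $scope"
} else {
    Write-Output "Assignment already present; nothing to do."
}

# Show what the user effectively holds at this scope (inherited assignments included).
Get-AzureRmRoleAssignment -SignInName $userSignIn -Scope $scope |
    Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
```

Run it in the same authenticated session you used for the creation script. The definition check throws on the first mismatch, so a role that silently inherited extra actions from the template (for instance if the `$role.Actions.Clear()` line were dropped) fails here rather than at assignment time.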
