Custom RBAC Role Definition in your Azure subscription (Virtual Machine, Snapshot Operator)
I got a requirement to write a custom RBAC role definition (Azure calls these "role definitions"; an Azure "policy" is a different, unrelated feature) with the following requirements:
- Allow read access to all details of the virtual machines, and allow the user to start and stop them.
- Manage snapshots of the managed disks attached to the virtual machines.
Following are the steps I followed to create a custom RBAC role definition that meets this requirement.
1. Understand the provider operations (Get-AzureRmProviderOperation)
Run the following PowerShell cmdlets to list the operations each resource provider exposes. The Operation column holds the exact string that goes into the role definition; the Description column tells you what each operation actually permits, so read it before granting anything.
Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | Format-Table OperationName, Operation, Description -AutoSize
Get-AzureRmProviderOperation "Microsoft.Compute/snapshots/*" | Format-Table OperationName, Operation, Description -AutoSize
2. Build the required role actions
From the output of the above cmdlets I picked the minimum set of actions that covers the requirement:
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Two caveats before you copy this list. First, powerOff/action only shuts down the guest OS; the VM stays allocated and continues to be billed. "Stop" in the Azure portal is a deallocate, which is a separate operation, so add Microsoft.Compute/virtualMachines/deallocate/action if that is what "stop" means for you. Second, a user with only these actions can call the API but cannot browse to the VMs through the portal's resource group views; if the role will be used from the portal, also grant Microsoft.Resources/subscriptions/resourceGroups/read, as the built-in Virtual Machine Contributor role does. Do not be tempted to use a wildcard such as Microsoft.Compute/virtualMachines/* instead: that would also grant delete, write, and run-command rights the requirement never asked for.
3. Create the custom role definition
Following is the PowerShell script I used to create the role definition. Save the lines in a .ps1 file.
Note: remember to substitute your own subscription id in the AssignableScopes line: $role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
# Start from a built-in role so the object has the right shape, then
# replace everything that matters (id, name, actions, scopes).
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                    # a null Id tells New-AzureRmRoleDefinition to create a new role
$role.Name = "Virtual Machine Operator"
$role.Description = "Allow access to see all of the details for the virtual machines and allow stop/start. Manage snapshots of the managed disks attached to the virtual machines"
$role.Actions.Clear()               # drop the inherited Virtual Machine Contributor actions
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/instanceView/read")
$role.Actions.Add("Microsoft.Compute/snapshots/read")
$role.Actions.Add("Microsoft.Compute/snapshots/write")
$role.Actions.Add("Microsoft.Compute/snapshots/delete")
$role.AssignableScopes.Clear()      # the built-in role is assignable at "/"; restrict ours to one subscription
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
New-AzureRmRoleDefinition -Role $role
4. Run the .ps1 script in Azure PowerShell
Connect to Azure with Connect-AzureRmAccount (Login-AzureRmAccount on older AzureRM releases), select the target subscription, and run the script. This creates a custom role definition named "Virtual Machine Operator" in your Azure subscription.
Verify that the definition exists, both from PowerShell (Get-AzureRmRoleDefinition -Name "Virtual Machine Operator") and in the Azure portal, and check that the Actions list contains exactly the operations you intended and nothing inherited from the built-in role.
5. Add a role assignment for the required user
Go to Access control (IAM) on the subscription, or better on just the resource group that holds the VMs, and create a new assignment via "Add role assignment". Select the custom role from the "Role" drop-down, pick the user, and save. The same can be done from PowerShell with New-AzureRmRoleAssignment. Assigning at resource-group scope keeps the blast radius small: the AssignableScopes entry in the definition only says where the role may be assigned, not where it must be.
The user is now equipped with the new custom RBAC role.
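The steps above as one end-to-end script. This is an added example and not the original post's script: it uses the same AzureRM cmdlets as the post, creates the role if it is missing or updates it in place if it already exists (so existing assignments keep working), validates every action against the provider operations list before submitting the definition, assigns the role at resource-group scope, and then checks the stored role for unintended actions. The subscription id, resource group name and user principal name are placeholders you must replace; the -AllowDeallocate switch is an assumed convenience for adding the deallocate action discussed in step 2. With the newer Az module the cmdlets are the same apart from the prefix (Get-AzRoleDefinition, New-AzRoleAssignment, and so on).

```powershell
# Added example (not from the original post). Assumed placeholders: subscription id,
# resource group, and assignee UPN below. Run in Azure PowerShell (AzureRM module).
param(
    [string]$SubscriptionId = "11111111-1111-1111-1111-111111111111",  # placeholder
    [string]$RoleName       = "Virtual Machine Operator",
    [string]$ResourceGroup  = "rg-prod-vms",                           # placeholder
    [string]$AssigneeUpn    = "vm-operator@contoso.com",               # placeholder
    [switch]$AllowDeallocate                                           # assumed option
)

Connect-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Explicit, non-wildcard action list: exactly what the requirement needs.
$actions = @(
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    # Lets the assignee browse to the resource group in the portal.
    "Microsoft.Resources/subscriptions/resourceGroups/read"
)
if ($AllowDeallocate) {
    # powerOff leaves the VM allocated and billed; portal "Stop" is a deallocate.
    $actions += "Microsoft.Compute/virtualMachines/deallocate/action"
}

# Validate each action against the provider operation catalogue before submitting;
# a typo here would otherwise be rejected by New-AzureRmRoleDefinition.
$known  = @(Get-AzureRmProviderOperation "Microsoft.Compute/*"   | Select-Object -ExpandProperty Operation)
$known += @(Get-AzureRmProviderOperation "Microsoft.Resources/*" | Select-Object -ExpandProperty Operation)
$unknown = $actions | Where-Object { $known -notcontains $_ }
if ($unknown) { throw "Unknown provider operations: $($unknown -join ', ')" }

$subScope = "/subscriptions/$SubscriptionId"
$existing = Get-AzureRmRoleDefinition -Name $RoleName
if ($existing) {
    # Update in place so the role id, and any assignments that reference it, survive.
    $existing.Actions.Clear()
    $actions | ForEach-Object { [void]$existing.Actions.Add($_) }
    $existing.AssignableScopes.Clear()
    [void]$existing.AssignableScopes.Add($subScope)
    $role = Set-AzureRmRoleDefinition -Role $existing
} else {
    # Clone a built-in role for its shape, then replace everything that matters.
    $def = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
    $def.Id = $null
    $def.Name = $RoleName
    $def.Description = "Start/stop VMs and manage managed-disk snapshots"
    $def.Actions.Clear()
    $def.NotActions.Clear()
    $actions | ForEach-Object { [void]$def.Actions.Add($_) }
    $def.AssignableScopes.Clear()
    [void]$def.AssignableScopes.Add($subScope)
    $role = New-AzureRmRoleDefinition -Role $def
}

# Assign at resource-group scope, not the whole subscription. AssignableScopes
# only says where the role may be assigned; any scope beneath it is allowed.
$rgScope = "$subScope/resourceGroups/$ResourceGroup"
$assignment = Get-AzureRmRoleAssignment -SignInName $AssigneeUpn -RoleDefinitionName $RoleName -Scope $rgScope
if (-not $assignment) {
    New-AzureRmRoleAssignment -SignInName $AssigneeUpn -RoleDefinitionName $RoleName -Scope $rgScope | Out-Null
}

# Verify what was actually stored: no wildcards and nothing beyond the intended list.
$check = Get-AzureRmRoleDefinition -Name $RoleName
$extra = $check.Actions | Where-Object { $actions -notcontains $_ }
if ($extra -or ($check.Actions -match '\*')) {
    throw "Role contains unexpected actions: $($extra -join ', ')"
}
$check | Format-List Name, Id, Actions, NotActions, AssignableScopes
```

The verification at the end is the part worth keeping in any automation: custom roles are easy to get subtly wrong (a leftover NotActions entry, a wildcard copied from a built-in role), and comparing the stored definition against the intended list catches that before a user is assigned to it.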