Creating a custom role for the application

The built-in roles for Azure resources (except the Owner role) do not grant the permissions required to deploy a Cloud Edition cluster. Therefore, you must create a custom role that grants exactly those permissions.

Procedure

To create custom roles to meet the requirements, complete the following steps:
  1. Download and install Azure CLI on your machine.
  2. Copy the following JSON code to a JSON file and replace the Name, Description, and subscription ID placeholders with the name and description you want for the role and the Azure subscription ID in which the cluster is to be deployed.
    {
      "Name": "<Name of Role>",
      "Description": "<Description for role>",
      "IsCustom": true,
      "Actions": [
        "Microsoft.Authorization/locks/write",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/locations/runCommands/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/delete",
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/<subscriptionID>"
      ]
    }
  3. Run the following command:
    az role definition create --role-definition @<name_of_json_file>.json
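Before running the command, it is worth checking the edited file for the mistakes that most often get past review: a placeholder that was never replaced, a wildcard action that widens the role beyond the documented list, or an AssignableScopes entry that is not a single subscription. The following Python check is an added example, not part of the guide; the embedded JSON is a constructed subset of the role definition above, and the function names are the example's own.

```python
import json
import re

# Constructed sample: the guide's role definition with its placeholders still in
# place, trimmed to two Actions to keep the example short.
SAMPLE_ROLE_JSON = """
{ "Name": "<Name of Role>", "Description": "<Description for role>", "IsCustom": true,
  "Actions": [ "Microsoft.Compute/virtualMachines/write",
               "Microsoft.Storage/storageAccounts/listKeys/action" ],
  "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/<subscriptionID>" ] }
"""

PLACEHOLDER = re.compile(r"<[^>]*>")                 # anything still in <angle brackets>
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_role_definition(role: dict) -> list[str]:
    """Return the problems found; an empty list means the file is ready for
    `az role definition create`."""
    problems = []
    for key in ("Name", "Description"):
        if PLACEHOLDER.search(str(role.get(key, ""))):
            problems.append(f"{key} still contains a placeholder")
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    for action in role.get("Actions", []):
        if "*" in action:  # a wildcard grants more than the documented list
            problems.append(f"wildcard action {action!r} widens the role")
    if role.get("DataActions"):
        problems.append("DataActions should be empty; the deployment needs no data-plane access")
    scopes = role.get("AssignableScopes", [])
    if len(scopes) != 1:
        problems.append("expected exactly one AssignableScope (the target subscription)")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            problems.append(f"AssignableScope {scope!r} is not a single subscription ID")
    return problems


def check_role_file_text(text: str) -> list[str]:
    """Parse a role-definition file's contents and validate it."""
    return validate_role_definition(json.loads(text))


if __name__ == "__main__":
    for problem in check_role_file_text(SAMPLE_ROLE_JSON):
        print("problem:", problem)
```

Run it against the real file with `check_role_file_text(open(path).read())`; a non-empty result means the file should be fixed before it is submitted to `az`.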

Assign the application to a role

To access resources in your subscription, you must assign the application to the custom role you created.
  1. Log in to the Microsoft™ Azure Portal.
  2. Navigate to the subscription that is to be used to create the cluster.
  3. Select Access control (IAM) > Add role assignment.
    Note: The permissions are required only for a fresh deployment of the Cloud Edition or for adding a new node to an existing cluster. Once the Cloud Edition is deployed, the permissions are no longer needed, and the role can be disassociated from the application.
  4. Select the custom role that you created for the application, and then click Save.