Configure Azure VM Image Builder permissions by using PowerShell
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets
When you register for Azure VM Image Builder, this grants the service permission to create, manage, and delete a staging resource group. The service also has rights to add resources to a resource group, required for the image build. During a successful registration, your subscription gets access to a VM Image Builder service principal name (SPN).
If you want VM Image Builder to distribute images, you need to create a user-assigned identity in Azure, with permissions to read and write images. For example, you might want to distribute images to managed images or to Azure Compute Gallery. If you're accessing Azure Storage, then the user-assigned identity you create needs permissions to read private or public containers.
You must set up permissions and privileges prior to building an image. The following sections detail how to configure possible scenarios by using PowerShell.
Create a user-assigned managed identity
VM Image Builder requires you to create an Azure user-assigned managed identity. VM Image Builder uses this identity to read images, write images, and access Azure Storage accounts. You grant the identity permission to do specific actions in your subscription.
Note
User-assigned managed identity is the correct way to grant permissions to the image resource groups. The SPN is deprecated for this purpose.
The following example shows you how to create an Azure user-assigned managed identity. Replace the placeholder settings to set your variables.
Setting | Description |
---|---|
<Resource group> | The resource group where you want to create the user-assigned managed identity. |
## Add AZ PS module to support AzUserAssignedIdentity
Install-Module -Name Az.ManagedServiceIdentity
$parameters = @{
Name = 'aibIdentity'
ResourceGroupName = '<Resource group>'
}
# create identity
New-AzUserAssignedIdentity @parameters
For more information, see Azure user-assigned managed identity.
Allow VM Image Builder to distribute images
For VM Image Builder to distribute images, the service must be allowed to inject the images into resource groups. To grant the required permissions, create a user-assigned managed identity, and grant it rights on the resource group where the image is built. VM Image Builder doesn't have permission to access resources in other resource groups in the subscription. You need to take explicit actions to allow access, to prevent your builds from failing.
You don't need to grant the user-assigned managed identity contributor rights on the resource group to distribute images. However, the user-assigned managed identity needs the following Azure Actions
permissions in the distribution resource group:
Microsoft.Compute/images/write
Microsoft.Compute/images/read
Microsoft.Compute/images/delete
If you want to distribute to Azure Compute Gallery, you also need:
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/galleries/images/versions/write
Permission to customize existing images
For VM Image Builder to build images from source custom images, the service must be allowed to read the images into these resource groups. To grant the required permissions, create a user-assigned managed identity, and grant it rights on the resource group where the image is located.
Here's how you build from an existing custom image:
Microsoft.Compute/images/read
Here's how you build from an existing Azure Compute Gallery version:
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Permission to customize images on your virtual networks
VM Image Builder has the capability to deploy and use an existing virtual network in your subscription, thus allowing customizations access to connected resources.
You don't need to grant the user-assigned managed identity contributor rights on the resource group to deploy a VM to an existing virtual network. However, the user-assigned managed identity needs the following Azure Actions
permissions on the virtual network resource group:
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Create an Azure role definition
The following examples create an Azure role definition from the actions described in the previous sections. The examples are applied at the resource group level. Evaluate and test if the examples are granular enough for your requirements.
The image actions allow read and write. Decide what is appropriate for your environment. For example, create a role to allow VM Image Builder to read images from resource group example-rg-1, and write images to resource group example-rg-2.
Custom image Azure role example
The following example creates an Azure role to use and distribute a source custom image. You then grant the custom role to the user-assigned managed identity for VM Image Builder.
To simplify the replacement of values in the example, set the following variables first. Replace the placeholder settings to set your variables.
Setting | Description |
---|---|
<Subscription ID> | Your Azure subscription ID. |
<Resource group> | Resource group for the custom image. |
$sub_id = "<Subscription ID>"
# Resource group - image builder will only support creating custom images in the same Resource Group as the source managed image.
$imageResourceGroup = "<Resource group>"
$identityName = "aibIdentity"
# Use a web request to download the sample JSON description
$sample_uri="https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json"
$role_definition="aibRoleImageCreation.json"
Invoke-WebRequest -Uri $sample_uri -Outfile $role_definition -UseBasicParsing
# Create a unique role name to avoid clashes in the same Azure Active Directory domain
$timeInt=$(get-date -UFormat "%s")
$imageRoleDefName="Azure Image Builder Image Def"+$timeInt
# Update the JSON definition placeholders with variable values
((Get-Content -path $role_definition -Raw) -replace '<subscriptionID>',$sub_id) | Set-Content -Path $role_definition
((Get-Content -path $role_definition -Raw) -replace '<rgName>', $imageResourceGroup) | Set-Content -Path $role_definition
((Get-Content -path $role_definition -Raw) -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName) | Set-Content -Path $role_definition
# Create a custom role from the aibRoleImageCreation.json description file.
New-AzRoleDefinition -InputFile $role_definition
# Get the user-identity properties
$identityNameResourceId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).Id
$identityNamePrincipalId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).PrincipalId
# Grant the custom role to the user-assigned managed identity for Azure Image Builder.
$parameters = @{
ObjectId = $identityNamePrincipalId
RoleDefinitionName = $imageRoleDefName
Scope = '/subscriptions/' + $sub_id + '/resourceGroups/' + $imageResourceGroup
}
New-AzRoleAssignment @parameters
Existing virtual network Azure role example
The following example creates an Azure role to use and distribute an existing virtual network image. You then grant the custom role to the user-assigned managed identity for VM Image Builder.
To simplify the replacement of values in the example, set the following variables first. Replace the placeholder settings to set your variables.
Setting | Description |
---|---|
<Subscription ID> | Your Azure subscription ID. |
<Resource group> | The virtual network resource group. |
$sub_id = "<Subscription ID>"
$res_group = "<Resource group>"
$identityName = "aibIdentity"
# Use a web request to download the sample JSON description
$sample_uri="https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleNetworking.json"
$role_definition="aibRoleNetworking.json"
Invoke-WebRequest -Uri $sample_uri -Outfile $role_definition -UseBasicParsing
# Create a unique role name to avoid clashes in the same AAD domain
$timeInt=$(get-date -UFormat "%s")
$networkRoleDefName="Azure Image Builder Network Def"+$timeInt
# Update the JSON definition placeholders with variable values
((Get-Content -path $role_definition -Raw) -replace '<subscriptionID>',$sub_id) | Set-Content -Path $role_definition
((Get-Content -path $role_definition -Raw) -replace '<vnetRgName>', $res_group) | Set-Content -Path $role_definition
((Get-Content -path $role_definition -Raw) -replace 'Azure Image Builder Service Networking Role',$networkRoleDefName) | Set-Content -Path $role_definition
# Create a custom role from the aibRoleNetworking.json description file
New-AzRoleDefinition -InputFile $role_definition
# Get the user-identity properties
$identityNameResourceId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).Id
$identityNamePrincipalId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).PrincipalId
# Assign the custom role to the user-assigned managed identity for Azure Image Builder
$parameters = @{
ObjectId = $identityNamePrincipalId
RoleDefinitionName = $networkRoleDefName
Scope = '/subscriptions/' + $sub_id + '/resourceGroups/' + $res_group
}
New-AzRoleAssignment @parameters