How to enable users to stop/delete an AKS cluster

Zahid Makandar - TSS Consultancy 75 Reputation points
2024-07-24T09:39:06.0566667+00:00

Hi,

I have multiple AKS clusters running in a subscription, with multiple users having Contributor access on the subscription. I want only one particular user to have access to start, stop and delete the AKS clusters; while all other users have Contributor access, no other user should be able to start, stop or delete the cluster. How do I do that?

Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.

2 answers

  1. vipullag-MSFT 26,306 Reputation points
    2024-07-24T11:24:13.97+00:00

    Hello Zahid Makandar - TSS Consultancy,

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    By default, the "Contributor" role has the permission to start and stop AKS clusters. However, you can use Azure RBAC to create a custom role that includes only the permissions you want to grant to the user, and then assign that custom role to the user. This allows you to grant more granular permissions to the user while still preventing other users with the "Contributor" role from starting or stopping AKS clusters.

    For example, you can create a custom role that includes only the "Microsoft.ContainerService/managedClusters/start/action" and "Microsoft.ContainerService/managedClusters/stop/action" actions, and then assign that role to the user you want to grant the permission to. This will allow the user to start and stop AKS clusters, but not delete them or perform other actions that are included in the "Contributor" role.

    To prevent other users with the "Contributor" role from stopping or deleting AKS clusters, you can use Azure RBAC to deny those actions to the "Contributor" role.

    Ref: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/containers#microsoftcontainerservice

    {
      "Name": "AKS Cluster Operator",
      "IsCustom": true,
      "Description": "Can start, stop, and delete AKS clusters",
      "Actions": [
        "Microsoft.ContainerService/managedClusters/start/action",
        "Microsoft.ContainerService/managedClusters/stop/action",
        "Microsoft.ContainerService/managedClusters/delete"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": ["/subscriptions/<subscription-id>"]
    }


    Hope this helps.


  2. akinbade abiola 16,480 Reputation points
    2024-07-25T07:26:37.9966667+00:00

    Hello Zahid Makandar - TSS Consultancy,

    Thanks for your question.

    To grant specific permissions for starting, stopping, and deleting AKS clusters to a particular user while preventing other users with Contributor access from performing these actions, you can use Role-Based Access Control (RBAC) and custom roles.

    To create a custom role, you can copy the default Contributor definition. An example is below; remember to edit it to your own preference and test:

    # Cloned from the built-in Contributor role: keep its own NotActions (so the role
    # still cannot create or change role assignments) and add the AKS lifecycle actions.
    az role definition create --role-definition '{
      "Name": "test Contributor",
      "Description": "Contributor without AKS cluster management permissions",
      "AssignableScopes": ["/subscriptions/<subscription-id>"],
      "Actions": [
        "*"
      ],
      "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.ContainerService/managedClusters/start/action",
        "Microsoft.ContainerService/managedClusters/stop/action",
        "Microsoft.ContainerService/managedClusters/delete"
      ],
      "DataActions": [],
      "NotDataActions": []
    }'


    After the above, you can then assign it.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola

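Both answers rely on how Azure RBAC evaluates a custom role: an action is granted when some entry in Actions matches it and no entry in NotActions does, wildcards match any run of characters, and when a principal holds several assignments the permissions are unioned (NotActions is a subtraction from that one role, not a deny). The script below is an added example written for this page, not code from either answer or from Microsoft; it models those documented rules in a small matcher and audits the two role shapes discussed above. The action names are real Azure operation names; the Contributor guardrail entries are the authorization-related NotActions the built-in Contributor role carries, reproduced here for comparison. It shows the three things a practitioner should check before shipping such a role: that a role whose Actions is "*" and whose NotActions list only the three AKS operations still grants Microsoft.Authorization/roleAssignments/write (so a holder can assign themselves a role that has the AKS actions back), that stop/delete remain reachable indirectly through managedClusters/write and resourceGroups/delete, and that a second Contributor assignment anywhere in scope re-grants what NotActions removed.

```python
"""Model Azure RBAC control-plane evaluation (Actions minus NotActions, union across
assignments) and check what the custom roles proposed in the answers really allow.
Added example; the matcher is a simplified model of the documented wildcard rules."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


def matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard: '*' matches any run of characters (including '/'),
    and operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, action: str) -> bool:
    """One role grants an action if some Actions entry matches and no NotActions entry does."""
    if not any(matches(p, action) for p in role.actions):
        return False
    return not any(matches(p, action) for p in role.not_actions)


def effective_allow(assigned: List[RoleDefinition], action: str) -> bool:
    """Across several assignments Azure takes the union; NotActions never deny."""
    return any(role_allows(r, action) for r in assigned)


AKS_START = "Microsoft.ContainerService/managedClusters/start/action"
AKS_STOP = "Microsoft.ContainerService/managedClusters/stop/action"
AKS_DELETE = "Microsoft.ContainerService/managedClusters/delete"
AKS_READ = "Microsoft.ContainerService/managedClusters/read"
AKS_WRITE = "Microsoft.ContainerService/managedClusters/write"
RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Role shape from the first answer: only the three AKS lifecycle actions.
AKS_CLUSTER_OPERATOR = RoleDefinition(
    "AKS Cluster Operator", [AKS_START, AKS_STOP, AKS_DELETE])

# '*' with only the three AKS operations subtracted: far broader than Contributor.
STAR_MINUS_AKS = RoleDefinition(
    "test Contributor (no guardrails)", ["*"], [AKS_START, AKS_STOP, AKS_DELETE])

# Authorization-related NotActions of the built-in Contributor role; these are what
# keep a Contributor from handing out roles. Listed here for comparison.
CONTRIBUTOR_GUARDRAILS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
]
CONTRIBUTOR_LIKE = RoleDefinition("Contributor", ["*"], CONTRIBUTOR_GUARDRAILS)


def audit(role: RoleDefinition) -> Dict[str, bool]:
    """Which of the security-relevant actions a single role grants."""
    checks = {
        "aks_start": AKS_START, "aks_stop": AKS_STOP, "aks_delete": AKS_DELETE,
        "aks_read": AKS_READ, "aks_write": AKS_WRITE,
        "resource_group_delete": RG_DELETE,
        "role_assignments_write": ROLE_ASSIGN_WRITE,
    }
    return {key: role_allows(role, action) for key, action in checks.items()}


if __name__ == "__main__":
    for role in (AKS_CLUSTER_OPERATOR, STAR_MINUS_AKS, CONTRIBUTOR_LIKE):
        print(role.name, audit(role))
    # A second assignment re-grants what the first role's NotActions subtracted.
    print("stop with both roles:",
          effective_allow([STAR_MINUS_AKS, CONTRIBUTOR_LIKE], AKS_STOP))
```

Run it as-is; the audit of the start/stop/delete-only role also shows that it grants no managedClusters/read, so its holder cannot list or view the cluster unless another assignment (such as Reader) supplies that. Whatever restriction you settle on, verify the effective permissions of a real principal with the portal's "Check access" or `az role assignment list --assignee <principal> --all` rather than reasoning from a single role definition.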
