Hello Zahid Makandar - TSS Consultancy,
Welcome to the Microsoft Q&A Platform, and thanks for posting your query here.
By default, the "Contributor" role has the permission to start and stop AKS clusters. However, you can use Azure RBAC to create a custom role that includes only the permissions you want to grant to the user, and then assign that custom role to the user. This allows you to grant more granular permissions to the user while still preventing other users with the "Contributor" role from starting or stopping AKS clusters.
For example, you can create a custom role that includes only the "Microsoft.ContainerService/managedClusters/start/action" and "Microsoft.ContainerService/managedClusters/stop/action" actions, and then assign that role to the user you want to grant the permission to. This will allow the user to start and stop AKS clusters, but not delete them or perform other actions that are included in the "Contributor" role.
To prevent other users with the "Contributor" role from stopping or deleting AKS clusters, you can use Azure RBAC to deny those actions to the "Contributor" role.
```json
{
  "Name": "AKS Cluster Operator",
  "IsCustom": true,
  "Description": "Can start, stop, and delete AKS clusters",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/start/action",
    "Microsoft.ContainerService/managedClusters/stop/action",
    "Microsoft.ContainerService/managedClusters/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```
Hope this helps.
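A pre-deployment check for a custom role like the one in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it compares the role's `Actions` and `NotActions` with the operations the role is meant to grant and reports anything extra, including operations reachable through a wildcard. `INTENDED`, `WATCH_LIST`, `is_granted` and `audit_role` are names made up for this example, the scope is a placeholder, and the wildcard matching is a simplified approximation of how Azure evaluates action patterns.

```python
import json
from fnmatch import fnmatchcase

P = "Microsoft.ContainerService/managedClusters/"
# Assumption: the role should grant start/stop only; the watch list is this example's choice.
INTENDED = {P + "start/action", P + "stop/action"}
WATCH_LIST = [P + "delete", P + "write", P + "listClusterAdminCredential/action"]

# Constructed input: Actions copied from the answer's JSON, with a placeholder scope.
ROLE_JSON = """
{
  "Name": "AKS Cluster Operator",
  "IsCustom": true,
  "Actions": [
    "Microsoft.ContainerService/managedClusters/start/action",
    "Microsoft.ContainerService/managedClusters/stop/action",
    "Microsoft.ContainerService/managedClusters/delete"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}
"""

def is_granted(role, operation):
    """True if an Actions pattern matches and no NotActions pattern excludes it."""
    op = operation.lower()  # operation names are compared case-insensitively here
    hit = lambda key: any(fnmatchcase(op, p.lower()) for p in role.get(key, []))
    return hit("Actions") and not hit("NotActions")

def audit_role(role, intended=INTENDED, watch_list=WATCH_LIST):
    """Compare a role definition against the operations it was meant to grant."""
    wanted = {a.lower() for a in intended}
    actions = role.get("Actions", [])
    return {
        # Patterns that grant more than one operation and need manual review.
        "wildcards": [a for a in actions if "*" in a],
        # Explicit entries that are not part of the intended set.
        "unintended": [a for a in actions if "*" not in a and a.lower() not in wanted],
        # Watch-list operations the role effectively grants, wildcards included.
        "sensitive_granted": [op for op in watch_list
                              if op.lower() not in wanted and is_granted(role, op)],
        # Intended operations the role fails to grant.
        "missing": sorted(a for a in intended if not is_granted(role, a)),
    }

if __name__ == "__main__":
    print(json.dumps(audit_role(json.loads(ROLE_JSON)), indent=2))
```

Run against the constructed role, the report lists the `delete` operation under both `unintended` and `sensitive_granted`, which is the gap between a start/stop-only role and the `Actions` list shown.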