RBAC permission to create and restore snapshots

Question

RBAC permission to create and restore snapshots

First Last 106

I have a non-Global admin user who needs to create and restore snapshots on a specific Azure VM. I don't want this user to have rights on a whole resource group or to be Global Admin. Tried the following RBAC roles:

VM Administrator Login on the VM. Problem: no rights to go the VM disk menu to create a snapshot.
Now added VM Contributor to the disk. User can now see the disk and click create snapshot. New problem: user cannot select a proper resource group or any resource group when creating a snapshot.
Now added Disk Snapshot Contributor to the subscription. User can now select the resource group when creating a snapshot. New problem: when walking through all 'create snapshot' steps, during validation it fails with client 'does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

I've read many articles that say just add VM admin or Snapshot contributor and GG EZ, but most assume you want someone to have permission to a whole resource group or subscription. I try to narrow down the permissions as much as possible but I'm running from one permission problem to another for a very simple request. It really tempts me to just make the user Global Admin and call it day but I obviously don't want to do this. Why does Microsoft makes this so cumbersome?

Either way, what permissions do I need to apply so the user can create snapshots to a specific VM and only on that VM?

Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2023-09-19T12:27:14.6633333+00:00

Hi @First Last

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2023-09-19T12:27:14.6633333+00:00

Hi @First Last

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

Hi, First

You will have to create your own Custom Role and assign it to the Resource Group.

{
  "Name": "Snapshot Creator",
  "IsCustom": true,
  "Description": "Allows users to create snapshots for a specific VM.",
  "Actions": [
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/virtualMachines/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

You could start with the Disk Snapshot Creator role as a base, then add the, Microsoft.Resources/deployments/validate/action action to it, and the Resource Group read role to it*,* and tweak it for your needs*.*

First Last 106 Reputation points

2023-09-15T14:25:48.53+00:00

Thanks. I started with Disk Snapshot Creator as base and added Microsoft.Resources/deployments/validate/action action. Not sure what you mean by this: "and the Resource Group read role to it*". Do you mean the scope by that? Either way, I've tested the base + validate permission and applied it to my whole subscription for testing purposes but it still doesn't work. See error below.

I honestly don't understand what the use case for all these baked in roles is when they don't work anyway. Like, what is the use for, for example the Disk Snapshot Creator role when someone what that role applied to them can't create disk snapshots? :S I'm seriously considering just throwing in the towel and make my user Global Admin.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-09-15T19:55:25.7833333+00:00

You need to assign Microsoft.Resource/deployment/write to the custom role, the error messages indicate which permissions they are missing and you can add it into your custom role as required.

First Last 106

Thanks for your additional comment. You are right, the error message is very clear. Following up, I became a bit more knowledgeable with these error messages and using the JSON editor which helped me solved this issue. I also had to add a bunch of other permissions for the initial problem and for a feature not mentioned in my initial start post, that is: creating managed disks from the snapshot, swapping OS disk and cleaning up everything after maintenance (snapshot + disk). Below is what I ended up using, unfortunately I could only apply this to the resource group since applying it to the VM itself wasn't enough.

(i have omitted the top of the JSON code as it contained our subscription info)

"permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/read",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/disks/beginGetAccess/action",
                    "Microsoft.Compute/disks/delete",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/disks/write",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/delete",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Resources/deployments/write",
                    "Microsoft.Resources/deployments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-09-18T18:44:19.26+00:00

Looks good! Yeah, you would need to assign it to the Resource Group so that it had permissions to create the disks, etc.

Share via

RBAC permission to create and restore snapshots

1 answer

Your answer