RBAC permission to create and restore snapshots

First Last 106 Reputation points
2023-09-13T13:09:20.6866667+00:00

I have a non-Global Admin user who needs to create and restore snapshots on a specific Azure VM. I don't want this user to have rights on a whole resource group or to be Global Admin. Tried the following RBAC roles:

  • VM Administrator Login on the VM. Problem: no rights to go to the VM disk menu to create a snapshot.
  • Now added VM Contributor to the disk. User can now see the disk and click create snapshot. New problem: user cannot select a proper resource group, or any resource group, when creating a snapshot.
  • Now added Disk Snapshot Contributor to the subscription. User can now select the resource group when creating a snapshot. New problem: when walking through all 'create snapshot' steps, validation fails with "client ... does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action'".

I've read many articles that say just add VM admin or Snapshot Contributor and GG EZ, but most assume you want someone to have permission to a whole resource group or subscription. I'm trying to narrow down the permissions as much as possible, but I'm running from one permission problem to another for a very simple request. It really tempts me to just make the user Global Admin and call it a day, but I obviously don't want to do this. Why does Microsoft make this so cumbersome?

Either way, what permissions do I need to apply so the user can create snapshots of a specific VM, and only on that VM?

Azure Virtual Machines

1 answer

  1. Luke Murray 11,436 Reputation points MVP Volunteer Moderator
    2023-09-13T23:23:53.8733333+00:00

    Hi, First

    You will have to create your own Custom Role and assign it to the Resource Group.

    {
      "Name": "Snapshot Creator",
      "IsCustom": true,
      "Description": "Allows users to create snapshots for a specific VM.",
      "Actions": [
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}"
      ]
    }


    You could start with the Disk Snapshot Creator role as a base, then add the Microsoft.Resources/deployments/validate/action action to it, and the Resource Group read role to it, and tweak it for your needs.

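Editor's note, added example (not code from the question or the answer above): before pushing a custom role to Azure it is worth pre-flighting it offline, both for the actions the portal flow needs and for the scope the assignment will land at. The script below models Azure RBAC's action matching (case-insensitive, `*` spans `/`, NotActions subtract from Actions) and scope inheritance, builds the role the answer describes, and emits the `az` CLI commands as strings rather than running them. The subscription id, resource group, disk and snapshot names and the principal object id are placeholders; REQUIRED_ACTIONS is compiled from the thread (the two actions in the posted role, the two the answer says to add) plus `Microsoft.Compute/disks/read`, which is this example's assumption about reading the source disk and is not stated on the page.

```python
"""Pre-flight a least-privilege custom role for creating VM disk snapshots.

Added example: offline model of Azure RBAC action/scope evaluation plus a
role builder. All ids and names below are placeholders, not real resources.
"""
import fnmatch
import json

# Assumption: compiled from the thread, plus disks/read for the source disk.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",                 # in the posted role
    "Microsoft.Compute/snapshots/write",                      # in the posted role
    "Microsoft.Resources/deployments/validate/action",        # the failing action
    "Microsoft.Resources/subscriptions/resourceGroups/read",  # "Resource Group read"
    "Microsoft.Compute/disks/read",                           # assumption: read source disk
]


def action_matches(pattern: str, action: str) -> bool:
    """RBAC action matching: case-insensitive; '*' spans any characters,
    including '/', so 'Microsoft.Compute/*' covers every Compute action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """Allowed when some Actions entry matches and no NotActions entry does."""
    if not any(action_matches(p, action) for p in role.get("Actions", [])):
        return False
    return not any(action_matches(p, action) for p in role.get("NotActions", []))


def missing_actions(role: dict, required=REQUIRED_ACTIONS) -> list:
    """Required actions the role does not grant, in REQUIRED_ACTIONS order."""
    return [a for a in required if not role_allows(role, a)]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment grants on its scope and on every resource beneath it."""
    s, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def permitted(assignments, action: str, resource_id: str) -> bool:
    """assignments: iterable of (role, scope). Any matching pair grants access."""
    return any(scope_covers(scope, resource_id) and role_allows(role, action)
               for role, scope in assignments)


def build_role(name: str, subscription_id: str, resource_group: str) -> dict:
    """Custom role in the az CLI JSON shape, assignable only to one resource group."""
    rg_scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Create snapshots of VM disks in one resource group.",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [rg_scope],  # a custom role needs at least one scope
    }


def validate_role(role: dict) -> list:
    """Human-readable problems with the definition; empty list means usable."""
    problems = []
    if not role.get("Name"):
        problems.append("Name is empty")
    if not role.get("AssignableScopes"):
        problems.append("AssignableScopes is empty; Azure rejects a custom role with none")
    for a in role.get("Actions", []):
        if "/" not in a or a.startswith("/"):
            problems.append(f"malformed action: {a!r}")
    return problems


def az_commands(role: dict, principal_object_id: str, scope: str,
                path: str = "snapshot-creator.json") -> list:
    """az CLI commands to create the role and assign it; returned, not executed."""
    return [
        f"az role definition create --role-definition @{path}",
        f"az role assignment create --assignee-object-id {principal_object_id} "
        f"--assignee-principal-type User --role \"{role['Name']}\" --scope {scope}",
    ]


if __name__ == "__main__":
    SUB, RG = "00000000-0000-0000-0000-000000000000", "rg-prod-vm"  # placeholders
    posted = {"Actions": ["Microsoft.Compute/snapshots/write",
                          "Microsoft.Compute/virtualMachines/read"],
              "NotActions": [], "AssignableScopes": []}
    print("posted role is missing:", missing_actions(posted))
    print("posted role problems:  ", validate_role(posted))
    role = build_role("Snapshot Creator", SUB, RG)
    rg = role["AssignableScopes"][0]
    disk = f"{rg}/providers/Microsoft.Compute/disks/vm1_OsDisk"
    snap = f"{rg}/providers/Microsoft.Compute/snapshots/vm1-snap"
    # Assigned only on the disk, the role cannot create the snapshot: the
    # snapshot is a new resource under the resource group, not under the disk.
    print("at disk scope:", permitted([(role, disk)], "Microsoft.Compute/snapshots/write", snap))
    print("at RG scope:  ", permitted([(role, rg)], "Microsoft.Compute/snapshots/write", snap))
    print(json.dumps(role, indent=2))
    print("\n".join(az_commands(role, "<user-object-id>", rg)))
```

Running the script shows why the posted role fails validation as-is (no assignable scope) and which actions it lacks, and why assigning even a complete role at the disk does not let the user create a snapshot in the resource group. Save the printed JSON to `snapshot-creator.json` and run the two emitted `az` commands from an account that can create role definitions and assignments at that resource group.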