Assign permissions on AKS MC_ RG automatically
Hello,
I'm the IT guy and we try to limit the access on our MSP environments (least privilege etc) and limit the cost. When someone in the company needs an AKS cluster for test purposes for a few days / weeks, we create a RG and set the needed permissions so that he can create an AKS cluster and then delete it when he no longer needs it.
The issue is that when the AKS cluster is created, a MC_ RG is being created and we need to set additional permissions on it (e.g. the "Reader" permission).
We feel that it is time consuming and would like to know if there is a way to avoid this.
Is there any easy way to automate the permissions assignment? I guess we could create a Jenkins job which retrieves the existing MC_ RGs with Az CLI commands and assigns the permissions automatically, but I was wondering if there was an easier and cleaner way to do this.
Looks like "Azure Policy" can set permissions automatically even if it's not its real purpose, but it doesn't solve my issue because the MC_ RGs names are gonna change every time and looks like I cannot use variables and do "smart" things in Azure Policy.
We also could use an Event triggered Azure function but I find it very hard to maintain as I would like a non-time consuming solution which does not imply using a VS Code with the Azure extension and having to push every time to make a modification.
Maybe I'm looking on the wrong side and I could just tell my users to delete the node group in the AKS cluster so that it reduces the cost by 95%? They would then recreate it when needed.
What are your recommendations about my issue?
Many Thanks
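
The scheduled-job approach the question sketches (find the MC_ resource groups with Az CLI, then assign the role), as an added example that is not part of the original post. It assumes the principals to mirror are those with a direct role assignment on the cluster's own RG; the function names and the `ROLE` / `DRY_RUN` variables are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: give ROLE on each AKS node resource group (MC_*) to the
# principals that already hold a direct assignment on the cluster's own RG.
# Function names and the ROLE / DRY_RUN variables are hypothetical.
set -eu

ROLE="${ROLE:-Reader}"   # the role mentioned in the post

# One line per cluster: "<cluster RG> <node RG>" (RG names contain no spaces).
list_node_rgs() {
  az aks list --query "[].[resourceGroup, nodeResourceGroup]" -o tsv
}

# Object IDs assigned on the cluster RG. --include-inherited is left off so
# subscription-wide assignments are not copied down to the node RG.
rg_principals() {
  az role assignment list --resource-group "$1" \
    --query "[].principalId" -o tsv < /dev/null | sort -u
}

# True when the principal ($1) already has ROLE on the node RG ($2).
has_role() {
  [ -n "$(az role assignment list --resource-group "$2" --role "$ROLE" \
           --assignee "$1" --query "[0].id" -o tsv < /dev/null)" ]
}

# Prints one line per missing assignment; creates it only when DRY_RUN=0.
sync_node_rg_access() {
  list_node_rgs | while read -r cluster_rg node_rg; do
    [ -n "$node_rg" ] || continue
    for pid in $(rg_principals "$cluster_rg"); do
      has_role "$pid" "$node_rg" && continue
      if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would grant $ROLE on $node_rg to $pid"
      else
        az role assignment create --assignee-object-id "$pid" \
          --role "$ROLE" --resource-group "$node_rg" --output none < /dev/null
        echo "granted $ROLE on $node_rg to $pid"
      fi
    done
  done
}

# Run from the scheduler as: ./sync-mc-rg.sh --run   (after `az login`)
if [ "${1:-}" = "--run" ]; then sync_node_rg_access; fi
```

The default is a dry run, so the job's first executions only log what would be granted; set `DRY_RUN=0` once the output matches expectations.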