

Azure: Custom RBAC Role-Definition in your subscription

Requirements

Write a custom RBAC role definition that grants exactly the following, and nothing more:

  1. Allow the user to see all details of the virtual machines and to stop/start (and restart) them.
  2. Manage snapshots of the managed disks attached to the virtual machines.

Following are the steps to create a custom RBAC role definition that meets this requirement.

Steps

1. Understand the provider operations with 'Get-AzureRmProviderOperation'

Run the following PS cmdlets to list the operations the Microsoft.Compute provider exposes for virtual machines and snapshots. The trailing '*' is only a search wildcard here; the role we build below names each operation explicitly rather than granting 'Microsoft.Compute/virtualMachines/*'.

PS C:\Users\mphilip\Desktop\Azure> Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

PS C:\Users\mphilip\Desktop\Azure> Get-AzureRmProviderOperation "Microsoft.Compute/snapshots/*" | FT OperationName, Operation, Description -AutoSize

2. Build the required role actions

From the output of the above cmdlets we pick the minimal set of actions for the requirement (read and instance view for VM details, start/powerOff/restart for power control, and read/write/delete for snapshots):

Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete

3. Create the custom role definition

Following is the PowerShell script that creates the role definition. Save the lines in a .ps1 file. It clones the built-in "Virtual Machine Contributor" role as a template, replaces its Actions with the explicit list from step 2, and restricts the assignable scope to a single subscription.
Note: Please remember to substitute your own subscription id here: $role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")

# Clone the built-in role as a template; clearing Id makes New-AzureRmRoleDefinition create a new role
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Allow access to see all of the details for the virtual machines and allowing to stop/start.  Manage snapshots of the managed disks attached to the virtual machines"
# Drop every inherited action and add only the explicit operations from step 2
# (NotActions are inherited from the template too; check them if you clone a different role)
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/instanceView/read")
$role.Actions.Add("Microsoft.Compute/snapshots/read")
$role.Actions.Add("Microsoft.Compute/snapshots/write")
$role.Actions.Add("Microsoft.Compute/snapshots/delete")
# Limit where the role can be assigned: this subscription (or any scope inside it)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
New-AzureRmRoleDefinition -Role $role

4. Run the PS1 script in Azure PS

Connect to Azure from PowerShell (Connect-AzureRmAccount, then Select-AzureRmSubscription for the target subscription) and run the script. This creates a custom role definition named "Virtual Machine Operator" in the subscription.
Make sure the definition exists in the subscription, both from PS (Get-AzureRmRoleDefinition "Virtual Machine Operator") and in the Azure Portal:

http://cloudcompute.info/wp-content/uploads/2019/02/1-1-300x57.png

http://cloudcompute.info/wp-content/uploads/2019/02/2-1-207x300.png

5. Add Role Assignment to the required user

Go to Access control (IAM) of the required subscription (or, for tighter scoping, of the resource group that holds the VMs) and create a new assignment with 'Add role assignment'. Select the custom role from the 'Role' drop-down, pick the user, and save the changes.

http://cloudcompute.info/wp-content/uploads/2019/02/3-1-300x169.png

Now the user holds the new custom RBAC role. Verify it with a sign-in as that user: the VM blades should show details and allow Start/Stop/Restart, while actions outside the list (for example deleting a VM) should be refused.
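The five steps above can be finished and checked from PowerShell instead of the portal. The following is an added example, not a script from the original post: it reads back the role created in step 3, checks that no wildcard or unknown operations slipped in from the cloned template, assigns the role at resource-group scope (a narrower scope than the subscription, which the role's AssignableScopes still permit), and lists the resulting assignment. The subscription id, the resource group "rg-vm-ops" and the user "operator@contoso.com" are assumed placeholders. It uses the same AzureRm cmdlets as the post; on the newer Az module the cmdlets are named Get-AzRoleDefinition, Get-AzProviderOperation, New-AzRoleAssignment and Get-AzRoleAssignment with the same parameters.

```powershell
# Added example: audit the custom role and assign it at resource-group scope.
# Assumed placeholder values (not from the original post):
$subscriptionId = "11111111-1111-1111-1111-111111111111"   # substitute yours
$roleName       = "Virtual Machine Operator"
$resourceGroup  = "rg-vm-ops"                               # assumed
$principal      = "operator@contoso.com"                    # assumed

# 1. Read back the definition created in step 3 and show what it grants.
$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role) { throw "Role definition '$roleName' not found in the current subscription" }

"Actions:";     $role.Actions          | ForEach-Object { "  $_" }
"NotActions:";  $role.NotActions       | ForEach-Object { "  $_" }
"Scopes:";      $role.AssignableScopes | ForEach-Object { "  $_" }

# 2. Review checks before assigning: no wildcard actions (a cloned template
#    can carry 'Microsoft.Compute/*'), and every action is a real operation
#    the Microsoft.Compute provider exposes.
$wild = $role.Actions | Where-Object { $_.Contains('*') }
if ($wild) { throw "Wildcard actions present: $($wild -join ', ')" }

$known   = (Get-AzureRmProviderOperation "Microsoft.Compute/*").Operation
$unknown = $role.Actions | Where-Object { $known -notcontains $_ }
if ($unknown) { throw "Actions not exposed by the provider: $($unknown -join ', ')" }

# 3. Assign at resource-group scope rather than the whole subscription.
#    The resource group lies inside the role's assignable scope, so this is allowed.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzureRmRoleAssignment -SignInName $principal `
                          -RoleDefinitionName $roleName `
                          -Scope $scope

# 4. Confirm the assignment. Assignments inherited from the subscription
#    also appear here, so anything broader than the custom role stands out.
Get-AzureRmRoleAssignment -SignInName $principal -Scope $scope |
    Format-Table RoleDefinitionName, Scope -AutoSize
```

Run it in the same session used for step 4 (after Connect-AzureRmAccount and selecting the subscription). The two throw checks are the ones worth keeping in any role-definition script: a wildcard in Actions silently widens the role to operations added to the provider later, and an action string with a typo is accepted by New-AzureRmRoleDefinition but grants nothing, which shows up only as a confusing "forbidden" for the user.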