Редагувати

Поділитися через


How to use permissions in Azure Spring Apps

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.

This article applies to: ✔️ Basic/Standard ✔️ Enterprise

This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. Custom roles extend Azure built-in roles with various stock permissions.

We'll implement the following custom roles.

  • Developer role:

    • Deploy
    • Test
    • Restart apps
    • Apply and make changes to app configurations in the Git repository
    • Get log streams
  • DevOps Engineer role:

    • Create, read, update, and delete everything in Azure Spring Apps
  • Ops - Site Reliability Engineering role:

    • Restart apps
    • Get log streams
    • Can't make changes to apps or configurations
  • Azure Pipelines / Jenkins / GitHub Actions role:

    • Perform create, read, update, and delete operations
    • Use Terraform or ARM templates to create and configure everything in Azure Spring Apps and apps within a service instance: Azure Pipelines, Jenkins, and GitHub Actions

Define the Developer role

The Developer role includes permissions to restart apps and see their log streams. This role can't make changes to apps or configurations.

  1. In the Azure portal, open the subscription where you want to assign the custom role.

  2. Open Access control (IAM).

  3. Select Add.

  4. Select Add custom role.

  5. Select Next:

    Screenshot that shows the Basics tab of the Create a custom role window.

  6. Select Add permissions:

    Screenshot that shows the Add permissions button.

  7. In the search box, search for Microsoft.app. Select Microsoft Azure Spring Apps:

    Screenshot of the Azure portal that shows the Add permissions page search results with Microsoft Azure Spring Apps highlighted.

  8. Select the permissions for the Developer role.

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : List Azure Spring Apps service instance test keys

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices, select:

    • Read : Read Microsoft Azure Spring Apps Build Services
    • Other : Get an Upload URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds, select:

    • Read : Read Microsoft Azure Spring Apps Builds
    • Write : Write Microsoft Azure Spring Apps Builds

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds/results, select:

    • Read : Read Microsoft Azure Spring Apps Build Results
    • Other : Get an Log File URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders, select:

    • Read : Read Microsoft Azure Spring Apps Builders
    • Write : Write Microsoft Azure Spring Apps Builders
    • Delete : Delete Microsoft Azure Spring Apps Builders

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings, select:

    • Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding
    • Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding
    • Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Buildpacks

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedStacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Stacks

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Read : Read Microsoft Azure Spring Apps application
    • Other : Get Microsoft Azure Spring Apps application resource upload URL

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Read : Read Microsoft Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Microsoft Azure Spring Apps application deployment
    • Read : Read Microsoft Azure Spring Apps application deployment
    • Other : Start Microsoft Azure Spring Apps application deployment
    • Other : Stop Microsoft Azure Spring Apps application deployment
    • Other : Restart Microsoft Azure Spring Apps application deployment
    • Other : Get Microsoft Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/domains, select:

    • Read : Read Microsoft Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/certificates, select:

    • Read : Read Microsoft Azure Spring Apps certificate

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Screenshot of Azure portal that shows the selections for Developer permissions.

  9. Select Add.

  10. Review the permissions.

  11. Select Review and create.

Define the DevOps Engineer role

This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps.

  1. Repeat steps 1 through 4 in the procedure for adding the Developer role.

  2. Select the permissions for the DevOps Engineer role:

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Delete : Delete Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : Enable Azure Spring Apps service instance test endpoint
    • Other : Disable Azure Spring Apps service instance test endpoint
    • Other : List Azure Spring Apps service instance test keys
    • Other : Regenerate Azure Spring Apps service instance test key

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices, select:

    • Read : Read Microsoft Azure Spring Apps Build Services
    • Other : Get an Upload URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/agentPools, select:

    • Read : Read Microsoft Azure Spring Apps Agent Pools
    • Write : Write Microsoft Azure Spring Apps Agent Pools

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds, select:

    • Read : Read Microsoft Azure Spring Apps Builds
    • Write : Write Microsoft Azure Spring Apps Builds

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds/results, select:

    • Read : Read Microsoft Azure Spring Apps Build Results
    • Other : Get an Log File URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders, select:

    • Read : Read Microsoft Azure Spring Apps Builders
    • Write : Write Microsoft Azure Spring Apps Builders
    • Delete : Delete Microsoft Azure Spring Apps Builders

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings, select:

    • Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding
    • Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding
    • Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Buildpacks

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedStacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Stacks

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Write : Write Microsoft Azure Spring Apps application
    • Delete : Delete Microsoft Azure Spring Apps application
    • Read : Read Microsoft Azure Spring Apps application
    • Other : Get Microsoft Azure Spring Apps application resource upload URL
    • Other : Validate Microsoft Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Write : Write Microsoft Azure Spring Apps application binding
    • Delete : Delete Microsoft Azure Spring Apps application binding
    • Read : Read Microsoft Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Microsoft Azure Spring Apps application deployment
    • Delete : Delete Azure Spring Apps application deployment
    • Read : Read Microsoft Azure Spring Apps application deployment
    • Other : Start Microsoft Azure Spring Apps application deployment
    • Other : Stop Microsoft Azure Spring Apps application deployment
    • Other : Restart Microsoft Azure Spring Apps application deployment
    • Other : Get Microsoft Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:

    • Read : List application deployment available skus

    Under Microsoft.AppPlatform/locations, select:

    • Other : Check name availability

    Under Microsoft.AppPlatform/locations/operationResults/Spring select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Under Microsoft.AppPlatform/skus, select:

    • Read : List available skus

    Screenshot of Azure portal that shows the selections for DevOps permissions.

  3. Select Add.

  4. Review the permissions.

  5. Select Review and create.

Define the Ops - Site Reliability Engineering role

This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps.

  1. Repeat steps 1 through 4 from the procedure for adding the Developer role.

  2. Select the permissions for the Ops - Site Reliability Engineering role:

    Under Microsoft.AppPlatform/Spring, select:

    • Read : Get Azure Spring Apps service instance
    • Other : List Azure Spring Apps service instance test keys

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Read : Read Microsoft Azure Spring Apps application

    Under Microsoft.AppPlatform/apps/deployments, select:

    • Read : Read Microsoft Azure Spring Apps application deployment
    • Other : Start Microsoft Azure Spring Apps application deployment
    • Other : Stop Microsoft Azure Spring Apps application deployment
    • Other : Restart Microsoft Azure Spring Apps application deployment

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Screenshot of Azure portal that shows the selections for Ops - Site Reliability Engineering permissions.

  3. Select Add.

  4. Review the permissions.

  5. Select Review and create.

Define the Azure Pipelines / Jenkins / GitHub Actions role

This role can create and configure everything in Azure Spring Apps and apps with a service instance. This role is for releasing or deploying code.

  1. Repeat steps 1 through 4 from the procedure for adding the Developer role.

  2. Open the Permissions options.

  3. Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role:

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Delete : Delete Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : Enable Azure Spring Apps service instance test endpoint
    • Other : Disable Azure Spring Apps service instance test endpoint
    • Other : List Azure Spring Apps service instance test keys
    • Other : Regenerate Azure Spring Apps service instance test key

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices, select:

    • Read : Read Microsoft Azure Spring Apps Build Services
    • Other : Get an Upload URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds, select:

    • Read : Read Microsoft Azure Spring Apps Builds
    • Write : Write Microsoft Azure Spring Apps Builds

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builds/results, select:

    • Read : Read Microsoft Azure Spring Apps Build Results
    • Other : Get an Log File URL in Azure Spring Apps

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders, select:

    • Read : Read Microsoft Azure Spring Apps Builders
    • Write : Write Microsoft Azure Spring Apps Builders
    • Delete : Delete Microsoft Azure Spring Apps Builders

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings, select:

    • Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding
    • Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding
    • Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Buildpacks

    (For Enterprise plan only) Under Microsoft.AppPlatform/Spring/buildServices/supportedStacks, select:

    • Read : Read Microsoft Azure Spring Apps Supported Stacks

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Write : Write Microsoft Azure Spring Apps application
    • Delete : Delete Microsoft Azure Spring Apps application
    • Read : Read Microsoft Azure Spring Apps application
    • Other : Get Microsoft Azure Spring Apps application resource upload URL
    • Other : Validate Microsoft Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Write : Write Microsoft Azure Spring Apps application binding
    • Delete : Delete Microsoft Azure Spring Apps application binding
    • Read : Read Microsoft Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Microsoft Azure Spring Apps application deployment
    • Delete : Delete Azure Spring Apps application deployment
    • Read : Read Microsoft Azure Spring Apps application deployment
    • Other : Start Microsoft Azure Spring Apps application deployment
    • Other : Stop Microsoft Azure Spring Apps application deployment
    • Other : Restart Microsoft Azure Spring Apps application deployment
    • Other : Get Microsoft Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:

    • Read : List application deployment available skus

    Under Microsoft.AppPlatform/locations, select:

    • Other : Check name availability

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Under Microsoft.AppPlatform/skus, select:

    • Read : List available skus

    Screenshot of Azure portal that shows the selections for Azure Pipelines / Jenkins / GitHub Actions permissions.

  4. Select Add.

  5. Review the permissions.

  6. Select Review and create.

Next steps

For more information about three methods that define custom permissions, see: