Creating a Custom Role in Microsoft Azure

The Azure built-in role "Reader" may not have required permissions for Cloudaware, for example, it has no default access to the Storage Account keys which are required for collecting data about VHDs, therefore a custom role should be created.

Custom Role For Storage Account Keys Access

You need to have Owner or User Access Administrator permissions to create custom roles.

1. In the Azure portal, open a subscription or a resource group where a custom role is to be assigned to.

2. Open 'Access control (IAM)'. Click Add → Add custom role. Name the role CloudAware Custom Policy.

3. Select one of the following options to proceed:

a) 'Start from scratch'. Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action in the Search for a permission box to select Microsoft Storage. Check the box near the permission. Click Add.

The permission Microsoft.Storage/storageAccounts/listKeys/action grants 'read' access to Storage Account Keys.

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required for this custom role as well.

b) 'Start from JSON'. Use the JSON template below. Fill your subscription id in the {subscription_id} field.

CODE

{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

c) 'Clone a role'. Select one* of the existing roles.

*Commonly used Azure built-in roles:

Built-in Role	ID
Reader	`acdd72a7-3385-48ef-bd42-f606fba81ae7`
Contributor	`b24988ac-6180-42a0-ab88-20f7382dd24c`
Virtual Machine Contributor	`d73bb868-a0df-4d4d-bd69-98a00b01fccb`
Virtual Network Contributor	`b34d265f-36f7-4a0d-a4d4-e158ca92e90f`
Storage Account Contributor	`86e8f5dc-a6e9-4c67-9d15-de283e8eac25`
Web Plan Contributor	`2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b`
SQL server Contributor	`6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437`
SQL DB Contributor	`9b7fa17d-e63e-47b0-bb0a-15c516ac86ec`

Open the tab 'JSON' to check and modify the permissions (see 3 a) if necessary. The JSON body of the existing role should look like in the template below:

CODE

{
  "name": "{your-existing-Role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}",
     "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}"
  ],
  "RoleName": "{your-Role-name}",
  "RoleType": "CustomRole",
  "type": "Microsoft.Authorization/RoleDefinitions"
}

Replace {your-existing-Role-definition-id} with your role definition id. In the section "AssignableScopes" add the string "/subscriptions/{subscription-id}" with your {subscription-id}.

4. Assign the custom role to a user in case you are adding a Native application, or to the application in case you are adding a Web app/API.

Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place.

5. Open the tab 'Review + Create'. Check the role details and click Create.

Custom Role For Tagging

Another use case for creating a custom role is a necessity to provide Cloudaware with minimum permissions for tagging Azure resources.

CODE

"properties": {
        "roleName": "{your-Role-name}",
        "description": "{your-Role-description}",
        "assignableScopes": [
            "/subscriptions/{subscription-id}",
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/tagNames/read",
                    "Microsoft.Resources/subscriptions/tagNames/write",
                    "Microsoft.Resources/subscriptions/tagNames/delete",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/read",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/write",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/delete",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/delete",
                    "Microsoft.Resources/tags/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }

Replace {your-Role-name}, {your-Role-description} and {subscription-id} with corresponding values from your Azure environment.

Update an Existing Cloudaware Custom Policy

Cloudaware may regularly introduce new capabilities which require addition of new actions and permissions. In cases a Cloudaware custom role already exists, you can update this role without updating it for every subscription. If updating an existing Cloudaware Custom Policy role is required, your Technical Account manager will provide you with instructions on how to perform this action.

Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and time when this role becomes available.