I had a requirement to write a custom RBAC policy with the following characteristics:
- Allow access to see all of the details of the virtual machines and allow stopping/starting them.
- Manage snapshots of the managed disks attached to the virtual machines.
Following are the steps I followed to create a custom RBAC policy to meet this requirement.
1. Understand the ‘AzureRMProviderOperation’ details
Run the following PS cmdlets to understand the operation details.
PS C:\Users\mphilip\Desktop\Azure> Get-AzureRMProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize
PS C:\Users\mphilip\Desktop\Azure> Get-AzureRMProviderOperation "Microsoft.Compute/snapshots/*" | FT OperationName, Operation, Description -AutoSize
2. Build the required role actions
From the above cmdlets I am able to get the Action details as below:
3. Create the custom role definition
Following is the PowerShell script I used to create the role definition. Save the lines in a PS1 file.
Note: Please remember to substitute your subscription id here: $role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Allow access to see all of the details for the virtual machines and allowing to stop/start. Manage snapshots of the managed disks attached to the virtual machines"
$role.Actions.Clear()
# Add each operation chosen in step 2, one call per operation: $role.Actions.Add("<operation>")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
New-AzureRmRoleDefinition -Role $role
4. Run the PS1 script in Azure PS
Connect to Azure from PowerShell and run the script. This will create a custom role definition named "Virtual Machine Operator" in your Azure subscription.
Make sure that the definition is created in your subscription as follows (from PS as well as the Azure Portal)
5. Add Role Assignment to the required user
Go to IAM of the required subscription and create a new assignment with 'Add Role Assignment'. Select the custom role from the 'Role' drop-down and save the changes.
Now the user is equipped with the new custom RBAC policy.
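
Steps 2 to 4 as one script, written as an added example and not the post's original script. The action list in $wanted and the helper name Get-ActionProblems are assumptions chosen to match the stated requirement; confirm each entry against the output of step 1 before use.

```powershell
# Added example (AzureRM module, as used in the post). Action list is an assumption.
$scope  = "/subscriptions/11111111-1111-1111-1111-111111111111"   # placeholder, substitute your own
$wanted = @(
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete"
)

# Hypothetical helper: returns one message per action that should not go into the role.
function Get-ActionProblems {
    param([string[]]$Actions)
    foreach ($action in $Actions) {
        # Wildcards silently pick up operations added to the provider later.
        if ($action.Contains("*")) { "wildcard not allowed: $action"; continue }
        # The requirement is start/stop only, so VM write/delete must never appear.
        if ($action -match '^Microsoft\.Compute/virtualMachines/(write|delete)$') {
            "VM modification not allowed: $action"; continue
        }
        # A mistyped operation string would otherwise be stored as a dead entry.
        if (-not (Get-AzureRmProviderOperation -OperationSearchString $action)) {
            "unknown operation: $action"
        }
    }
}

$problems = @(Get-ActionProblems -Actions $wanted)
if ($problems.Count -gt 0) { throw ("Refusing to create role: " + ($problems -join "; ")) }

$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "View virtual machines, start/stop them, and manage snapshots"
$role.Actions.Clear()        # drop everything inherited from Virtual Machine Contributor
$role.NotActions.Clear()
foreach ($action in $wanted) { $role.Actions.Add($action) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$created = New-AzureRmRoleDefinition -Role $role

# Confirm the stored definition holds exactly the intended actions, nothing more.
if (Compare-Object -ReferenceObject $wanted -DifferenceObject $created.Actions) {
    throw "Stored actions differ from the intended list"
}
$created | Format-List Name, IsCustom, Actions, NotActions, AssignableScopes
```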