Monday, August 31, 2020

Create a Custom Role in Azure using Azure CLI


Azure provides various built-in roles, such as Owner, Reader, Contributor, Monitoring Contributor and Log Analytics Contributor, that can be used as business needs require. In certain scenarios, however, you may need to restrict a user further, and for that you create a custom role with only the required privileges.

Here we discuss how to create a custom role and use it.

To achieve this, I've used the following JSON template. It creates a role with reader permission along with permission to start and stop virtual machines. The file name is CustomRole.json.

{
   "Name":"CloudPipers Custom Virtual Machine Role",
   "Description":"Lets you view everything and stop virtual machine instances.",
   "Actions":[
      "*/read",
      "Microsoft.Compute/virtualMachines/powerOff/action",
      "Microsoft.Compute/virtualMachines/start/action"
   ],
   "NotActions":[],
   "DataActions": [],
   "NotDataActions": [],
   "AssignableScopes":[
      "/subscriptions/765354b4d-e2aa-4e1d-a447-2abef1a755ed"
   ]
}

Use the following PowerShell or Azure CLI commands for this purpose.

# PowerShell: sign in (enter your user name and password when prompted)
Connect-AzAccount

# Create a new custom role which has Reader rights plus virtual machine stop and start rights
New-AzRoleDefinition -InputFile "C:\Roles\CustomRole.json"

# Azure CLI equivalent (sign in first with az login)
az role definition create --role-definition "C:\Roles\CustomRole.json"

Once the role is created, refer to the image definition.png below.

definition.png

Now open the Azure portal, choose any resource, go to IAM -> Roles -> Name and search for the role “cloudPipers custom virtual machine”.

You can follow the images IAM.png and customRole.png below for reference:

 CustomRole.png

The screenshot above shows a custom role that has read and start/stop permissions only. To assign it, go to IAM -> Add -> Add role assignment and select the role that was just created; refer to add-assignment.png below.


The next time the user admin kalia logs in to the Azure portal, the user will be able to perform only start and stop operations on virtual machines.
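To check offline what the role definition above permits before creating or assigning it, here is an added example (not code from the original post) that applies Azure RBAC's rule of Actions minus NotActions with case-insensitive `*` wildcards. The embedded JSON is a constructed copy of the page's CustomRole.json, and the list of sample operations and the function names are assumptions chosen for this example.

```python
import json
import re

# Constructed copy of the page's CustomRole.json (Description and data-action fields omitted).
ROLE = json.loads("""
{
  "Name": "CloudPipers Custom Virtual Machine Role",
  "Actions": [
    "*/read",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/765354b4d-e2aa-4e1d-a447-2abef1a755ed"]
}
""")

# Operations to test; chosen for this example, not taken from the page.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]

def matches(pattern, operation):
    """Azure RBAC patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Control-plane check: granted by Actions and not removed by NotActions."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def broad_wildcards(role):
    """Actions whose wildcard grants more than read access."""
    return [a for a in role.get("Actions", [])
            if "*" in a and not a.lower().endswith("/read")]

if __name__ == "__main__":
    for op in SAMPLE_OPERATIONS:
        print("ALLOW" if is_allowed(ROLE, op) else "DENY ", op)
    print("broad wildcards:", broad_wildcards(ROLE) or "none")
```

The role allows powerOff but not deallocate, so a virtual machine stopped through this role remains allocated. The `*/read` entry grants read on every resource type in scope, while key-listing operations that are exposed as `/action` stay denied.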


I hope it will help you create a custom role and assign it in an easy manner.

There are some built-in roles that you can find here:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles


For more video demonstrations, kindly visit my YouTube channel

*******CloudPipers******