Damien

Reputation: 674

Other than Contributor, what Azure Role will allow the execution of Add-AzureRmAutoscaleSetting?

I have a PowerShell script that is used to deploy an Azure Cloud Service (Classic). Up until today, the app user was assigned a Contributor role. As part of tightening security, we are revoking this Contributor Role as it is too broad.

Part of the deployment process is to update the AutoScaling settings of the production slot using Add-AzureRmAutoscaleSetting:

Add-AzureRmAutoscaleSetting -Location "East US" -Name $scalingName -ResourceGroupName $resourceGroup -TargetResourceId $targetResourceId -AutoscaleProfile $autoscaleProfile

As the Azure User is no longer assigned the role of Contributor, this command now fails saying it is "Forbidden":

Add-AzureRmAutoscaleSetting : Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status code:Forbidden, Reason phrase: Forbidden
At C:\Path\AzureRMTools.psm1:131 char:5
+     Add-AzureRmAutoscaleSetting -Location "East US" -Name $scalingNam ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Add-AzureRmAutoscaleSetting], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.Autoscale.AddAzureRmAutoscaleSettingCommand

I have tried assigning the user many different Roles (Roles I think would have this permission), but none of them seem to have permission to allow me to execute this.

I would like to know which Role would contain this permission. If none, is it possible to create a new Role that will allow the execution of the command?

Thanks

Upvotes: 1

Views: 507

Answers (3)

Abby Gregory

Reputation: 1

To expand on the previous answers, here are the specific roles required when your AutoScale is tied to a Classic Cloud Service:

"Microsoft.Insights/AutoscaleSettings/Read",
"Microsoft.Insights/AutoscaleSettings/Write",
"Microsoft.ClassicCompute/domainNames/slots/roles/write",
"Microsoft.ClassicCompute/domainNames/slots/roles/read"

Upvotes: 0

4c74356b41

Reputation: 72171

Any role that allows Microsoft.insights/autoscalesettings/write over the scope you are interested in should work.

As well as permissions (write) on the resources you are trying to tie autoscale to.

Upvotes: 2

Damien

Reputation: 674

Thanks to @4c74356b41 for the nudge in the right direction.

There didn't seem to be any built-in Roles that contained the Microsoft.insights/autoscalesettings/write permission, so following this tutorial I created a new Role.

Here is the JSON file I created:

{
    "Name": "Microsoft Insights Contributor",
    "IsCustom": true,
    "Description": "Allows the creation, edition, and deletion of AutoScaling rules from Microsoft.Insights",
    "Actions": [
        "Microsoft.Insights/*",
        "Microsoft.ClassicCompute/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
    ]
}

Then execute the following to add it to your Azure subscription:

New-AzureRmRoleDefinition -InputFile '.\Microsoft Insights Contributor.json'

Hope this helps someone else.

Note: as I am working with Azure Cloud Services (Classic), I also needed permissions to some Microsoft.ClassicCompute resources.

Upvotes: 2
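
An added example, not part of any of the posts above: it compares the wildcard role from the last answer with a role built only from the four actions listed in Abby Gregory's answer, and writes the narrower definition to a file that New-AzureRmRoleDefinition can load. The role name, the function name Test-RoleActions and the file path are hypothetical, the subscription ID is the placeholder used above, and whether those four actions are sufficient is taken from that answer, not verified here.

```powershell
# Actions quoted from the answer above for autoscale on a Classic Cloud Service
$requiredActions = @(
    'Microsoft.Insights/AutoscaleSettings/Read',
    'Microsoft.Insights/AutoscaleSettings/Write',
    'Microsoft.ClassicCompute/domainNames/slots/roles/read',
    'Microsoft.ClassicCompute/domainNames/slots/roles/write'
)

# Hypothetical helper: reports wildcard grants and required actions not covered
function Test-RoleActions {
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [Parameter(Mandatory)] [string[]] $Required
    )
    # A '*' entry grants every operation under its prefix, including delete
    $wildcards = @($Actions | Where-Object { $_.Contains('*') })
    # -like is case-insensitive and honours '*', so it covers exact and wildcard grants
    $missing = @($Required | Where-Object {
        $req = $_
        -not ($Actions | Where-Object { $req -like $_ })
    })
    [pscustomobject]@{ Wildcards = $wildcards; Missing = $missing }
}

# The role from the answer above: everything is covered, but through two wildcards
Test-RoleActions -Actions 'Microsoft.Insights/*', 'Microsoft.ClassicCompute/*' -Required $requiredActions

# Narrower definition with the same JSON shape as the file shown above
$role = [ordered]@{
    Name             = 'Classic Cloud Service Autoscale Operator'   # hypothetical name
    IsCustom         = $true
    Description      = 'Read and write autoscale settings for Classic Cloud Service roles'
    Actions          = $requiredActions
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @('/subscriptions/00000000-0000-0000-0000-000000000000')  # placeholder
}

# Refuse to write the file if a wildcard slipped in or a required action is absent
$check = Test-RoleActions -Actions $role.Actions -Required $requiredActions
if ($check.Wildcards -or $check.Missing) { throw 'Role definition needs review' }

$role | ConvertTo-Json -Depth 3 | Set-Content -Path '.\AutoscaleOperator.json'
# Then, signed in to the subscription:
# New-AzureRmRoleDefinition -InputFile '.\AutoscaleOperator.json'
```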
