Working in a secure customer environment, we had a requirement for custom RBAC roles for a private AKS cluster deployment. The steps below create a least-privilege custom role, update it and assign it.
- Create the role definition JSON as per the requirement

```json
{
  "Name": "Network Reader",
  "IsCustom": true,
  "Description": "Can read Network Properties.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription Id>"
  ]
}
```
- Deploy the role definition to Azure

```bash
az role definition create --role-definition ~/roles/vmoperator.json
```

- Update the role definition if required

```json
{
  "Name": "Network Reader",
  "IsCustom": true,
  "Description": "Can read and join Network",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/d3819925-7e44-4f5f-8733-1067beaa45ec"
  ]
}
```

- Deploy the updated role definition

```bash
az role definition update --role-definition amlnetwork.json
```

- Assign the role definition

```bash
az role assignment create --assignee <client id> --scope "<resourceid>" --role "Network Reader"
```
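Before handing a definition like the ones above to `az role definition create` or `update`, a pre-deployment lint catches over-broad grants (wildcard actions, tenant-root assignable scopes) and tells a reviewer exactly which actions an update adds. This is an added example, not code from the original post or the Azure CLI; the approved action set and the sample definitions are constructed here, with a placeholder subscription id.

```python
"""Pre-deployment lint for an Azure custom role definition, as handed to
`az role definition create/update`. Added example: the approved action set
and the sample definitions below are constructed for this page."""
import re

# Custom roles should be assignable only at subscription or resource-group scope.
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$")
# Actions a Network Reader for a private AKS deployment legitimately needs.
APPROVED_ACTIONS = {
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
}

def lint_role(definition: dict, approved: set) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if definition.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    actions = definition.get("Actions", [])
    if not actions:
        findings.append("role grants no actions")
    for action in actions:
        if "*" in action:  # wildcards silently inherit every future operation
            findings.append(f"wildcard action not allowed: {action}")
        elif action not in approved:
            findings.append(f"action outside the approved set: {action}")
    scopes = definition.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if not SCOPE_RE.match(scope):
            findings.append(f"scope is not a subscription or resource group: {scope}")
    return findings

def diff_actions(old: dict, new: dict) -> tuple:
    """Actions added and removed by an update, for whoever reviews the change."""
    before, after = set(old.get("Actions", [])), set(new.get("Actions", []))
    return after - before, before - after

# Constructed samples mirroring the two role versions above; placeholder subscription id.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
V1 = {"Name": "Network Reader", "IsCustom": True, "NotActions": [],
      "Actions": ["Microsoft.Network/virtualNetworks/subnets/read"],
      "AssignableScopes": [SUB]}
V2 = dict(V1, Actions=sorted(APPROVED_ACTIONS))
BAD = dict(V1, Actions=["Microsoft.Network/*"], AssignableScopes=["/"])
if __name__ == "__main__":
    for name, role in (("v1", V1), ("v2", V2), ("bad", BAD)):
        print(name, lint_role(role, APPROVED_ACTIONS) or "ok")
    print("added/removed by update:", diff_actions(V1, V2))
```

Run it against the real JSON files before each `create`/`update` (for example by loading them with `json.load`) so a wildcard or a `/` scope never reaches the tenant.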
