Azure Custom Roles

Working in a secure customer environment, we had requirements of custom roles for Private AKS Cluster Deployment.

• Create Role Definition JSON as per the requirement

{
  "Name": "Network Reader",
  "IsCustom": true,
  "Description": "Can read Network Properties.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
  "/subscriptions/<subscripion Id>"
  ]
}

• Deploy Role Definition to azure

az role definition create --role-definition ~/roles/vmoperator.json

Create Role Definition

• Update Role definition if required

{
  "Name": "Network Reader",
  "IsCustom": true,
  "Description": "Can read and join Network",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/read",
	"Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
  "/subscriptions/d3819925-7e44-4f5f-8733-1067beaa45ec"
  ]
}

• Deploy updated Role definition

az role definition update --role-definition amlnetwork.json

Update Role Definition

• Assign Role Definition

az role assignment create --assignee <client id> --scope "<resourceid>" --role "Network Reader"

Assign Role