Role-based access control rules may not always meet your needs. Learn how to create custom role-based access control rules using PowerShell and a JSON template.
- [Narrator] In our last movie, we explored how to assign users to built-in roles. But what if one of those roles doesn't quite fit your needs? In Azure, we can go ahead and create custom roles, and this is done through PowerShell. I've already logged into PowerShell. I've logged into my account. And I am in the correct subscription. Probably the easiest way to start this is to list all the roles and to see what each of those roles does. To do so, I'm going to use the command Get-AzureRmRoleDefinition.
I'm going to just pull the name and the description, and this will be easy for us to read. I'm going to go ahead and run that command. And here we can see the list of all the different roles that are available to us. For our demonstration, we're going to go ahead and take the Virtual Machine Contributor role and we're going to modify it somewhat. Right now, we can see the Virtual Machine Contributor role lets us manage our virtual machines but not access them, and we cannot access the virtual network or the storage account that they're connected to.
For our demonstration, we're going to take this built-in role and customize it, allowing the Virtual Machine Contributor, which we'll rename, to start and stop our virtual machines. To do so, we're going to actually export the role definition. We're going to use the same command we just did, Get-AzureRmRoleDefinition. Then we're going to convert it to a JSON file which we can then edit. I'm going to provide the name of that role, which happens to be Virtual Machine Contributor.
I'm going to pipe and then convert this to JSON. I'm using the command, and now I need to provide the output file. And for our demonstration, I'm going to have this output to the corresponding exercise file. I will now provide a name for the file. I'm going to go ahead and run this command. Perfect, now let's pop into our exercise files and take a look at this JSON file.
It's in the exercise files, and this happens to be chapter three, movie four, and there it is, our vmcustomrole. I'm going to go ahead and open up this file. It will open up in Visual Studio. And this is the JSON file for that contributive role. And we see here all of the actions, so we have authorization, allows for read. This role can create availability sets. It can create virtual machines. But what it can't do is start or stop virtual machines, so we'll modify this to allow for that functionality and maybe reduce some of the other functionality that we don't want this user to do.
Well, I need to keep the read authorization there, so I'll leave that one. This role will not need Microsoft Compute for availabilitySets, locations, virtualMachines, or virtualMachineScaleSets but they will need Microsoft Compute and read access. So what I'm going to do is just delete the three. And now they have read access to all of the Microsoft Compute resources.
I'm going to leave the Insight alertRules. Clean this up just a little bit. As before, this user does not need any access to the network, but they will need read rights to the network. So I'm going to delete all but one. And as I did with Compute, I'm going to add in the asterisk and then just read and then delete everything else. Perfect. This role does not require any access to RecoveryServices. I'll go ahead and delete all of those.
This role does not need any access to the availabilityStatus or the deployments. I'll go ahead and delete those. They will need access to subscription, resourceGroups, and read. They do not need access to the storageAccounts, but they do need to be able to read those storageAccounts. I'm going to go ahead and modify the one line. I'm going to delete the other. Before I go on, I can see I've got a little bit of an error here. I've got a rogue comma, so we'll get rid of that.
There we are. That looks a little better. So my Storage is at a read. My Support I'm going to leave the same. I'd like this role to be able to start and restart our virtual machines. Therefore, I'm going to add in those resources. I'm basically going to duplicate that same line again, clean these up a tad.
There we go. We'll clean that up, for all the coders in the group who are going, "Oh, those are off." And I can tell I have a couple of errors here. I have a couple of missing commas. And you'll notice I do not require a comma after our last line. Next, we have to provide the assignable scopes. I want this role to be available in my pay-as-you-go subscription but not the other ones. So I'm going to go ahead and add that in. I'm going to come under subscriptions, and I'm going to add my subscription ID.
I'm copying and pasting it for ease of use. Our final step before saving is to actually change the name of this role. Right now, we have Virtual Machine Contributor. I'm going to call this Virtual Machine Operator. I'm going to save this in the exercise files with a different name. That way, those of you who like to use the exercise files can compare the two files. Go to File, Save As, and we'll call this vmoperator, and I click Save, and we should be good to go.
I'm going to go ahead and minimize our Visual Studio window. I'm going to pop back into PowerShell. And our next step is to import this custom role. To do so, we are going to use the command New-AzureRmRoleDefinition. We'll provide the input file. And I'm selecting the new JSON file we just created.
I can go ahead and run that command. And we can see that we now have our Virtual Machine Operator. The description is still the same. In hindsight, you'll want to modify your description to best describe the new role parameters. And this custom role is only available in my pay-as-you-go subscription. Let's pop back into Azure and take a look at that. Now that we're back in Azure, let's go ahead and open up the Subscriptions blade.
And we'll take a look at the pay-as-you-go subscription, then the Access Control blade, and finally select Roles. And be forewarned, it could take a few minutes before you see the custom role pop in here. I need to actually scroll down because it starts with a V. And you can see here that we now have the Virtual Machine Operator. If we take a look at the permissions that this role has, we can see that it has partial permissions for Authorization, Compute, Monitoring, Network, Resources, Storage, everything that we configured within that JSON file.
I can drill down a little bit more. We can see we have read rights to everything within Microsoft Compute. But within Virtual Machines, we have some other actions. And that would be the start and restart actions that we defined in that JSON file. Custom roles allow for a granularity you may not get from the built-in roles. As you build out your custom roles, I would highly recommend that you test them to make sure that you haven't allowed too much permission or too little permission for those custom roles.
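The whole procedure the narration walks through (export the built-in role, trim it to read-only plus start/restart, import it, then check what was actually granted) as one script. This is an added example, not the course's exercise files; the role name, description, actions and assignable scope are reconstructed from the narration above, while the exercise-file path and the `Id: null` / `IsCustom: true` fields are assumptions (Azure documents those two fields for a new custom role; the narration never mentions them). It uses the AzureRM cmdlets the video uses; on a current machine the same calls are `Connect-AzAccount`, `Get-AzContext`, `Get-AzRoleDefinition` and `New-AzRoleDefinition` from the Az module, since AzureRM is retired.

```powershell
# Added example: build and verify the "Virtual Machine Operator" custom role.
# Assumes Login-AzureRmAccount has already been run and the current context is
# the pay-as-you-go subscription the role should be scoped to.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$workDir  = "C:\exercise\03_04"          # assumed exercise-file folder
$exported = Join-Path $workDir "vmcustomrole.json"
$custom   = Join-Path $workDir "vmoperator.json"

# 1. Export the built-in role to JSON so it can be edited.
Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" |
    ConvertTo-Json | Out-File -FilePath $exported -Encoding utf8

# 2. Edit it in place of the hand edits from the video: read-only access to
#    Compute/Network/Storage/Resources, alert rules and support left as-is,
#    plus the two VM actions the role is meant to add.
#    Id is cleared and IsCustom set so Azure allocates a new role ID.
#    Caveat: "stop" is not covered by start/restart; stopping a VM needs
#    Microsoft.Compute/virtualMachines/powerOff/action (and deallocate/action
#    to release the hardware), which this role deliberately does not grant.
$role = Get-Content -Raw $exported | ConvertFrom-Json
$role.Name        = "Virtual Machine Operator"
$role.Id          = $null
$role.IsCustom    = $true
$role.Description = "Can read VMs, networks and storage, and start or restart VMs."
$role.Actions = @(
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Support/*"
)
$role.NotActions       = @()
$role.AssignableScopes = @("/subscriptions/$subscriptionId")   # this subscription only
$role | ConvertTo-Json -Depth 4 | Out-File -FilePath $custom -Encoding utf8

# 3. Import the custom role from the edited file.
New-AzureRmRoleDefinition -InputFile $custom | Out-Null

# 4. Test it, as the narration recommends: every granted action must be a read
#    or one of the operations intended for this role. Anything else that slipped
#    through the JSON edit (a leftover wildcard, a write action) is reported.
function Test-OperatorRole {
    param([string[]]$Actions)
    $allowed = @(
        "*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
    )
    # Return the actions that match none of the allowed patterns.
    $Actions | Where-Object {
        $action = $_
        -not ($allowed | Where-Object { $action -like $_ })
    }
}

# The new definition can take a few minutes to become visible; re-run if empty.
$actual     = (Get-AzureRmRoleDefinition -Name "Virtual Machine Operator").Actions
$unexpected = Test-OperatorRole -Actions $actual
if ($unexpected) {
    Write-Warning "Over-privileged actions in Virtual Machine Operator: $($unexpected -join ', ')"
} else {
    "Virtual Machine Operator grants only reads plus VM start/restart."
}
```

The test in step 4 is the part worth keeping around: re-running `Test-OperatorRole` against the live definition after any later edit catches the easy mistake of leaving a `Microsoft.Compute/virtualMachines/*` wildcard in place, which would quietly turn an operator role back into a contributor.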
- Designing custom RBAC roles