Tutorial: Create a custom RBAC role using PowerShell (Basic)

The plan is to create a custom RBAC role which can then be assigned to any user account. The custom role will grant the user access to Start or Restart a Virtual machine but no other access. In the real world this account would be useful for an apprentice or a lower level support engineer.

Step 1: Setting up

Firstly, you need to connect to Azure via local PowerShell, if you haven’t set this up before please follow the official guide here.

If you read my previous article “RBAC Roles Overview”, you will know that access is granted through specific Microsoft operations. In order to apply the correct operations we need a list of the available ones. However, as we are only granting Virtual Machine permissions, we only need the list of available Virtual Machine operations.

This can be done via the PowerShell below:

Get-AzureRMProviderOperation "Microsoft.compute/virtualmachines/*" | FT Operation, Description -AutoSize

As we want to grant access to Start and Restart, the two operations we need are:

Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/restart/action


Step 2: Create your JSON file

Custom RBAC roles are created from .json files; start with the following template:

{
    "Name":  "CustomRoleName1",
    "IsCustom":  true,
    "Description":  "A brief description of the RBAC role",
    "Actions":  [                       
                ],
    "NotActions":  [
                   ],
    "DataActions":  [
                    ],
    "NotDataActions":  [
                       ],
    "AssignableScopes":  [
                             "/subscriptions/00000000-0000-0000-0000-000000000000"
                         ]
}

Open any text editor and copy the above template into it.

Now we need to modify this file so it suits our needs and fits the plan. In Step 1 we identified the two operations needed to allow Start and Restart permissions on VMs.

Edit your template: fill in the “Name” and “Description”, add the two operations from Step 1 to the Actions list, and finally make sure you put your own Azure subscription ID in the AssignableScopes section.

Save the file as “RoleName.json” on your local machine. The file should look like this:

{
    "Name":  "VM Start/Restart Role",
    "IsCustom":  true,
    "Description":  "This Custom RBAC role allows a user the access to Start or Restart a VM only.",
    "Actions":  [                    
                    "Microsoft.Compute/virtualMachines/start/action", 
                    "Microsoft.Compute/virtualMachines/restart/action" 
                ],
    "NotActions":  [
                   ],
    "DataActions":  [
                    ],
    "NotDataActions":  [
                       ],
    "AssignableScopes":  [
                             "/subscriptions/e9323b12-8e1e-4dde-9d38-fbdd05cd7eaf"
                         ]
}


Step 3: Create the custom role

Now that we have our JSON file, we have everything we need to create the role in Azure.

The following PowerShell command is all you need to create the role; make sure you edit the path to match the name and location of your own JSON file.

New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\VMStartRestartCustomRole.json"


Step 4: Confirm Creation

So far we have found the operations relevant to our plan, added them to a custom .json file and uploaded the role to Azure. Now all we need to do is confirm it has worked.

Running the following PowerShell will list all custom roles in Azure:

Get-AzureRmRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

You should see a result similar to the one shown here:

[Screenshot: Azure_Custom_RBAC_Role]

To confirm the operations were added correctly, run the following PowerShell; it shows the details of the role:

Get-AzureRmRoleDefinition -Name "VM Start/Restart Role"

If you get the following result, congratulations, you have correctly created your own custom RBAC role:

[Screenshot: Azure_Custom_RBAC_2]
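Steps 1 to 4 as a single script, added here as an example and not part of the original post. It assumes the AzureRm module used in this tutorial is loaded and you have already logged in, and it writes the generated JSON under $env:TEMP. Beyond the manual steps it also checks the requested operations against the provider catalogue before creating the role, and compares what Azure actually stored against the intended definition so you can be sure the role grants exactly the two actions and nothing more.

```powershell
# Added example: build, validate, create and verify the tutorial's role.
# Assumes AzureRm is loaded and Login-AzureRmAccount has already been run.
$RoleName  = "VM Start/Restart Role"
$WantedOps = @(
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
)

# 1. Every requested operation must exist in the provider catalogue; catching
#    a typo here is easier than debugging a role that silently grants nothing.
$known   = (Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*").Operation
$missing = $WantedOps | Where-Object { $known -notcontains $_ }
if ($missing) { throw "Unknown operation(s): $($missing -join ', ')" }

# 2. Scope the role to the current subscription only (no wildcard scopes).
$subId = (Get-AzureRmContext).Subscription.Id
$scope = "/subscriptions/$subId"
$definition = [ordered]@{
    Name             = $RoleName
    IsCustom         = $true
    Description      = "Allows a user to Start or Restart a VM only."
    Actions          = [string[]]$WantedOps
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = [string[]]@($scope)
}
$jsonPath = Join-Path $env:TEMP "VMStartRestartCustomRole.json"
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath -Encoding UTF8
New-AzureRmRoleDefinition -InputFile $jsonPath | Out-Null

# 3. New role definitions can take a moment to become readable; poll briefly.
$created = $null
for ($i = 0; $i -lt 6 -and -not $created; $i++) {
    Start-Sleep -Seconds 10
    $created = Get-AzureRmRoleDefinition -Name $RoleName
}
if (-not $created) { throw "Role '$RoleName' was not found after creation." }

# 4. Least-privilege check: the live role must grant exactly the two actions,
#    carry no NotActions/DataActions, and be assignable only at our subscription.
$actionDiff = Compare-Object -ReferenceObject $WantedOps -DifferenceObject @($created.Actions)
$scopeOk    = (@($created.AssignableScopes) -join ',') -eq $scope
if ($actionDiff -or $created.NotActions -or $created.DataActions -or
    $created.NotDataActions -or -not $scopeOk) {
    throw "Role '$RoleName' does not match the intended definition."
}
"Role '$RoleName' created and verified: $($created.Actions -join ', ')"
```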

Finish

Run the following PowerShell to remove the role you have added (Azure will refuse to delete a custom role that still has role assignments, so remove those first):

Remove-AzureRmRoleDefinition -Name "VM Start/Restart Role"

If you need further information or help regarding custom roles, feel free to contact me via this page, or go here for the Official Documentation.
