Custom Roles in Azure – case Azure Kubernetes Service (update)

Azure Role Based Access Control is great! You can assign roles to users to grant specific access and actions. But you cannot always find a built-in role that fits: in my case I needed to give specific users access to modify an Azure Kubernetes Service cluster, but not to delete it or create a new one.

In this case we need to create a custom role that does exactly what you want. You can use this process to create any custom role; here is a fast step-by-step:

#Install-Module -Name Az -AllowClobber
#Connect-AzAccount
Get-AzSubscription
Select-AzSubscription -SubscriptionId f31d408c-1e0e-478c-a887-ddb7c7ea78d0
# list every operation the ContainerService provider exposes, to pick the ones you need
Get-AzProviderOperation "Microsoft.ContainerService/*" | Out-GridView
Get-AzRoleDefinition -Name "Azure Kubernetes Service Cluster Admin Role"
Get-AzRoleDefinition -Name "Azure Kubernetes Service Cluster Admin Role" | ConvertTo-Json
# export the built-in role as JSON to use as a template for the custom one
Get-AzRoleDefinition -Name "Azure Kubernetes Service Cluster Admin Role" | ConvertTo-Json | Out-File $env:TMP\AKSResizeCluster.json
notepad $env:TMP\AKSResizeCluster.json
New-AzRoleDefinition -InputFile $env:TMP\AKSResizeCluster.json
# confirm the new role shows up among the custom roles
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

Modified AKSResizeCluster.json file (give it a new name, set IsCustom to true, and put your subscription scope in AssignableScopes at the end):

{
"Name": "Azure Kubernetes Service Cluster Write Role",
"Id": "8783b508-5073-4565-aeeb-9d4a28dd6701",
"IsCustom": true,
"Description": "List cluster admin credential action and Write Privileges",
"Actions": [
"Microsoft.ContainerService/containerServices/read",
"Microsoft.ContainerService/containerServices/write",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.ContainerService/operations/read",
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.OperationalInsights/workspaces/sharedkeys/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationsManagement/solutions/write",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.ContainerService/managedClusters/agentPools/write"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/!!!Your_Subscription_ID!!!"
]
}

Right after that you have a new role, Azure Kubernetes Service Cluster Write Role, which you can assign in IAM to your K8S cluster in Azure; you also have to assign it on the resource group where your Log Analytics workspace lives (e.g. 78c-a887-ddb7c7ea78d0-WEU Log Analytics workspace).
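The same procedure done with Az PowerShell objects instead of hand-editing the JSON, as an added example that is not from the original post: it validates every action against Get-AzProviderOperation, refuses any delete or wildcard action, creates the role, and reads it back to verify. The role name, description and the assumption that Connect-AzAccount has already selected the right subscription are mine.

```powershell
# Assumes Connect-AzAccount has run and the target subscription is selected.
$newRoleName = 'Azure Kubernetes Service Cluster Write Role'
$subscriptionId = (Get-AzContext).Subscription.Id

# Operations the role should grant: the list from the JSON above, de-duplicated.
$actions = @(
    'Microsoft.ContainerService/containerServices/read',
    'Microsoft.ContainerService/containerServices/write',
    'Microsoft.ContainerService/managedClusters/read',
    'Microsoft.ContainerService/managedClusters/write',
    'Microsoft.ContainerService/operations/read',
    'Microsoft.ContainerService/managedClusters/agentPools/read',
    'Microsoft.ContainerService/managedClusters/agentPools/write',
    'Microsoft.OperationalInsights/workspaces/sharedkeys/read',
    'Microsoft.OperationalInsights/workspaces/read',
    'Microsoft.OperationsManagement/solutions/write',
    'Microsoft.OperationsManagement/solutions/read'
)

# Guard rail: every action must be a real provider operation, and none may be
# a delete or a wildcard that would silently include delete.
foreach ($a in $actions) {
    if ($a -match '/delete$' -or $a -match '\*') {
        throw "Refusing to include '$a' in a modify-only role"
    }
    if (-not (Get-AzProviderOperation $a)) {
        throw "Unknown provider operation '$a'"
    }
}

# Start from the built-in role so the object has every property ARM expects,
# then turn it into a new custom definition.
$role = Get-AzRoleDefinition -Name 'Azure Kubernetes Service Cluster Admin Role'
$role.Id = $null            # let ARM generate a new role definition id
$role.IsCustom = $true
$role.Name = $newRoleName
$role.Description = 'Read and write AKS clusters and agent pools, no delete'
$role.Actions.Clear()
foreach ($a in $actions) { $role.Actions.Add($a) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role

# Verify what was stored: custom, and no delete action slipped in.
$created = Get-AzRoleDefinition -Name $newRoleName
if (-not $created.IsCustom -or ($created.Actions -match '/delete$')) {
    throw 'Created role does not match the intended modify-only policy'
}
$created | Format-List Name, IsCustom, Actions, AssignableScopes
```

Note that Microsoft.ContainerService/managedClusters/write covers creating a cluster as well as updating one, so the role keeps users from deleting but, by itself, not from creating clusters wherever it is assigned. Assigning it at the scope of the existing cluster resource rather than the resource group is what prevents creating a new one.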

This is a fast outline; to understand what you are doing please visit: https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell