Creating a custom role

In the following example, we will create a custom role that can only restart VMs in Azure. For this, you need to create a JSON file that will be deployed using PowerShell. We will assign that role to a user account inside the JSON file. Let's get started:

  1. You can define the custom role by using the following JSON code. You should set the Id to null since the custom role gets an ID assigned to it when it's created. We will add the custom role to two Azure subscriptions, as follows (replace the subscriptions in the AssignableScopes part with your subscription IDs):
{
  "Name": "Packt Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access to Azure Storage, Network and Compute resources and access to support",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/********-****-****-****-***********",
    "/subscriptions/********-****-****-****-***********"
  ]
}
  2. Save the JSON file in a folder named CustomRoles on the C: drive of your computer. Then, run the following PowerShell script to create the role. First, log in to your Azure account, as follows:
Connect-AzAccount
  3. If necessary, select the right subscription:
Select-AzSubscription -SubscriptionId "********-****-****-****-***********"
  4. Then, create the custom role in Azure by importing the JSON file into PowerShell:
New-AzRoleDefinition -InputFile "C:\CustomRoles\PacktCustomRole.json"
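
A pre-import check for the role definition file from step 1, as an added example that is not code from the original text: it parses the JSON offline and reports masked AssignableScopes entries, wildcard actions broader than read, and any intended operation that the Actions list does not cover. Test-RoleDefinition, its parameters and the sample GUID are assumptions made for illustration; Microsoft.Compute/virtualMachines/restart/action is the Azure operation for restarting a VM.

```powershell
# Added example: offline review of a role definition before New-AzRoleDefinition.
# Test-RoleDefinition and its parameters are hypothetical names; no Az login is needed.
function Test-RoleDefinition {
    param(
        [Parameter(Mandatory)] [string] $Json,
        [string[]] $RequiredActions = @()   # operations the role is meant to allow
    )
    $role = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($null -ne $role.Id)  { $findings.Add('Id should be null for a new custom role') }
    if (-not $role.IsCustom) { $findings.Add('IsCustom should be true') }

    # Assumes subscription-level scopes, as on the page; masked IDs must be replaced.
    $scopePattern = '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    foreach ($scope in $role.AssignableScopes) {
        if ($scope -notmatch $scopePattern) {
            $findings.Add("AssignableScopes entry is not a subscription ID: $scope")
        }
    }
    # A wildcard that does not end in /read grants every operation beneath it.
    foreach ($action in $role.Actions) {
        if ($action.Contains('*') -and $action -notlike '*/read') {
            $findings.Add("Wildcard broader than read: $action")
        }
    }
    # An operation is effective only if an Actions pattern matches and no NotActions does.
    foreach ($needed in $RequiredActions) {
        $allowed = @($role.Actions    | Where-Object { $needed -like $_ }).Count -gt 0
        $denied  = @($role.NotActions | Where-Object { $needed -like $_ }).Count -gt 0
        if (-not $allowed -or $denied) { $findings.Add("Not granted: $needed") }
    }
    $findings
}

# Constructed sample: the Actions from step 1, one constructed GUID, one masked scope.
$sample = @'
{ "Name": "Packt Custom Role", "Id": null, "IsCustom": true,
  "Actions": [ "Microsoft.Compute/*/read", "Microsoft.Storage/*/read",
               "Microsoft.Network/*/read",
               "Microsoft.Resources/subscriptions/resourceGroups/read",
               "Microsoft.Support/*" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/00000000-0000-0000-0000-000000000000",
                        "/subscriptions/********-****-****-****-***********" ] }
'@
Test-RoleDefinition -Json $sample -RequiredActions 'Microsoft.Compute/virtualMachines/restart/action'
```

To review the saved file instead of the inline sample, pass `(Get-Content -Raw 'C:\CustomRoles\PacktCustomRole.json')` as `-Json`.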

In this section, we created a custom role that can only restart VMs in Azure. Now, we're going to take a look at how we can create policies using Azure Policy.
