Permissions

This module uses two providers, AzAPI and AzureRM. We recommend that you use the same identity for both providers. See provider configuration for more information.

This sub-module manages the following resources:

The identity used must have permission to:

- Create subscriptions using the `Microsoft.Subscription/aliases` resource. See the documentation for details.
  Note: The following process explains how to assign EA roles to SPNs.
- Manage the subscription's management group using the `Microsoft.Management/managementGroups` resource. For a detailed explanation of the permissions required, see the documentation.

Note: the identity that creates the subscription will have Owner permissions assigned by default. If you instead supply an existing subscription id, you must ensure that the identity of the provider has the Owner permissions assigned.
This sub-module manages the following resources using the AzAPI provider:

- `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections`
- `Microsoft.Network/virtualNetworks/virtualNetworkPeerings`
- `Microsoft.Network/virtualNetworks`
- `Microsoft.Resources/resourceGroups`

These resources are deployed into the new or the supplied subscription. The identity of the AzAPI provider must have permission to create these resources.

The identity assigned to the AzAPI provider must also have the following permissions on hub networks to create virtual network peerings. We recommend that you create a custom role in order to maintain the least privilege principle.
| Action | Description |
|---|---|
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write` | Required to create a peering from the supplied hub network. |
| `Microsoft.Network/virtualNetworks/peer/action` | Required to create a peering from the supplied hub network. |
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read` | Read a virtual network peering. |
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete` | Delete a virtual network peering. |

See the documentation for more information.
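As an added example (not code from this module or its wiki), the custom role below grants only the four hub-network actions listed above, scoped and assignable solely to the hub virtual network, and assigns it to the AzAPI provider identity. The variable values, the role name and the resource labels are assumptions.

```hcl
# Added example: least-privilege custom role for hub peerings.
# Both variable values are assumed inputs supplied by the caller.
variable "hub_virtual_network_id" {
  description = "Resource id of the hub virtual network (assumed value)."
  type        = string
}

variable "provider_principal_id" {
  description = "Object id of the identity used by the AzAPI provider (assumed value)."
  type        = string
}

resource "azurerm_role_definition" "hub_peering" {
  name        = "Hub Network Peering Operator" # hypothetical role name
  scope       = var.hub_virtual_network_id
  description = "Create, read and remove spoke peerings on the hub virtual network only."

  permissions {
    # Exactly the actions the peering table requires; no wildcards.
    actions = [
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      "Microsoft.Network/virtualNetworks/peer/action",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    ]
    not_actions = []
  }

  # Prevent the role from being assigned anywhere except the hub vnet.
  assignable_scopes = [var.hub_virtual_network_id]
}

resource "azurerm_role_assignment" "hub_peering" {
  scope              = var.hub_virtual_network_id
  role_definition_id = azurerm_role_definition.hub_peering.role_definition_resource_id
  principal_id       = var.provider_principal_id
}
```

If the hub is a Virtual WAN hub rather than a virtual network, the connection permissions in the next section apply instead and this role is not sufficient on its own.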
The identity assigned to the AzAPI provider must also have the following permissions on hub networks to create virtual network connections. We recommend that you create a custom role in order to maintain the least privilege principle.
TBC
This sub-module manages the following resources using the AzureRM provider:

The role assignments are deployed into either the new or the supplied subscription, at subscription or child scopes.

The identity of the AzureRM provider must have permission to create these resources; typically this means having the Owner or User Access Administrator roles.
This wiki is being actively developed.

If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the `docs/wiki/` folder.