[enterprise-4.9] OADP-419 Minimum permissions for storage location providers

modules/migration-configuring-aws-s3.adoc

@@ -111,7 +111,7 @@ $ cat > velero-policy.json <<EOF
 EOF
 ----
 
-. Attach the policies to give the `velero` user the necessary permissions:
+. Attach the policies to give the `velero` user the minimum necessary permissions:
 +
 [source,terminal]
 ----

modules/migration-configuring-azure.adoc

@@ -127,6 +127,29 @@ $ AZURE_STORAGE_ACCOUNT_ACCESS_KEY=`az storage account keys list \
   --query "[?keyName == 'key1'].value" -o tsv`
 ----
 
+. Create a custom role that has the minimum required permissions:
++
+[source,terminal,subs="attributes+"]
+----
+AZURE_ROLE=Velero
+az role definition create --role-definition '{
+   "Name": "'$AZURE_ROLE'",
+   "Description": "Velero related permissions to perform backups, restores and deletions",
+   "Actions": [
+       "Microsoft.Compute/disks/read",
+       "Microsoft.Compute/disks/write",
+       "Microsoft.Compute/disks/endGetAccess/action",
+       "Microsoft.Compute/disks/beginGetAccess/action",
+       "Microsoft.Compute/snapshots/read",
+       "Microsoft.Compute/snapshots/write",
+       "Microsoft.Compute/snapshots/delete",
+       "Microsoft.Storage/storageAccounts/listkeys/action",
+       "Microsoft.Storage/storageAccounts/regeneratekey/action"
+   ],
+   "AssignableScopes": ["/subscriptions/'$AZURE_SUBSCRIPTION_ID'"]
+   }'
+----
+
 . Create a `credentials-velero` file:
 +
 [source,terminal,subs="attributes+"]

modules/migration-configuring-gcp.adoc

@@ -82,7 +82,7 @@ $ SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
     --format 'value(email)')
 ----
 
-. Attach the policies to give the `velero` user the necessary permissions:
+. Attach the policies to give the `velero` user the minimum necessary permissions:
 +
 [source,terminal]
 ----