Closed Karl-WE closed 7 months ago
I need to double check. Last time the role did not have enough permissions. Thx!
See? Built-in does not have enough permissions:

```json
{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "properties": {
    "roleName": "Azure Stack HCI registration role",
    "description": "Custom Azure role to allow subscription-level access to register Azure Stack HCI",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.AzureStackHCI/register/action",
          "Microsoft.AzureStackHCI/Unregister/Action",
          "Microsoft.AzureStackHCI/clusters/*",
          "Microsoft.HybridCompute/register/action",
          "Microsoft.GuestConfiguration/register/action",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourceGroups/delete",
          "Microsoft.HybridConnectivity/register/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
We will need to wait for official Microsoft documentation. This is my role:

```json
{
  "id": "/subscriptions/c9d71720-73a9-4d37-80b3-9f554562fa55/providers/Microsoft.Authorization/roleDefinitions/ef1fce41-cb15-417c-b08c-b0e4765aa7d3",
  "properties": {
    "roleName": "Azure Stack HCI registration role - Custom",
    "description": "Custom Azure role to allow subscription-level access to register Azure Stack HCI",
    "assignableScopes": [
      "/subscriptions/c9d71720-73a9-4d37-80b3-9f554562fa55"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourceGroups/delete",
          "Microsoft.AzureStackHCI/register/action",
          "Microsoft.AzureStackHCI/Unregister/Action",
          "Microsoft.AzureStackHCI/clusters/*",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.HybridCompute/register/action",
          "Microsoft.GuestConfiguration/register/action",
          "Microsoft.HybridConnectivity/register/action",
          "Microsoft.HybridCompute/machines/extensions/write",
          "Microsoft.HybridCompute/machines/read",
          "Microsoft.HybridCompute/machines/write",
          "Microsoft.HybridCompute/privateLinkScopes/read",
          "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
          "Microsoft.HybridCompute/machines/extensions/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
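The two role definitions above differ only in their `actions` lists, and reading two flat lists by eye is how the "not enough permissions" question went unanswered for a while. The script below is an added example for this thread, not code from the issue, from Microsoft, or from the DellGEOS lab guides: it takes the action lists copied from the two definitions posted above, applies Azure RBAC matching rules (case-insensitive, `*` matches any run of characters including `/`), reports which actions the custom role grants that the built-in one does not, and flags any action that lets the assignee change role assignments. The helper names and the `PRIVILEGE_ADMIN_ACTIONS` list are my own; the `role_actions` helper reads the same `properties.permissions[]` shape the page shows, which is also what `az role definition list` returns, so it can be pointed at a live export.

```python
"""Compare two Azure RBAC role definitions: what does one grant that the other
does not, and does either carry a privilege-administration action?

Added example for this thread, not code from the issue, Microsoft or DellGEOS.
Action lists are copied from the two role definitions posted above.
"""
import re
from typing import Iterable, List, Tuple

# Copied from the built-in "Azure Stack HCI registration role" above.
BUILTIN_ACTIONS: List[str] = [
    "Microsoft.AzureStackHCI/register/action",
    "Microsoft.AzureStackHCI/Unregister/Action",
    "Microsoft.AzureStackHCI/clusters/*",
    "Microsoft.HybridCompute/register/action",
    "Microsoft.GuestConfiguration/register/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.HybridConnectivity/register/action",
]

# Copied from "Azure Stack HCI registration role - Custom" above.
CUSTOM_ACTIONS: List[str] = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.AzureStackHCI/register/action",
    "Microsoft.AzureStackHCI/Unregister/Action",
    "Microsoft.AzureStackHCI/clusters/*",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.HybridCompute/register/action",
    "Microsoft.GuestConfiguration/register/action",
    "Microsoft.HybridConnectivity/register/action",
    "Microsoft.HybridCompute/machines/extensions/write",
    "Microsoft.HybridCompute/machines/read",
    "Microsoft.HybridCompute/machines/write",
    "Microsoft.HybridCompute/privateLinkScopes/read",
    "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
    "Microsoft.HybridCompute/machines/extensions/read",
]

# Built-in definition in the shape the page shows, trimmed to what we read.
BUILTIN_ROLE = {"properties": {
    "roleName": "Azure Stack HCI registration role",
    "permissions": [{"actions": BUILTIN_ACTIONS, "notActions": []}],
}}

# Hand-picked (my list, not Microsoft's): whoever holds one of these can hand
# out or redefine roles at the assignable scope, i.e. reach Owner from a
# role that was meant only to register clusters.
PRIVILEGE_ADMIN_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
)


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Azure action strings are case-insensitive; '*' matches any run of
    # characters, '/' included (e.g. "Microsoft.AzureStackHCI/clusters/*").
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE)


def action_allowed(action: str, actions: Iterable[str],
                   not_actions: Iterable[str] = ()) -> bool:
    """True if `action` matches an entry in `actions` and none in `not_actions`."""
    granted = any(_pattern_to_regex(p).fullmatch(action) for p in actions)
    denied = any(_pattern_to_regex(p).fullmatch(action) for p in not_actions)
    return granted and not denied


def role_actions(role_def: dict) -> Tuple[List[str], List[str]]:
    """Flatten properties.permissions[] into (actions, notActions)."""
    actions, not_actions = [], []
    for perm in role_def["properties"]["permissions"]:
        actions.extend(perm.get("actions", []))
        not_actions.extend(perm.get("notActions", []))
    return actions, not_actions


def missing_actions(have: Iterable[str], required: Iterable[str]) -> List[str]:
    """Entries of `required` not covered by `have`. A wildcard entry in
    `required` is matched as a literal string, so it counts as covered only
    when `have` holds the same wildcard or a broader one."""
    have = list(have)
    return [a for a in required if not action_allowed(a, have)]


def risky_actions(actions: Iterable[str]) -> List[str]:
    """Privilege-administration actions the role grants, if any."""
    actions = list(actions)
    return [a for a in PRIVILEGE_ADMIN_ACTIONS if action_allowed(a, actions)]


if __name__ == "__main__":
    acts, _ = role_actions(BUILTIN_ROLE)
    print("custom role grants, built-in does not:")
    for a in missing_actions(acts, CUSTOM_ACTIONS):
        print("  +", a)
    print("privilege-admin actions in custom role:", risky_actions(CUSTOM_ACTIONS))
```

Run against the two definitions on this page, the custom role adds eight actions, and one of them, `Microsoft.Authorization/roleAssignments/write`, is a privilege-administration action: a principal holding it at subscription scope can assign itself any role there, so if a registration identity really needs it, scope the assignment as narrowly as the registration allows and treat the identity as an administrator in monitoring.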
I see, I will check on my end as well.
Dear @jaromirk
https://github.com/DellGEOS/AzureStackHOLs/tree/main/lab-guides/08-DeployAzureStackHCICluster-DeploymentTool
For this guidance, we can safely remove the creation of the RBAC (IAM) role to register the Azure Stack HCI nodes. The MS documentation is not complete / updated. I will raise a PR at a later date.
The previously required custom roles appear to exist in current tenants and include even more permissions than just registering.
TL;DR: as of today, Microsoft has created and pre-provisioned Azure Stack HCI IAM roles for registration and other purposes such as Azure Arc.