DellGEOS / AzureStackHOLs

Hands on labs for Azure Stack HCI

Provisioning of IAM role for Azure Stack HCI / PowerShell Deployment tool (preview) #42

Closed Karl-WE closed 7 months ago

Karl-WE commented 1 year ago

Dear @jaromirk

https://github.com/DellGEOS/AzureStackHOLs/tree/main/lab-guides/08-DeployAzureStackHCICluster-DeploymentTool

For this guidance, we can safely remove the creation of the RBAC (IAM) role to register the Azure Stack HCI nodes. The MS documentation is not complete / updated. I will raise a PR at a later date.

The previously required custom role appears to exist in current tenants and includes even more permissions than just registering.

tl;dr: as of today, Microsoft has created and pre-provisioned Azure Stack HCI IAM roles for registration and other purposes such as Azure Arc.

jaromirk commented 1 year ago

I need to double check. Last time the role did not have enough permissions. Thx!

jaromirk commented 1 year ago

See? Built-in does not have enough permissions:

{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
    "properties": {
        "roleName": "Azure Stack HCI registration role",
        "description": "Custom Azure role to allow subscription-level access to register Azure Stack HCI",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.AzureStackHCI/register/action",
                    "Microsoft.AzureStackHCI/Unregister/Action",
                    "Microsoft.AzureStackHCI/clusters/*",
                    "Microsoft.HybridCompute/register/action",
                    "Microsoft.GuestConfiguration/register/action",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/delete",
                    "Microsoft.HybridConnectivity/register/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

jaromirk commented 1 year ago

We will need to wait for official Microsoft documentation. This is my role:

{
    "id": "/subscriptions/c9d71720-73a9-4d37-80b3-9f554562fa55/providers/Microsoft.Authorization/roleDefinitions/ef1fce41-cb15-417c-b08c-b0e4765aa7d3",
    "properties": {
        "roleName": "Azure Stack HCI registration role - Custom",
        "description": "Custom Azure role to allow subscription-level access to register Azure Stack HCI",
        "assignableScopes": [
            "/subscriptions/c9d71720-73a9-4d37-80b3-9f554562fa55"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/delete",
                    "Microsoft.AzureStackHCI/register/action",
                    "Microsoft.AzureStackHCI/Unregister/Action",
                    "Microsoft.AzureStackHCI/clusters/*",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.HybridCompute/register/action",
                    "Microsoft.GuestConfiguration/register/action",
                    "Microsoft.HybridConnectivity/register/action",
                    "Microsoft.HybridCompute/machines/extensions/write",
                    "Microsoft.HybridCompute/machines/read",
                    "Microsoft.HybridCompute/machines/write",
                    "Microsoft.HybridCompute/privateLinkScopes/read",
                    "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
                    "Microsoft.HybridCompute/machines/extensions/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
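To make the "not enough permissions" claim checkable rather than eyeballed, here is an added example (not code from the DellGEOS repository or from either commenter) that compares the two role definitions posted above action by action, using Azure RBAC's wildcard and case-insensitive matching, and also checks where each role can be assigned given its assignableScopes. The action lists are copied from the two definitions in the thread, trimmed to the fields the comparison needs; the watch-list of privilege-granting actions and the placeholder subscription id used for the out-of-scope check are my own additions.

```python
"""Action-by-action comparison of two Azure RBAC role definitions.

Added example for the thread above; not part of the lab guide.
Azure RBAC semantics used here: '*' in a granted action matches any run of
characters, matching is case-insensitive, and an action is effective only if
it matches an 'actions' entry and no 'notActions' entry.
"""
import re

# Trimmed copies of the two role definitions posted in the issue
# (roleName, assignableScopes, actions, notActions only).
BUILT_IN_ROLE = {
    "roleName": "Azure Stack HCI registration role",
    "assignableScopes": ["/"],
    "actions": [
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.HybridConnectivity/register/action",
    ],
    "notActions": [],
}

CUSTOM_ROLE = {
    "roleName": "Azure Stack HCI registration role - Custom",
    "assignableScopes": ["/subscriptions/c9d71720-73a9-4d37-80b3-9f554562fa55"],
    "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.HybridCompute/machines/extensions/read",
    ],
    "notActions": [],
}

# Actions that let a principal hand out further permissions; a reviewer
# should always see these called out explicitly (my own minimal watch-list).
PRIVILEGE_GRANTING = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roledefinitions/write",
}


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn an RBAC action pattern into a regex: '*' -> '.*', rest literal."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def is_covered(action: str, role: dict) -> bool:
    """True if `role` effectively grants `action` (granted and not denied)."""
    granted = any(_pattern_to_regex(p).match(action) for p in role["actions"])
    denied = any(_pattern_to_regex(p).match(action) for p in role.get("notActions", []))
    return granted and not denied


def missing_actions(required_role: dict, candidate_role: dict) -> list:
    """Actions granted by `required_role` that `candidate_role` does not cover."""
    return [a for a in required_role["actions"] if not is_covered(a, candidate_role)]


def assignable_at(role: dict, scope: str) -> bool:
    """A role is assignable at `scope` if scope equals or lies under an assignableScope."""
    scope_l = scope.lower().rstrip("/") + "/"
    return any(scope_l.startswith(s.lower().rstrip("/") + "/") for s in role["assignableScopes"])


def privilege_granting(role: dict) -> list:
    """Actions in the role that appear on the privilege-granting watch-list."""
    return [a for a in role["actions"] if a.lower() in PRIVILEGE_GRANTING]


if __name__ == "__main__":
    print(f"Custom actions not covered by '{BUILT_IN_ROLE['roleName']}':")
    for action in missing_actions(CUSTOM_ROLE, BUILT_IN_ROLE):
        print("  -", action)
    print("Privilege-granting actions in custom role:", privilege_granting(CUSTOM_ROLE))
    # Constructed placeholder subscription id, not a real tenant.
    other = "/subscriptions/00000000-0000-0000-0000-000000000000"
    print("Built-in assignable in another subscription:", assignable_at(BUILT_IN_ROLE, other))
    print("Custom assignable in another subscription:", assignable_at(CUSTOM_ROLE, other))
```

Run stand-alone it lists the eight actions the custom role carries that the built-in role does not (the Arc machine, extension, private link scope and guest configuration reads/writes, plus the two roleAssignments actions), and it flags `Microsoft.Authorization/roleAssignments/write` separately, since a principal holding it can grant roles to others, which is worth scrutinising when the role is meant only for cluster registration. The assignableScopes check shows the other difference between the two definitions: the built-in role (scope "/") can be assigned in any subscription, while the custom role is confined to the one subscription it was created in.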

Karl-WE commented 1 year ago

I see, I will check on my end as well.