Created
March 8, 2025 06:54
-
-
Save ruo91/045643995d238f24e9fe3aaee746bc9b to your computer and use it in GitHub Desktop.
OpenShift 4.x - Required Azure permissions for installer-provisioned infrastructure
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Name": "ocp4-role", | |
| "IsCustom": true, | |
| "Description": "Custom role with specified permissions", | |
| "Actions": [ | |
| "Microsoft.Authorization/policies/audit/action", | |
| "Microsoft.Authorization/policies/auditIfNotExists/action", | |
| "Microsoft.Authorization/roleAssignments/read", | |
| "Microsoft.Authorization/roleAssignments/write", | |
| "Microsoft.Authorization/roleAssignments/delete", | |
| "Microsoft.Compute/availabilitySets/read", | |
| "Microsoft.Compute/availabilitySets/write", | |
| "Microsoft.Compute/availabilitySets/delete", | |
| "Microsoft.Compute/disks/beginGetAccess/action", | |
| "Microsoft.Compute/disks/delete", | |
| "Microsoft.Compute/disks/read", | |
| "Microsoft.Compute/disks/write", | |
| "Microsoft.Compute/diskEncryptionSets/read", | |
| "Microsoft.Compute/diskEncryptionSets/write", | |
| "Microsoft.Compute/diskEncryptionSets/delete", | |
| "Microsoft.Compute/galleries/delete", | |
| "Microsoft.Compute/galleries/images/delete", | |
| "Microsoft.Compute/galleries/images/read", | |
| "Microsoft.Compute/galleries/images/versions/delete", | |
| "Microsoft.Compute/galleries/images/versions/read", | |
| "Microsoft.Compute/galleries/images/versions/write", | |
| "Microsoft.Compute/galleries/images/write", | |
| "Microsoft.Compute/galleries/read", | |
| "Microsoft.Compute/galleries/write", | |
| "Microsoft.Compute/images/delete", | |
| "Microsoft.Compute/images/read", | |
| "Microsoft.Compute/images/write", | |
| "Microsoft.Compute/snapshots/delete", | |
| "Microsoft.Compute/snapshots/read", | |
| "Microsoft.Compute/snapshots/write", | |
| "Microsoft.Compute/virtualMachines/delete", | |
| "Microsoft.Compute/virtualMachines/powerOff/action", | |
| "Microsoft.Compute/virtualMachines/read", | |
| "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action", | |
| "Microsoft.Compute/virtualMachines/write", | |
| "Microsoft.Features/providers/features/register/action", | |
| "Microsoft.KeyVault/vaults/delete", | |
| "Microsoft.KeyVault/vaults/deploy/action", | |
| "Microsoft.KeyVault/vaults/keys/read", | |
| "Microsoft.KeyVault/vaults/keys/write", | |
| "Microsoft.KeyVault/vaults/read", | |
| "Microsoft.KeyVault/vaults/write", | |
| "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", | |
| "Microsoft.ManagedIdentity/userAssignedIdentities/delete", | |
| "Microsoft.ManagedIdentity/userAssignedIdentities/read", | |
| "Microsoft.ManagedIdentity/userAssignedIdentities/write", | |
| "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read", | |
| "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write", | |
| "Microsoft.Network/azureFirewalls/applicationRuleCollections/write", | |
| "Microsoft.Network/azureFirewalls/read", | |
| "Microsoft.Network/azureFirewalls/write", | |
| "Microsoft.Network/dnsZones/A/delete", | |
| "Microsoft.Network/dnsZones/A/read", | |
| "Microsoft.Network/dnsZones/A/write", | |
| "Microsoft.Network/dnsZones/CNAME/delete", | |
| "Microsoft.Network/dnsZones/CNAME/read", | |
| "Microsoft.Network/dnsZones/CNAME/write", | |
| "Microsoft.Network/dnsZones/read", | |
| "Microsoft.Network/dnsZones/write", | |
| "Microsoft.Network/dnsZones/delete", | |
| "Microsoft.Network/loadBalancers/backendAddressPools/join/action", | |
| "Microsoft.Network/loadBalancers/backendAddressPools/read", | |
| "Microsoft.Network/loadBalancers/backendAddressPools/write", | |
| "Microsoft.Network/loadBalancers/inboundNatRules/read", | |
| "Microsoft.Network/loadBalancers/inboundNatRules/write", | |
| "Microsoft.Network/loadBalancers/inboundNatRules/delete", | |
| "Microsoft.Network/loadBalancers/delete", | |
| "Microsoft.Network/loadBalancers/read", | |
| "Microsoft.Network/loadBalancers/write", | |
| "Microsoft.Network/natGateways/join/action", | |
| "Microsoft.Network/natGateways/read", | |
| "Microsoft.Network/natGateways/write", | |
| "Microsoft.Network/networkInterfaces/delete", | |
| "Microsoft.Network/networkInterfaces/join/action", | |
| "Microsoft.Network/networkInterfaces/read", | |
| "Microsoft.Network/networkInterfaces/write", | |
| "Microsoft.Network/networkSecurityGroups/delete", | |
| "Microsoft.Network/networkSecurityGroups/join/action", | |
| "Microsoft.Network/networkSecurityGroups/read", | |
| "Microsoft.Network/networkSecurityGroups/securityRules/delete", | |
| "Microsoft.Network/networkSecurityGroups/securityRules/read", | |
| "Microsoft.Network/networkSecurityGroups/securityRules/write", | |
| "Microsoft.Network/networkSecurityGroups/write", | |
| "Microsoft.Network/privateDnsZones/A/delete", | |
| "Microsoft.Network/privateDnsZones/A/read", | |
| "Microsoft.Network/privateDnsZones/A/write", | |
| "Microsoft.Network/privateDnsZones/SOA/read", | |
| "Microsoft.Network/privateDnsZones/delete", | |
| "Microsoft.Network/privateDnsZones/join/action", | |
| "Microsoft.Network/privateDnsZones/read", | |
| "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete", | |
| "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read", | |
| "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write", | |
| "Microsoft.Network/privateDnsZones/write", | |
| "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read", | |
| "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write", | |
| "Microsoft.Network/privateEndpoints/read", | |
| "Microsoft.Network/privateEndpoints/write", | |
| "Microsoft.Network/publicIPAddresses/delete", | |
| "Microsoft.Network/publicIPAddresses/join/action", | |
| "Microsoft.Network/publicIPAddresses/read", | |
| "Microsoft.Network/publicIPAddresses/write", | |
| "Microsoft.Network/routeTables/join/action", | |
| "Microsoft.Network/routeTables/read", | |
| "Microsoft.Network/routeTables/routes/read", | |
| "Microsoft.Network/routeTables/routes/write", | |
| "Microsoft.Network/routeTables/write", | |
| "Microsoft.Network/virtualNetworks/delete", | |
| "Microsoft.Network/virtualNetworks/join/action", | |
| "Microsoft.Network/virtualNetworks/peer/action", | |
| "Microsoft.Network/virtualNetworks/read", | |
| "Microsoft.Network/virtualNetworks/subnets/join/action", | |
| "Microsoft.Network/virtualNetworks/subnets/read", | |
| "Microsoft.Network/virtualNetworks/subnets/write", | |
| "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", | |
| "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", | |
| "Microsoft.Network/virtualNetworks/write", | |
| "Microsoft.Resourcehealth/healthevent/Activated/action", | |
| "Microsoft.Resourcehealth/healthevent/InProgress/action", | |
| "Microsoft.Resourcehealth/healthevent/Pending/action", | |
| "Microsoft.Resourcehealth/healthevent/Resolved/action", | |
| "Microsoft.Resourcehealth/healthevent/Updated/action", | |
| "Microsoft.Resources/subscriptions/resourceGroups/read", | |
| "Microsoft.Resources/subscriptions/resourceGroups/write", | |
| "Microsoft.Resources/subscriptions/resourceGroups/delete", | |
| "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action", | |
| "Microsoft.Resources/deployments/read", | |
| "Microsoft.Resources/deployments/write", | |
| "Microsoft.Resources/deployments/delete", | |
| "Microsoft.Resources/tags/read", | |
| "Microsoft.Resources/tags/write", | |
| "Microsoft.Resources/tags/delete", | |
| "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action", | |
| "Microsoft.Storage/storageAccounts/blobServices/read", | |
| "Microsoft.Storage/storageAccounts/blobServices/containers/write", | |
| "Microsoft.Storage/storageAccounts/delete", | |
| "Microsoft.Storage/storageAccounts/fileServices/read", | |
| "Microsoft.Storage/storageAccounts/fileServices/shares/delete", | |
| "Microsoft.Storage/storageAccounts/fileServices/shares/read", | |
| "Microsoft.Storage/storageAccounts/fileServices/shares/write", | |
| "Microsoft.Storage/storageAccounts/listKeys/action", | |
| "Microsoft.Storage/storageAccounts/read", | |
| "Microsoft.Storage/storageAccounts/write" | |
| ], | |
| "AssignableScopes": [ | |
| "/subscriptions/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx" | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Create
az role definition create --role-definition ms-azure-ocp4-role.json
Update
az role definition update --role-definition ms-azure-ocp4-role.json