How to create a custom role for ANF snapshots

I think we can all agree that Azure NetApp Files snapshots are a very powerful tool when it comes to backup and restore, Disaster Recovery and Business Continuity. A great use case is refreshing your Dev/Test environment with Production data in a matter of seconds.

For automating or delegating these tasks, it’s good practice to use a so-called non-privileged account, i.e. least-privilege access. In this article we’ll explain how to create a custom role that allows reading, writing and deleting ANF snapshots, and how to assign this role to a Service Principal in Azure.

Requirements
Before we start, please note the following requirements.

  1. Custom roles require Azure AD P1 or P2
  2. To set up the Service Principal you need to be a member of either the Owner or User Access Administrator role

Step 1: create Service Principal
Open the Azure Cloud Shell and enter the following command.
az ad sp create-for-rbac --name ServicePrincipalANFsnapshot

create Service Principal

Save the output, since it contains the password and appId (needed in step 4). Also, keep in mind the Service Principal is a contributor (default) at this point.

Step 2: create custom role .json
Creating custom roles from the Azure Portal is limited, so we need to create a .json file that describes the role. Create ANFsnapshots.json with the following contents and upload the file to your Cloud Shell. Replace insert_sub_id_here with your subscription ID.

{
  "Name": "ANF snapshots",
  "IsCustom": true,
  "Description": "Read, write and delete ANF snapshots.",
  "Actions": [
    "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/insert_sub_id_here"
  ]
}

As you can see, all actions belonging to /snapshots/* are included. This effectively means the following three actions are allowed.

Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/write
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/delete

Step 3: create custom role from .json
Execute the following command and point to the .json file created in step 2. This will create the custom role from the .json input.
New-AzRoleDefinition -InputFile "ANFsnapshots.json"

create custom role from .json

Step 4: assign role to service principal
First we remove the default contributor role. Replace “insert_app_id” with the corresponding value from step 1.
az role assignment delete --assignee "insert_app_id" --role Contributor

We now assign the custom role to the Service Principal. Again, replace “insert_app_id” with the value from step 1.
az role assignment create --assignee "insert_app_id" --role "ANF snapshots"

assign the custom role to the Service Principal

Congratulations, your Service Principal with the custom ANF snapshot role is now ready for use!

N.B. The custom role does not show up in the Azure Portal. You can list all custom roles by running the following command.
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
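The four steps above as one script, added here as an example and not the article's own code. It generates the role JSON for a subscription id passed as the first argument, checks that the role stays least-privilege before anything is created, and then runs steps 1 to 4 with the Azure CLI (az role definition create is the CLI counterpart of the article's New-AzRoleDefinition). Assumptions: az is installed and logged in when apply_role runs, the role and Service Principal names are the article's, and the two extra read actions (capacityPools/read and capacityPools/volumes/read) come from Anwar's comment below the article, which reports that taking a snapshot fails without them.

```shell
#!/bin/sh
# Added example (not the article's own script): build the ANF snapshot role
# definition, check it is least-privilege, then apply steps 1-4 with the
# Azure CLI. Assumes 'az' is installed and logged in when apply_role runs.
set -eu

ROLE_NAME="ANF snapshots"
SP_NAME="ServicePrincipalANFsnapshot"

# A subscription id is a GUID; reject anything else before it reaches
# AssignableScopes, so a typo cannot produce a role with a bogus scope.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emit the role definition JSON (same shape as the article's ANFsnapshots.json,
# plus the two read actions from the reader comment) for the given subscription.
build_role_json() {
  is_guid "$1" || { echo "not a subscription id: $1" >&2; return 1; }
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Read, write and delete ANF snapshots.",
  "Actions": [
    "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/*",
    "Microsoft.NetApp/netAppAccounts/capacityPools/read",
    "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$1"
  ]
}
EOF
}

# Guard against privilege creep: every action in the JSON must sit under the
# snapshots path or be one of the two read actions. A broader wildcard such as
# Microsoft.NetApp/* fails the check (return code 1).
check_least_privilege() {
  bad=0
  for action in $(printf '%s\n' "$1" | grep -o '"Microsoft\.[^"]*"' | tr -d '"'); do
    case "$action" in
      Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/*) ;;
      Microsoft.NetApp/netAppAccounts/capacityPools/read) ;;
      Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read) ;;
      *) echo "over-privileged action: $action" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Steps 1-4 of the article, using only the Azure CLI.
apply_role() {
  sub_id="$1"
  build_role_json "$sub_id" > ANFsnapshots.json
  check_least_privilege "$(cat ANFsnapshots.json)"

  # Step 1: create the SP and keep its appId. Only the appId is captured here;
  # drop --query if you also need the generated password, which az prints once.
  app_id=$(az ad sp create-for-rbac --name "$SP_NAME" --query appId --output tsv)

  # Steps 2-3: register the custom role from the JSON file.
  az role definition create --role-definition @ANFsnapshots.json

  # Step 4: remove the default Contributor assignment the article mentions
  # (nothing to remove on CLI versions that no longer grant it) and assign the
  # custom role at subscription scope.
  az role assignment delete --assignee "$app_id" --role Contributor --scope "/subscriptions/$sub_id"
  az role assignment create --assignee "$app_id" --role "$ROLE_NAME" --scope "/subscriptions/$sub_id"

  # Verify: the SP should now hold exactly one assignment, the custom role.
  az role assignment list --assignee "$app_id" --output table
}

# Usage: sh anf_snapshot_role.sh <subscription-id>
if [ $# -gt 0 ]; then
  apply_role "$1"
fi
```

The least-privilege check runs before any Azure call, so a role file that was edited to a wider wildcard is caught locally instead of after it has been assigned; the final assignment listing is the quick way to confirm that Contributor is really gone.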

4 comments

  1. Hi Rutger,

    It seems that in the Custom Role we also need to provide read access to Capacity Pools and Volumes, as below:

    Error: When Taking Snapshot:
    Error message: The client ‘6e15ae14-763d-446c-a1ea-40f00658840f’ with object id ‘6e15ae14-763d-446c-a1ea-40f00658840f’ does not have authorization to perform action ‘Microsoft.NetApp/netAppAccounts/capacityPools/read’ over scope ‘/subscriptions/3af3b1d7-1863-4cdb-b69c-38fd1179119c/resourceGroups

    Solution: Add Additional Permission to Custom Role
    Microsoft.NetApp/netAppAccounts/capacityPools/read
    Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read

    Regards,
    Anwar
