You can assign Azure built-in roles to the Azure app registration that you use for Commvault Cloud.
Prerequisites
- If you will use Azure CLI or Azure PowerShell for the steps on this page, use the most recent version of that tool.
- Your Azure account must have the Role Based Access Control Administrator role.
Procedure
Azure Portal
- In the Azure portal, on the Access Control (IAM) tab, click Add, and then select Add role assignment.
  The Add role assignment pane appears.
- From the Role list, select the roles that are required for the workload:

  Workload: Azure CosmosDB, Azure MariaDB, Azure MySQL, Azure PostgreSQL
  Roles to assign in the Azure portal:
  - Contributor
  - Blob Storage Contributor

  Workload: Azure SQL, Azure SQL Managed Instance
  Roles to assign in the Azure portal:
  - SQL Server Contributor
  - SQL Managed Instance Contributor
  - Blob Storage Contributor

  Workload: Azure VMs, encrypted
  Roles to assign in the Azure portal: Not available yet

  Workload: Azure VMs, unencrypted
  Roles to assign in the Azure portal:
  - Contributor
  - Storage Blob Data Contributor

  Workload: Azure Blob Storage
  Roles to assign in the Azure portal:
  - Storage Blob Data Owner
  - Reader

  Workload: Azure Data Lake Storage Gen2
  Roles to assign in the Azure portal:
  - Storage Blob Data Owner
  - Reader

  Workload: Azure File Storage
  Roles to assign in the Azure portal:
  - Storage Blob Data Contributor
  - A custom role with the permission Microsoft.Storage/storageAccounts/read. For instructions, see Assign an Azure Custom Role for Least Privilege Access to Resources.
  - At the storage account level:
    - Storage Blob Data Contributor
    - Storage File Data Privileged Contributor
- From the Assign access to list, select User, group, or service principal.
- For Members, do the following:
  - Click Select members.
    The Select members blade appears.
  - In the Select box, start typing to select the application that you created in the preceding step.
- Click Save.
- To obtain the tenant ID (which is also the directory ID) from the public Azure cloud, go to Azure Active Directory > Properties > Directory.
- To protect Azure resources with your own storage account, repeat the preceding steps to add the Storage Blob Data Contributor role.
Azure CLI
- Use the following command to assign a role:

  az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "role" --output json --only-show-errors

  Where:
  - Azure_app is the name of your Azure app.
  - Azure_subscription_ID is the ID of your Azure subscription.
  - role is the role to assign.
- Required roles for Azure workloads are as follows:

  Workload: Azure CosmosDB, Azure MariaDB, Azure MySQL, Azure PostgreSQL
  Roles to assign in Azure CLI/Azure PowerShell:
  - Contributor
  - Blob Storage Contributor

  Workload: Azure SQL, Azure SQL Managed Instance
  Roles to assign in Azure CLI/Azure PowerShell:
  - Blob Storage Contributor
  - SQL Managed Instance Contributor
  - SQL Server Contributor

  Workload: Azure VMs, encrypted
  Roles to assign in Azure CLI/Azure PowerShell: Not available yet

  Workload: Azure VMs, unencrypted
  Roles to assign in Azure CLI/Azure PowerShell:
  - Storage Blob Data Contributor

  Workload: Azure Blob Storage
  Roles to assign in Azure CLI/Azure PowerShell:
  - Storage Blob Data Owner
  - At the subscription level: Reader

  Workload: Azure Data Lake Storage Gen2
  Roles to assign in Azure CLI/Azure PowerShell:
  - Storage Blob Data Owner
  - At the subscription level: Reader

  Workload: Azure File Storage
  Roles to assign in Azure CLI/Azure PowerShell:
  - At the storage account level:
    - Storage Blob Data Contributor
    - Storage File Data Privileged Contributor
  - At the subscription level:
    - Microsoft.Storage/storageAccounts/read
    - Storage Account Contributor
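The `az ad sp create-for-rbac` command above binds a single `--role`, while most workloads in the table need two or three roles, some of them at storage-account rather than subscription scope. The script below is an added example, not Commvault's tooling or a command from this page: it plans one `az role assignment create` per role from the table for an already-created service principal, prints the commands for review (dry run by default, `APPLY=1` executes them), checks that each role name resolves to a role definition in the tenant before assigning it, and afterwards compares the roles the principal actually holds against the plan so that leftover or missing assignments show up. The subscription ID, the principal's object ID and the storage account resource ID are placeholders set through environment variables; the custom role with `Microsoft.Storage/storageAccounts/read` is not a built-in role and is left to the custom-role procedure the page references.

```bash
#!/usr/bin/env bash
# Added example, not Commvault's tooling or the page's own commands. Plans and optionally
# applies the per-workload role assignments from the Azure CLI table for an EXISTING
# service principal, then verifies the principal holds exactly those roles.
# Dry run by default (commands are printed); APPLY=1 executes them.
# All IDs below are placeholders, not values from the page.
set -eu

: "${AZURE_SUBSCRIPTION_ID:=00000000-0000-0000-0000-000000000000}"   # placeholder
: "${APP_OBJECT_ID:=11111111-1111-1111-1111-111111111111}"           # placeholder: object ID of the app's service principal
: "${STORAGE_ACCOUNT_ID:=/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/RG_PLACEHOLDER/providers/Microsoft.Storage/storageAccounts/SA_PLACEHOLDER}"
: "${APPLY:=0}"

# Built-in role names per workload, copied from the Azure CLI table. A "sa:" prefix marks a
# role the table scopes to the storage account; all others are assigned on the subscription.
# The custom role carrying Microsoft.Storage/storageAccounts/read (Azure File Storage) is not
# a built-in role and is created separately, so it is not listed here.
roles_for_workload() {
  case "$1" in
    cosmosdb|mariadb|mysql|postgresql)
      printf '%s\n' "Contributor" "Blob Storage Contributor" ;;
    sql|sql-mi)
      printf '%s\n' "Blob Storage Contributor" "SQL Managed Instance Contributor" "SQL Server Contributor" ;;
    vm-unencrypted)
      printf '%s\n' "Storage Blob Data Contributor" ;;
    blob|adls-gen2)
      printf '%s\n' "Storage Blob Data Owner" "Reader" ;;
    files)
      printf '%s\n' "sa:Storage Blob Data Contributor" "sa:Storage File Data Privileged Contributor" "Storage Account Contributor" ;;
    *)
      echo "unknown workload: $1" >&2; return 1 ;;
  esac
}

# Print one `az role assignment create` command per role, at the scope the table prescribes.
plan_assignments() {
  roles_for_workload "$1" | while IFS= read -r role; do
    scope="/subscriptions/${AZURE_SUBSCRIPTION_ID}"
    case "$role" in
      sa:*) role=${role#sa:}; scope=$STORAGE_ACCOUNT_ID ;;
    esac
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s\n' \
      "$APP_OBJECT_ID" "$role" "$scope"
  done
}

# Refuse a role name that does not resolve to a role definition in the tenant, so a
# misspelled built-in name fails up front instead of half-way through the assignments.
role_exists() {
  [ "$(az role definition list --name "$1" --query 'length(@)' -o tsv)" -ge 1 ]
}

# Execute (APPLY=1) or only print (default) the planned commands.
apply_plan() {
  plan_assignments "$1" | while IFS= read -r cmd; do
    if [ "$APPLY" = 1 ]; then
      role=$(printf '%s\n' "$cmd" | sed 's/.*--role "\([^"]*\)".*/\1/')
      role_exists "$role" || { echo "role not found: $role" >&2; exit 1; }
      eval "$cmd"   # cmd is built only from the values constructed above
    else
      printf '[dry-run] %s\n' "$cmd"
    fi
  done
}

# Compare the roles the principal actually holds (any scope) with the plan. Exits non-zero
# on drift, so extra roles left over from earlier attempts are caught, not just missing ones.
verify_assignments() {
  expected=$(roles_for_workload "$1" | sed 's/^sa://' | sort -u)
  actual=$(az role assignment list --assignee "$APP_OBJECT_ID" --all --query '[].roleDefinitionName' -o tsv | sort -u)
  if [ "$expected" = "$actual" ]; then
    echo "OK: principal holds exactly the planned roles"
  else
    echo "DRIFT: expected roles:" >&2; printf '%s\n' "$expected" >&2
    echo "actual roles:" >&2;         printf '%s\n' "$actual" >&2
    return 1
  fi
}

# usage: ./assign-roles.sh <workload>    e.g. APPLY=1 ./assign-roles.sh blob
if [ $# -gt 0 ]; then
  apply_plan "$1"
  if [ "$APPLY" = 1 ]; then verify_assignments "$1"; fi
fi
```

Run it once without `APPLY` to review the exact commands and scopes, then with `APPLY=1` once the Azure CLI is logged in to the target subscription; the final verification is the step worth keeping in any automation, since it is the only one that tells you the principal ended up with the intended role set and nothing broader.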
Azure PowerShell
- Use the following command to assign a role:

  New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'role'

  Where role is the role to assign.
- Required roles for Azure workloads are the same as those listed for Azure CLI above (the table applies to both Azure CLI and Azure PowerShell).