For least privilege access to Azure resources, you can create a custom Azure role and assign it to the Azure app registration that you use for Commvault Cloud.
Prerequisites
-
If you will use Azure CLI or Azure PowerShell for the steps on this page, use most recent version of the application.
-
Your Azure account must have the following built-in roles:
-
To create the custom role: Role User Access Administrator
-
To assign permissions to the custom role: Role Based Access Control Administrator
-
Download the JSON File and Update It With Your Azure Subscription ID
-
Download the JSON file for the Azure workload that you want to protect and the Azure interface that you want to use:
Workload
Azure Portal JSON (or roles to include in a JSON)
Azure CLI/Azure PowerShell JSON (or roles to include in a JSON)
Azure databases:
-
Azure MariaDB
-
Azure MySQL
-
Azure PostgreSQL
-
Azure SQL
-
Azure SQL Managed Instance
Not available yet
Azure VMs, encrypted
Not available yet
Azure VMs, unencrypted
-
-
Important: In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.
-
Save the file.
Assign the Custom Role
Azure Portal
-
From the All services menu, click the Subscriptions tab, and then select your subscription ID.
-
On the Access Control (IAM) tab, click Add, and then select Add role assignment.
The Add role assignment pane appears.
-
From the Role list, select the custom role.
-
From the Assign access to list, select User, group, or service principal.
-
In the Select box, enter the application name, and then select the application for protecting your Azure workload.
-
Click Save.
Azure CLI
-
Create the custom role:
az role definition create --role-definition .\my_custom_role.json
Where my_custom_role is the name of the JSON file.
-
Assign the custom role to your subscription:
az role assignment create --assignee Azure_app --role my_custom_role --scope /subscriptions/Azure_subscription_ID
Where:
-
Azure_app is the name of your Azure app.
-
my_custom_role is the name of the JSON file.
-
Azure_subscription_ID is the ID of your Azure subscription.
-
Azure PowerShell
-
Ceate the custom role:
New-AzRoleDefinition -InputFile "my_custom_role.json"
Where my_custom_role is the name of the JSON file.
-
Assign the custom role to your subscription:
New-AzRoleAssignment -ObjectId Object_ID -RoleDefinitionName my_custom_role -Scope /subscriptions/Azure_subscription_ID
Where:
-
Object_ID is the ID of the object.
-
my_custom_role is the name of the JSON file.
-
Azure_subscription_ID is the ID of your Azure subscription.
-