Setting up minimum permissions

You learn how to configure the minimum permissions required for Cloudera Data Warehouse (CDW) on Azure environments. The minimum permissions govern access control between CDW, Azure resources, and the Azure storage account.

  1. Write code for a custom role that contains the minimum permissions required for CDW on Azure.
  2. In the properties section of your subscription code, change variables into actual values.
    For example, make the following substitutions to the sample code shown below:
    • [YOUR-SUBSCRIPTION-ID]: Your subscription ID in use.
    • [YOUR-RESTRICTED-ROLE-NAME]: The custom role name which is assigned to the application.
    • [YOUR-SINGLE-RESOURCE-GROUP]: The original resource group name.
  3. Insert the code for the custom role into the actions section of your subscription.
    The following sample code shows the properties and actions sections you need to add to your subscription:
    {
       "properties": {
           "roleName": "[YOUR-RESTRICTED-ROLE-NAME]",
           "description": "Additional permissions to activate CDW clusters.",
           "assignableScopes": [
      	 "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-SINGLE-RESOURCE-GROUP]"
           ],
           "permissions": [
               {
                   "actions": [
                       "Microsoft.Resources/deployments/cancel/action",
                       "Microsoft.Resources/deployments/validate/action",
                       "Microsoft.ContainerService/managedClusters/write",
                       "Microsoft.ContainerService/managedClusters/agentPools/write",
                       "Microsoft.ContainerService/managedClusters/read",
                       "Microsoft.ContainerService/managedClusters/agentPools/read",
                       "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                       "Microsoft.ContainerService/managedClusters/delete",
                       "Microsoft.ContainerService/managedClusters/rotateClusterCertificates/action",
                       "Microsoft.DBforPostgreSQL/flexibleServers/read",
                       "Microsoft.DBforPostgreSQL/flexibleServers/write",
                       "Microsoft.DBforPostgreSQL/flexibleServers/delete",
                       "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write",
                       "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
                       "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete",
                       "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read",
                       "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write",
                       "Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
                       "Microsoft.DBforPostgreSQL/flexibleServers/databases/write",
                       "Microsoft.DBforPostgreSQL/flexibleServers/databases/delete",
                       "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write",
                       "Microsoft.DBforPostgreSQL/servers/databases/write",
                       "Microsoft.Network/privateDnsZones/A/read",
                       "Microsoft.Network/privateDnsZones/A/write",
                       "Microsoft.Network/privateDnsZones/A/delete",
                       "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
                       "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                       "Microsoft.Network/routeTables/read",
                       "Microsoft.Network/routeTables/write",
                       "Microsoft.Network/routeTables/routes/read",
                       "Microsoft.Network/routeTables/routes/write"
                   ],
                   "notActions": [],
                   "dataActions": [],
                   "notDataActions": []
               }
           ]
       }
    }