Set up minimum permissions
The minimum permissions for Cloudera AI on Azure govern access control between the Cloudera AI Workbench, Azure resources, and the Azure storage account.
To set up the minimum permissions, you first create a custom role that contains those permissions, and then assign that role to a credential, called an app registration, in your Azure subscription.
Create the custom role.
The following code example creates a custom role for Cloudera AI and assigns the
minimum permissions needed. The permissions are listed in the
actions
section, so that Cloudera AI can access resources and
operate correctly.
You need to substitute the following values:
[YOUR-SUBSCRIPTION-ID]
: Your subscription ID in use.[YOUR-RESTRICTED-ROLE-NAME]
: The custom role name which is assigned to the application.[YOUR-SINGLE-RESOURCE-GROUP]
: The original resource group name.
{
"properties": {
"roleName": [YOUR-RESTRICTED-ROLE-NAME],
"description": "Custom restricted role for liftie",
"isCustom": true,
"assignableScopes": [
"/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-SINGLE-RESOURCE-GROUP]"
],
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.ContainerService/managedClusters/agentPools/write",
"Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
"Microsoft.ContainerService/managedClusters/agentPools/delete",
"Microsoft.ContainerService/managedClusters/delete",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Insights/diagnosticSettings/write",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}