Apply Azure Role-Based Access Control (RBAC) to an Aviatrix Azure Account

The Aviatrix Controller is viewed as an application running on Azure. Since this application needs to create or program Azure resources, such as launching a gateway, modifying route entries in a route table, etc., the application requires a role with certain permissions. By default, this role is a pre-defined Azure built-in role called "Contributor."

If you do not wish to use the Contributor role and instead want to create a custom role with the Aviatrix-provided permissions, you can do so via the Azure portal or via PowerShell. Below is a guide on how to accomplish that via PowerShell.

For security purposes, Aviatrix recommends you use a custom role rather than the default role Aviatrix created. When you use a custom role name, it is important to make sure the AssumeRole policy and Trust policy are correct. The AssumeRole policy is attached to the Azure Virtual Machine role, and the Trust policy is accessed on the APP role Trust Relationship tab.

To replace the Contributor role via the Azure portal, refer to Azure IAM Custom Role.

Step 1. Add a Custom Role through PowerShell

The custom role must have permissions that meet the requirements for the Aviatrix Controller to function. The permissions are represented by the JSON file below.

Remember to replace the subscription ID "11111111-1111-1111-1111-111111111111" with your own valid subscription ID.

avx_rbac_role.json:

{
  "Name": "Aviatrix Controller Custom Role",
  "IsCustom": true,
  "Description": "Custom role for Aviatrix Controller",
  "Actions": [
      "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*",
      "Microsoft.Compute/*/read",
      "Microsoft.Compute/availabilitySets/*",
      "Microsoft.Compute/virtualMachines/*",
      "Microsoft.Compute/disks/*",
      "Microsoft.Network/*/read",
      "Microsoft.Network/publicIPAddresses/*",
      "Microsoft.Network/networkInterfaces/*",
      "Microsoft.Network/networkSecurityGroups/*",
      "Microsoft.Network/loadBalancers/*",
      "Microsoft.Network/routeTables/*",
      "Microsoft.Network/virtualNetworks/*",
      "Microsoft.Storage/storageAccounts/*",
      "Microsoft.Resources/*/read",
      "Microsoft.Resourcehealth/healthevent/*",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/tags/*",
      "Microsoft.Resources/marketplace/purchase/action",
      "Microsoft.Resources/subscriptions/resourceGroups/*",
      "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
      "Microsoft.ContainerService/managedClusters/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
      "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

In PowerShell, perform the following:

  1. Edit avx_rbac_role.json, copy and paste the Aviatrix RBAC role above, and save the file.

  2. New-AzRoleDefinition -InputFile avx_rbac_role.json

The Microsoft.ContainerService lines in the JSON example above allow the Aviatrix Controller to connect to your Kubernetes clusters.

Step 2. Add a Role Assignment in the Azure Portal

In the Azure portal, go to Subscriptions > Access Control (IAM) > Add > Add role assignment.

At Role assignment, fill in the fields as shown below.

  Role: Aviatrix Controller Custom Role (this is the role created above)

  Assign access to: User, group, or service principal

  Select: My-new-controller (this is the registered application name for the Controller)

Once the above step is complete, you have assigned My-new-controller (as a service principal) the custom role called "Aviatrix Controller Custom Role."
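Both steps above carried out from PowerShell, as an added example that is not part of the Aviatrix documentation: it validates avx_rbac_role.json before creating the role, grants the role to the Controller's service principal with New-AzRoleAssignment instead of the portal, and flags any Contributor assignment the principal still holds. It assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has already been run against the target subscription.

```powershell
# Added example, not Aviatrix's own script. Assumes Az.Accounts/Az.Resources and an
# existing Connect-AzAccount session whose context is the target subscription.
$RoleFile = ".\avx_rbac_role.json"
$AppName  = "My-new-controller"                # registered application name for the Controller
$RoleName = "Aviatrix Controller Custom Role"  # the "Name" field in avx_rbac_role.json

# Validate the JSON locally first: a missing comma or the 1111... placeholder left in
# AssignableScopes is the usual reason New-AzRoleDefinition is rejected.
$role = Get-Content -Raw -Path $RoleFile | ConvertFrom-Json
$subscriptionId = (Get-AzContext).Subscription.Id
$expectedScope  = "/subscriptions/$subscriptionId"
if ($role.AssignableScopes -notcontains $expectedScope) {
    throw "AssignableScopes must include $expectedScope (replace the placeholder subscription ID)."
}

# Step 1: create the role definition unless one with this name already exists.
$roleDef = Get-AzRoleDefinition -Name $RoleName
if ($null -eq $roleDef) {
    $roleDef = New-AzRoleDefinition -InputFile $RoleFile
} else {
    Write-Warning "Role '$RoleName' already exists; reusing it (edit it with Set-AzRoleDefinition if the JSON changed)."
}

# Step 2: assign the role to the Controller's service principal at subscription scope.
# The assignment uses the principal's object ID, not the application (client) ID.
$sp = Get-AzADServicePrincipal -DisplayName $AppName
if ($null -eq $sp) {
    throw "No service principal named '$AppName'; register the Controller application first."
}
$assignment = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $expectedScope
if ($null -eq $assignment) {
    $assignment = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $expectedScope
}

# The custom role is meant to replace Contributor, so report any Contributor assignment
# still held by the same principal; leaving it in place makes the narrower role moot.
$leftover = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.RoleDefinitionName -eq "Contributor" }
if ($leftover) {
    Write-Warning "Principal still holds Contributor at: $($leftover.Scope -join ', ')"
}

[pscustomobject]@{
    Role      = $roleDef.Name
    Principal = $sp.DisplayName
    Scope     = $assignment.Scope
}
```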

For more information on how to use PowerShell to create a custom role on Azure, refer to this link.