Creating Custom Azure Roles with JSON Templates


A set of predefined (built-in) roles is available for assignment within Azure. When none of them matches the rights a principal actually needs, a custom role can be defined in JSON and uploaded with PowerShell.

The first place to start when defining custom roles is to export an existing role using the PowerShell cmdlet Get-AzureRmRoleDefinition. The snippet below writes the built-in Reader role to a file as JSON, which can then be edited into a custom role template.

$rolename = "Reader"
Get-AzureRmRoleDefinition -Name "$($rolename)" | ConvertTo-Json | Out-File "C:\Temp\$($rolename).json"

Many of the built-in role definitions use wildcards to allow operations. A wildcard entry grants every operation that matches it, including operations the resource provider adds after the role was reviewed, which makes explicit and auditable allocation of rights difficult.
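The following is an added example, not code from the original post, that audits role definitions for wildcard entries. It assumes the AzureRM module is loaded and Login-AzureRmAccount has been run; the function name Find-WildcardRoleActions is chosen for this example. It goes slightly beyond the point above by expanding each wildcard against the full operation list, so the current breadth of the grant is visible alongside the entry:

```powershell
# Added example, not code from the original post. Assumes the AzureRM module is
# loaded and Login-AzureRmAccount has already been run in this session.
# Find-WildcardRoleActions is a name chosen for this example.

function Find-WildcardRoleActions {
    param(
        # Audit only custom roles (Get-AzureRmRoleDefinition -Custom); by default
        # built-in roles are included too, since they are what gets copied.
        [switch]$CustomOnly
    )

    $roles = if ($CustomOnly) { Get-AzureRmRoleDefinition -Custom } else { Get-AzureRmRoleDefinition }

    # Fetch the full operation catalogue once; '*' returns every provider's
    # operations. Expansion is then done locally with -like, whose '*' has the
    # same "match anything" meaning as the wildcard in a role definition.
    $allOps = (Get-AzureRmProviderOperation '*').Operation

    foreach ($role in $roles) {
        # NotActions matter too: a wildcard there silently removes rights.
        $entries = @($role.Actions) + @($role.NotActions)
        foreach ($entry in ($entries | Where-Object { $_ -match '\*' })) {
            $matched = @($allOps | Where-Object { $_ -like $entry })
            [pscustomobject]@{
                Role         = $role.Name
                IsCustom     = $role.IsCustom
                Entry        = $entry
                InNotActions = ($role.NotActions -contains $entry)
                # How many concrete operations the wildcard covers today; the
                # provider may add more later and the role will cover them too.
                ExpandsTo    = $matched.Count
            }
        }
    }
}

# Usage: list wildcard entries in custom roles, widest first
# Find-WildcardRoleActions -CustomOnly | Sort-Object ExpandsTo -Descending | Format-Table -AutoSize
```

A role with a high ExpandsTo count for a single entry is the one to rewrite with explicit operations; a non-zero count in NotActions is worth a second look because it is subtracting rights that may not be obvious from the role name.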

The complete list of available operations for a namespace can be retrieved with the cmdlet Get-AzureRmProviderOperation, so each operation can be reviewed individually before it is added to a role.

# Create a list of available operations for a namespace
$roleactions = Get-AzureRMProviderOperation Microsoft.RecoveryServices/*
# Quote each operation and join them with a comma and newline, so there is no trailing comma to remove
$actionlist = ($roleactions.Operation | ForEach-Object { '"' + $_ + '"' }) -join ",`r`n"

The snippet above formats the operations so they can be pasted into the Actions array of a role template.

New templates can be uploaded with PowerShell and the New-AzureRmRoleDefinition cmdlet. If the template was derived from an exported built-in role, remove the Id, set IsCustom to true, give the role a new Name and set AssignableScopes to the subscriptions it may be assigned in before uploading; uploading a definition whose Name already exists fails, and updates go through Set-AzureRmRoleDefinition instead:

New-AzureRmRoleDefinition -InputFile "C:\Temp\Operator.json"
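The procedure above (enumerate a namespace, pick operations, write the JSON, upload it) as one script. This is an added example, not code from the original post; it assumes the AzureRM module is loaded and Login-AzureRmAccount has been run, and the function name New-ExplicitCustomRole, the output path and the subscription id in the usage line are placeholders chosen for the example:

```powershell
# Added example, not code from the original post. Assumes the AzureRM module is
# loaded and Login-AzureRmAccount has been run. New-ExplicitCustomRole and the
# subscription id in the usage line are placeholders for this example.

function New-ExplicitCustomRole {
    param(
        [Parameter(Mandatory = $true)] [string]$Name,
        [Parameter(Mandatory = $true)] [string]$Description,
        # Provider namespace to enumerate, e.g. Microsoft.RecoveryServices
        [Parameter(Mandatory = $true)] [string]$Namespace,
        # Subscription ids that go into AssignableScopes
        [Parameter(Mandatory = $true)] [string[]]$SubscriptionId,
        # -like pattern choosing which of the namespace's operations to keep;
        # the default keeps only read operations
        [string]$Include = '*/read',
        [string]$OutFile = "C:\Temp\$Name.json"
    )

    # Enumerate the namespace as the post does, then keep only the subset wanted.
    # Each entry is a concrete operation, so the role carries no wildcards.
    $ops = Get-AzureRmProviderOperation "$Namespace/*"
    $actions = @($ops.Operation | Where-Object { $_ -like $Include } | Sort-Object -Unique)
    if ($actions.Count -eq 0) {
        throw "No operations under $Namespace match '$Include'"
    }

    # Same shape Get-AzureRmRoleDefinition exports, with the changes a new custom
    # role needs: no Id (Azure assigns one), IsCustom true, explicit scopes.
    $role = [ordered]@{
        Name             = $Name
        IsCustom         = $true
        Description      = $Description
        Actions          = $actions
        NotActions       = @()
        AssignableScopes = @($SubscriptionId | ForEach-Object { "/subscriptions/$_" })
    }
    $role | ConvertTo-Json -Depth 4 | Out-File -Encoding utf8 $OutFile

    # Creating a role whose name already exists fails; updates go through
    # Set-AzureRmRoleDefinition, so stop here and leave the file for review.
    if (Get-AzureRmRoleDefinition -Name $Name) {
        Write-Warning "Role '$Name' already exists; update it with Set-AzureRmRoleDefinition instead. Template left at $OutFile"
        return
    }
    New-AzureRmRoleDefinition -InputFile $OutFile
}

# Usage (replace the subscription id):
# New-ExplicitCustomRole -Name 'Recovery Services Reader' `
#     -Description 'Read-only access to Recovery Services, no wildcards' `
#     -Namespace Microsoft.RecoveryServices -SubscriptionId '00000000-0000-0000-0000-000000000000'
```

The returned object from New-AzureRmRoleDefinition is the role as Azure stored it; comparing its Actions against the file confirms nothing was expanded or dropped, and Get-AzureRmRoleDefinition -Custom lists it afterwards alongside any other custom roles in scope.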