ARM template permissions
To deploy the agent using the ARM template, Azure permissions are required as described in this article. You may require input from your organization's cloud administrator for access and permissions.
The following list summarizes the permissions required:
- Resource Group
  - Contributor or Owner role to create and manage resource groups.
- Virtual Network
  - Network Contributor role to create and manage virtual networks and subnets.
- Key Vault
  - Key Vault Contributor role to create key vaults.
  - Key Vault Secrets User role for the agent's managed identity to list and get secret values.
  - Key Vault Administrator or Key Vault Secrets Officer role for other users to list and edit key vault secrets if the ARM template creates the key vault.
- Managed Identity
  - Managed Identity Contributor role to create and manage managed identities.
- Container App
  - Container App Contributor role to deploy and manage container apps.
- Log Analytics Workspace
  - Log Analytics Contributor role to create and manage log analytics workspaces.
- General Permissions
  - Contributor or Owner role on the subscription to manage overall resources and permissions.
Deploying resources
The ARM template creates or edits several resources, so the deploying user needs roles that can deploy each of these resource types, as well as the role needed to deploy an ARM template. These resources are:

| Resource name | Type |
| --- | --- |
| Virtual Network | Microsoft.Network/virtualNetworks |
| Virtual Network Subnet | Microsoft.Network/virtualNetworks/subnets |
| Container App Environment | Microsoft.App/managedEnvironments |
| Key Vault | Microsoft.KeyVault/vaults |
| Managed Identity | Microsoft.ManagedIdentity/userAssignedIdentities |
| Role Assignment | Microsoft.Authorization/roleAssignments |
| Log Analytics Workspace | Microsoft.OperationalInsights/workspaces |
| Container App | Microsoft.App/containerApps |
To create the necessary resources, you will need the following permissions:
| Action | Description |
| --- | --- |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition. |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network. |
| Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network. |
| Microsoft.KeyVault/vaults/read | Gets the properties of a key vault. |
| Microsoft.KeyVault/vaults/write | Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions. |
Fine-grained permissions
These are the fine-grained permissions required to use the ARM template. They can be added to a custom role that is then assigned to a user to allow them to deploy the template.
For more information, read Azure permissions in the Azure documentation.
Deployments (microsoft.resources/deployments)
| Action | Description |
| --- | --- |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/deployments/delete | Deletes a deployment. |
| Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
| Microsoft.Resources/deployments/validate/action | Validates a deployment. |
| Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
| Microsoft.Resources/deployments/exportTemplate/action | Exports the template for a deployment. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Container app (microsoft.app/containerapps)
| Action | Description |
| --- | --- |
| microsoft.app/containerapps/write | Creates or updates a container app. |
| microsoft.app/containerapps/delete | Deletes a container app. |
| microsoft.app/containerapps/read | Gets a container app. |
| microsoft.app/containerapps/stop/action | Stops a container app. |
| microsoft.app/containerapps/start/action | Starts a container app. |
| microsoft.app/containerapps/revisions/read | Gets a container app revision. |
| microsoft.app/containerapps/revisions/restart/action | Restarts a container app revision. |
| microsoft.app/containerapps/revisions/activate/action | Activates a container app revision. |
| microsoft.app/containerapps/revisions/deactivate/action | Deactivates a container app revision. |
| microsoft.app/containerapps/revisions/replicas/read | Gets a replica of a container app revision. |
Managed environments (microsoft.app/managedenvironments)
| Action | Description |
| --- | --- |
| microsoft.app/managedenvironments/join/action | Allows the user to create a container app in a managed environment. |
| microsoft.app/managedenvironments/read | Gets a managed environment. |
| microsoft.app/managedenvironments/write | Creates or updates a managed environment. |
| microsoft.app/managedenvironments/checknameavailability/action | Checks resource name availability for a managed environment. |
Virtual network (Microsoft.Network/virtualNetworks)

| Action | Description |
| --- | --- |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition. |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network. |
| Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network. |
Key vault (microsoft.keyvault/vaults)
| Action | Description |
| --- | --- |
| Microsoft.KeyVault/vaults/read | Views the properties of a key vault. |
| Microsoft.KeyVault/vaults/write | Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions. |
Managed identity (Microsoft.ManagedIdentity/userAssignedIdentities)
| Action | Description |
| --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | RBAC (role-based access control) action for assigning an existing user-assigned identity to a resource. |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user-assigned identity. |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user-assigned identity or updates the tags associated with an existing user-assigned identity. |
Role assignments (Microsoft.Authorization/roleAssignments)
| Action | Description |
| --- | --- |
| Microsoft.Authorization/roleAssignments/read | Gets information about a role assignment. |
| Microsoft.Authorization/roleAssignments/write | Creates a role assignment at the specified scope. |
Log analytics (Microsoft.OperationalInsights/workspaces)
| Action | Description |
| --- | --- |
| Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer ID of the existing workspace. |
| Microsoft.OperationalInsights/workspaces/read | Gets an existing workspace. |
| Microsoft.OperationalInsights/workspaces/listKeys/action | Retrieves the list keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
Built-in roles
There is an Azure built-in role that enables the user to deploy the template. It grants wider access than the template requires, so you may prefer to create your own custom role with the fine-grained permissions described above. For more information, read Azure built-in roles in the Azure documentation.

| Name | ID | Description |
| --- | --- | --- |
| Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c | Grants full access to manage all resources, but doesn't allow you to assign roles in Azure RBAC (role-based access control), manage assignments in Azure Blueprints, or share image galleries. |
Custom role example
This is an example of a custom role that could be created to reduce the scope of permissions required to deploy the template.
```json
{
  "id": "/subscriptions/d4538124-1936-43b3-87fb-f9ec5e395616/providers/Microsoft.Authorization/roleDefinitions/17098b84-72ad-4308-8d83-f16dca79ef56",
  "properties": {
    "roleName": "Documentation Test Role",
    "description": "Role to test for documentation purposes - to verify that we have all the correct permissions to deploy the ARM template",
    "assignableScopes": [
      "/subscriptions/d4538124-1936-43b3-87fb-f9ec5e395616/resourceGroups/jack-cha-demo"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/deployments/*",
          "microsoft.app/containerapps/write",
          "microsoft.app/containerapps/delete",
          "microsoft.app/containerapps/read",
          "microsoft.app/containerapps/stop/action",
          "microsoft.app/containerapps/start/action",
          "microsoft.app/containerapps/revisions/read",
          "microsoft.app/containerapps/revisions/restart/action",
          "microsoft.app/containerapps/revisions/activate/action",
          "microsoft.app/containerapps/revisions/deactivate/action",
          "microsoft.app/containerapps/revisions/replicas/read",
          "microsoft.app/managedenvironments/join/action",
          "microsoft.app/managedenvironments/read",
          "microsoft.app/managedenvironments/write",
          "microsoft.app/managedenvironments/delete",
          "microsoft.app/managedenvironments/checknameavailability/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.KeyVault/vaults/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/write",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.OperationalInsights/workspaces/write",
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.OperationalInsights/workspaces/listKeys/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
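A least-privilege review of a custom role is easier to do mechanically than by eye. The following Python script is an added example, not part of this page or of the project's ARM template: it encodes the actions from the fine-grained permission tables above and the "actions" list of the custom role example, then reports which required actions the role does not grant and which of the role's actions grant nothing in the required list. Action matching follows Azure RBAC evaluation as this example understands it (names are case-insensitive, `*` matches any run of characters, and a `notActions` match removes what `actions` granted); the `check_role` and `role_grants` functions and the constructed "broad role" used for the notActions case are the example's own. Run against the page's own data it reports two discrepancies: `Microsoft.Network/virtualNetworks/peer/action` appears in the tables but not in the role, and `microsoft.app/managedenvironments/delete` appears in the role but not in the tables.

```python
"""Check an Azure custom role definition against a required-action list.

Added example: the action lists are copied from the page's tables and role
example; the matching rules are this script's reading of Azure RBAC.
"""
import fnmatch
import json

# Actions the page's fine-grained permission tables list as required.
REQUIRED_ACTIONS = """
Microsoft.Resources/deployments/read Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete Microsoft.Resources/deployments/cancel/action
Microsoft.Resources/deployments/validate/action Microsoft.Resources/deployments/whatIf/action
Microsoft.Resources/deployments/exportTemplate/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/operationstatuses/read
microsoft.app/containerapps/write microsoft.app/containerapps/delete
microsoft.app/containerapps/read microsoft.app/containerapps/stop/action
microsoft.app/containerapps/start/action microsoft.app/containerapps/revisions/read
microsoft.app/containerapps/revisions/restart/action
microsoft.app/containerapps/revisions/activate/action
microsoft.app/containerapps/revisions/deactivate/action
microsoft.app/containerapps/revisions/replicas/read
microsoft.app/managedenvironments/join/action microsoft.app/managedenvironments/read
microsoft.app/managedenvironments/write
microsoft.app/managedenvironments/checknameavailability/action
Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/write
Microsoft.Network/virtualNetworks/peer/action
Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/write
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write
Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleAssignments/write
Microsoft.OperationalInsights/workspaces/write Microsoft.OperationalInsights/workspaces/read
Microsoft.OperationalInsights/workspaces/listKeys/action
""".split()

# The "actions" list of the page's custom role example, copied verbatim.
PAGE_CUSTOM_ROLE = {
    "actions": """
Microsoft.Resources/deployments/* microsoft.app/containerapps/write
microsoft.app/containerapps/delete microsoft.app/containerapps/read
microsoft.app/containerapps/stop/action microsoft.app/containerapps/start/action
microsoft.app/containerapps/revisions/read
microsoft.app/containerapps/revisions/restart/action
microsoft.app/containerapps/revisions/activate/action
microsoft.app/containerapps/revisions/deactivate/action
microsoft.app/containerapps/revisions/replicas/read
microsoft.app/managedenvironments/join/action microsoft.app/managedenvironments/read
microsoft.app/managedenvironments/write microsoft.app/managedenvironments/delete
microsoft.app/managedenvironments/checknameavailability/action
Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/write
Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/write
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write
Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleAssignments/write
Microsoft.OperationalInsights/workspaces/write Microsoft.OperationalInsights/workspaces/read
Microsoft.OperationalInsights/workspaces/listKeys/action
""".split(),
    "notActions": [],
}


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive match where '*' in the pattern matches any characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role: dict, action: str) -> bool:
    """A role grants an action if some actions pattern matches it and no notActions pattern does."""
    allowed = any(action_matches(p, action) for p in role.get("actions", []))
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def check_role(role: dict, required: list) -> dict:
    """Report required actions the role lacks, and role actions that cover nothing required."""
    missing = [a for a in required if not role_grants(role, a)]
    unneeded = [p for p in role.get("actions", [])
                if not any(action_matches(p, a) for a in required)]
    return {"missing": missing, "unneeded": unneeded}


if __name__ == "__main__":
    # Constructed broad role (an assumption of this example, not a real built-in definition):
    # '*' grants everything, then notActions takes role-assignment writes back.
    broad_role = {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}
    print(json.dumps(check_role(PAGE_CUSTOM_ROLE, REQUIRED_ACTIONS), indent=2))
    print(json.dumps(check_role(broad_role, REQUIRED_ACTIONS), indent=2))
```

The `unneeded` list is the one to act on first when tightening a role: an action that covers nothing the template needs is pure excess scope. The `missing` list tells you which deployment step will fail with an authorization error before you run the template, which is cheaper than discovering it from a failed deployment.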