Virtual Machine Contributor – Can’t create a VM with PublicIP or Network Security Group

by | Sep 7, 2019 | IT Tips | 0 comments

Just testing the Virtual Machine Contributor role and if you have public IP and Network Security Group selected (things that you would assume would be wanted when creating a VM) you get a Validation failure

?
1
{"code":"InvalidTemplateDeployment","message":"Deployment failed with multiple errors: 'Authorization failed for template resource 'toggen-vm-03-nsg' of type 'Microsoft.Network/networkSecurityGroups'. The client 'james@example.onmicrosoft.com' with object id '255b1f77-a36c-466a-9a88-6546ffb25529' does not have permission to perform action 'Microsoft.Network/networkSecurityGroups/write' at scope '/subscriptions/<SUBSCRIPTION ID>/resourceGroups/Toggen-VM/providers/Microsoft.Network/networkSecurityGroups/toggen-vm-03-nsg'.:Authorization failed for template resource 'toggen-vm-03-ip' of type 'Microsoft.Network/publicIpAddresses'. The client 'james@example.onmicrosoft.com' with object id '255b1f77-a36c-466a-9a88-6546ffb25529' does not have permission to perform action 'Microsoft.Network/publicIpAddresses/write' at scope '/subscriptions/<SUBSCRIPTION ID>/resourceGroups/Toggen-VM/providers/Microsoft.Network/publicIpAddresses/toggen-vm-03-ip'.'"}

So it looks like you need to add permissions or a custom role of:

Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/publicIpAddresses/write

?
1
Get-AzRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File "VirtualMachineContributor.json"

Above we get a default defintion of the Virtual Machine Contributor from Azure using power shell or using az-cli

?
1
az role definition list -n "Virtual Machine Contributor"

Add the read and write options for NSG and Public IP's, remove the "Id" property, change "IsCustom" to true and change assignable scope from / to your subscription Id.

Then load it to Azure

?
1
New-AzRoleDefinition -InputFile ./VirtualMachineContributorCustom.json
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
{
  "Name": "Toggen Virtual Machine Contributor",
  "IsCustom": true,
  "Description": "Lets you manage virtual machines, Including adding PublicIP and NetworkSecurityGroups but not access to them, and not the virtual network or storage account they're connected to.",
  "Actions": [
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/publicIpAddresses/write",
    "Microsoft.Network/publicIpAddresses/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.DevTestLab/schedules/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
    "Microsoft.Network/loadBalancers/probes/join/action",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/locations/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.RecoveryServices/locations/*",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
    "Microsoft.RecoveryServices/Vaults/read",
    "Microsoft.RecoveryServices/Vaults/usages/read",
    "Microsoft.RecoveryServices/Vaults/write",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.SqlVirtualMachine/*",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/716afb31-54e7-4e43-8c36-e29336b31ec3"
  ]
}

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.