| Permission | Description |
| --- | --- |
| Microsoft.Resources/subscriptions/resourcegroups/read | Required. Checks if the cluster resource group exists. |
| Microsoft.Resources/subscriptions/resourcegroups/write<br>Microsoft.Resources/subscriptions/resourcegroups/delete | Required when the cluster resource group is not specified in the advanced configuration. If the cluster resource group is not specified in the advanced configuration, the Secure Agent creates a new resource group named `<cluster-instance-id>-rg` in the subscription. |
| Microsoft.Storage/storageAccounts/read<br>Microsoft.Storage/storageAccounts/write<br>Microsoft.Storage/storageAccounts/listKeys/action | Required. Lists storage account keys and performs storage operations. These actions assume that the staging storage account is within the cluster resource group. |
| Microsoft.Compute/virtualMachineScaleSets/delete<br>Microsoft.Compute/virtualMachineScaleSets/write<br>Microsoft.Compute/virtualMachineScaleSets/read | Required. Discovers and manages the virtual machine scale sets (VMSS) for master and worker nodes. |
| Microsoft.Network/loadBalancers/delete<br>Microsoft.Network/loadBalancers/write<br>Microsoft.Network/loadBalancers/read | Required. Discovers and manages the load balancer used for the API server endpoint. |
| Microsoft.Network/networkSecurityGroups/delete<br>Microsoft.Network/networkSecurityGroups/write<br>Microsoft.Network/networkSecurityGroups/read | Required. Discovers and manages the network security groups created for master and worker nodes. If the network security group (NSG) is attached to a subnet, these permissions override rules specified in the subnet. |
| Microsoft.Network/virtualNetworks/read | Required. Discovers the VNet for a cluster. |
| Microsoft.Network/virtualNetworks/delete<br>Microsoft.Network/virtualNetworks/write | Required when a VNet is not specified in the cluster asset. |
| Microsoft.Network/publicIPAddresses/delete<br>Microsoft.Network/publicIPAddresses/write<br>Microsoft.Network/publicIPAddresses/read<br>Microsoft.Network/publicIPAddresses/join/action | Required. Discovers and manages the public IP address associated with the cluster endpoint. The join action is required to let the load balancer use this public IP address. |
| Microsoft.Network/virtualNetworks/subnets/join/action | Required. Allows master and worker nodes to join a specific subnet. This permission is required for any form of VNet setting. If you use an existing VNet, the scope for this permission must include the resource group that holds the VNet. |
| Microsoft.Network/virtualNetworks/subnets/read | Required if you use an existing VNet. The scope for this permission must include the resource group that holds the VNet. |
| Microsoft.Network/virtualNetworks/subnets/write | Required. Used to create and update a subnet. |
| Microsoft.Network/networkSecurityGroups/join/action | Required. Allows the master and worker nodes to attach a pre-created network security group (NSG). |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Required. Allows the master and worker nodes to be added to the cluster endpoint. Master nodes are added to the cluster endpoint during cluster provisioning. |
| Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read<br>Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read | Required. Used by the Secure Agent to get the IP addresses assigned to the master and worker nodes. The Secure Agent uses these permissions to connect to master nodes over SSH and download the kubeconfig file for a given cluster. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read<br>Microsoft.Compute/virtualMachines/instanceView/read<br>Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read<br>Microsoft.Compute/virtualMachineScaleSets/instanceView/read | Required. Checks the status of the master and worker nodes. |
| Microsoft.Compute/virtualMachineScaleSets/manualupgrade/action | Required when you use the initialization script. Also required to manually update the master and worker nodes to apply a script extension. |
| Microsoft.Authorization/roleAssignments/read<br>Microsoft.Authorization/roleDefinitions/read | Required. Validates the advanced configuration. |
| Microsoft.Compute/virtualMachines/read<br>Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | Required when you use managed identity authentication to connect to a source or target. The Secure Agent uses these permissions to detect the managed identity of the agent and assign that identity to the virtual machine scale sets. |
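The table above is the input a practitioner needs for two things: writing a least-privilege custom role for the Secure Agent instead of handing it Contributor, and checking that an existing role actually covers every required action. The script below is an added example, not Informatica's or Microsoft's code. It encodes the table's always-required actions and its conditionally required groups, emits an Azure custom role definition in the JSON shape `az role definition create` accepts, and evaluates a role's `Actions` / `NotActions` against the required list using Azure RBAC's `*` wildcard semantics. The role name, subscription ID, and the simplified matching model (control-plane actions only; `DataActions` and deny assignments are ignored) are assumptions.

```python
import fnmatch
import json

# Actions the page marks "Required" unconditionally (copied from the table).
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
]

# Actions the page marks as required only in a given deployment mode.
# The group keys are this example's own labels, not terms from the page.
CONDITIONAL_ACTIONS = {
    "create_resource_group": [
        "Microsoft.Resources/subscriptions/resourcegroups/write",
        "Microsoft.Resources/subscriptions/resourcegroups/delete",
    ],
    "create_vnet": [
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/write",
    ],
    "existing_vnet": ["Microsoft.Network/virtualNetworks/subnets/read"],
    "init_script": ["Microsoft.Compute/virtualMachineScaleSets/manualupgrade/action"],
    "managed_identity": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    ],
}


def build_custom_role(name, subscription_id, include_conditional=()):
    """Return a custom role definition granting only the listed actions."""
    actions = list(REQUIRED_ACTIONS)
    for group in include_conditional:
        actions.extend(CONDITIONAL_ACTIONS[group])
    return {
        "Name": name,                     # assumption: caller-chosen role name
        "IsCustom": True,
        "Description": "Least-privilege role for Secure Agent cluster management",
        "Actions": actions,
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        # Assumption: scoped to one subscription; narrow further if possible.
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def _matches(pattern, action):
    # Azure RBAC action matching is case-insensitive and '*' spans '/'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed(role, action):
    """True if Actions grants the action and NotActions does not subtract it."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    denied = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not denied


def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions this role does not effectively grant."""
    return [a for a in required if not allowed(role, a)]


def wildcard_grants(role):
    """Action patterns that grant more than a single literal action."""
    return [p for p in role.get("Actions", []) if "*" in p]


if __name__ == "__main__":
    role = build_custom_role("secure-agent-cluster-placeholder",
                             "00000000-0000-0000-0000-000000000000",
                             include_conditional=("existing_vnet",))
    print(json.dumps(role, indent=2))
```

`missing_actions` answers "will this assignment fail at provisioning time", while `wildcard_grants` flags the opposite problem: a role such as Contributor satisfies every row here only because it grants `*`, which is far more than the agent needs. Remember the table's scope notes: for an existing VNet, the subnet `read` and `join/action` permissions must be assigned at a scope that includes the VNet's resource group, which a single subscription-scoped check like this one cannot verify on its own.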