Azure IAM Policies
When you run rpk cloud byoc azure apply to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. These permissions let the agent call the Azure API to create and manage cluster resources. They follow the principle of least privilege: the agent's custom role grants only the actions listed on this page, and only within the cluster's own resource groups. Individual Redpanda Cloud users do not need these IAM permissions; they are granted to the agent only.
Azure RBAC (role-based access control) for the agent is scoped to resource groups rather than to the subscription. In the agent's custom role definition, the assignable scopes are the cluster's core, network, and storage resource groups, so the role can be assigned only within them. For example:

```json
"assignableScopes": [
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg",
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-network",
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-storage"
],
"permissions": [
    {
```

The permissions entry continues with the actions and dataActions lists given in the next section.
Azure IAM policies
The custom role assigned to the deployed Redpanda agent of a BYOC Azure cluster grants the following control-plane actions and data actions for the Azure services the cluster uses (resource groups, AKS, virtual networks and subnets, DNS zones, Private Link, public IPs, storage accounts and blob containers, managed identities and federated credentials, role assignments and definitions, and Key Vault). They are shown as the actions and data_actions lists of the Terraform role definition; the comments state why each group of permissions is needed:
```hcl
actions = [
  # Ability to read the resource group
  "Microsoft.Resources/subscriptions/resourcegroups/read",
  # Storage Containers
  "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
  "Microsoft.Storage/storageAccounts/blobServices/containers/read",
  "Microsoft.Storage/storageAccounts/blobServices/containers/write",
  "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
  # Create DNS Zones
  "Microsoft.Network/dnszones/read",
  "Microsoft.Network/dnszones/write",
  "Microsoft.Network/dnszones/delete",
  # Workaround for TF needing to import the zone when it already exists.
  "Microsoft.Network/dnszones/SOA/read",
  # Private link read
  "Microsoft.Network/privatelinkservices/read",
  # The agent needs access to the storage account in order to access the data
  "Microsoft.Storage/storageAccounts/read",
  # Manage AKS Clusters
  "Microsoft.ContainerService/managedClusters/read",
  "Microsoft.ContainerService/managedClusters/delete",
  "Microsoft.ContainerService/managedClusters/write",
  "Microsoft.ContainerService/managedClusters/agentPools/read",
  "Microsoft.ContainerService/managedClusters/agentPools/write",
  "Microsoft.ContainerService/managedClusters/agentPools/delete",
  "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action",
  # Without this, cannot create node pools in the specified AKS cluster
  "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
  # Allows joining to a VNet
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/subnets/join/action",
  "Microsoft.Network/virtualNetworks/subnets/read",
  "Microsoft.Network/virtualNetworks/subnets/write",
  "Microsoft.Network/virtualNetworks/subnets/delete",
  # Allow agent to manage role assignments for the Redpanda cluster
  "Microsoft.Authorization/roleAssignments/read",
  "Microsoft.Authorization/roleAssignments/write",
  "Microsoft.Authorization/roleAssignments/delete",
  # Allow agent to manage role definitions for the Redpanda cluster
  "Microsoft.Authorization/roleDefinitions/write",
  "Microsoft.Authorization/roleDefinitions/read",
  "Microsoft.Authorization/roleDefinitions/delete",
  # Allow agent to manage identities for the Redpanda cluster
  "Microsoft.ManagedIdentity/userAssignedIdentities/read",
  "Microsoft.ManagedIdentity/userAssignedIdentities/write",
  "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
  "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
  # Allow agent to manage tiered storage bucket for the Redpanda cluster
  "Microsoft.Storage/storageAccounts/read",
  "Microsoft.Storage/storageAccounts/write",
  "Microsoft.Storage/storageAccounts/delete",
  "Microsoft.Storage/storageAccounts/blobServices/read",
  "Microsoft.Storage/storageAccounts/blobServices/write",
  # Allow agent to manage public IPs
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Network/publicIPAddresses/write",
  "Microsoft.Network/publicIPAddresses/delete",
  # Creating the RP storage account requires these additional permissions to work around
  # https://github.com/hashicorp/terraform-provider-azurerm/issues/25521
  "Microsoft.Storage/storageAccounts/queueServices/read",
  "Microsoft.Storage/storageAccounts/fileServices/read",
  "Microsoft.Storage/storageAccounts/fileServices/shares/read",
  "Microsoft.Storage/storageAccounts/listkeys/action",
  # Read the keyvault
  "Microsoft.KeyVault/vaults/read"
]

data_actions = [
  # Storage Containers
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
]
```
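The role above is what the agent is granted; the checks a reviewer cares about are that the deployed role stays scoped to the cluster's resource groups, contains no wildcard actions, and has not drifted from the documented list. The following Python is an added example, not Redpanda's own tooling: it parses the documented actions and data_actions lists (an abridged excerpt is embedded) and audits a role definition of the shape returned by az role definition list --custom-role-only true --output json. The subscription ID, the deployed-role sample, and every function name are this example's own constructions.

```python
"""Audit a deployed Azure custom role against the documented agent role.

Added example for this page, not Redpanda's own tooling; all names are the
example's own. DOCUMENTED_ROLE_HCL is an abridged excerpt of the lists shown
above; DEPLOYED_ROLE_JSON is a constructed sample shaped like one element of
`az role definition list --custom-role-only true --output json`."""
from __future__ import annotations
import json
import re
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
CLUSTER_ID = "cqh5itt4650ot3irs5mg"  # cluster ID taken from the page's example scopes

# Abridged excerpt of the documented role, in the Terraform list form shown above.
DOCUMENTED_ROLE_HCL = """
actions = [
  # Ability to read the resource group
  "Microsoft.Resources/subscriptions/resourcegroups/read",
  "Microsoft.ContainerService/managedClusters/read",
  # Allow agent to manage role assignments for the Redpanda cluster
  "Microsoft.Authorization/roleAssignments/read",
  "Microsoft.Authorization/roleAssignments/write",
  "Microsoft.KeyVault/vaults/read"
]
data_actions = [
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
]
"""

# Constructed sample of a deployed role that has drifted: a subscription-wide
# assignable scope, a wildcard action, and a documented action that is missing.
DEPLOYED_ROLE_JSON = json.dumps({
    "assignableScopes": [
        f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-rpcloud-{CLUSTER_ID}",
        f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-rpcloud-{CLUSTER_ID}-network",
        f"/subscriptions/{SUBSCRIPTION_ID}",
    ],
    "permissions": [{
        "actions": [
            "Microsoft.Resources/subscriptions/resourcegroups/read",
            "Microsoft.ContainerService/managedClusters/read",
            "Microsoft.Authorization/roleAssignments/read",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.Network/*",
        ],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        ],
    }],
})

# Only the cluster's own resource groups (core, -network, -storage) are acceptable scopes.
SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/rg-rpcloud-([a-z0-9]+)(-network|-storage)?$")

# Actions that let the holder widen access within its scope: expected in this
# role, but a reviewer should always see them surfaced explicitly.
PRIVILEGE_SENSITIVE = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roledefinitions/write",
    "microsoft.storage/storageaccounts/listkeys/action",
}

def parse_hcl_lists(hcl: str) -> dict[str, set[str]]:
    """Extract `name = [ "..." ]` string lists. Comments are dropped first so that
    commented-out entries do not count; names are lowercased because Azure
    compares action names case-insensitively."""
    code = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    return {name: {s.lower() for s in re.findall(r'"([^"]+)"', body)}
            for name, body in re.findall(r"(\w+)\s*=\s*\[(.*?)\]", code, re.S)}

def audit_role(deployed: dict, documented: dict[str, set[str]],
               subscription_id: str, cluster_id: str) -> list[str]:
    """Return findings; a role matching the page yields only the privilege-sensitive notes."""
    findings = []
    for scope in deployed.get("assignableScopes", []):
        m = SCOPE_RE.match(scope)
        if not m or m.group(1) != subscription_id or m.group(2) != cluster_id:
            findings.append(f"scope not limited to cluster resource groups: {scope}")
    perms = deployed.get("permissions", [])
    have = {"actions": {a.lower() for p in perms for a in p.get("actions", [])},
            "data_actions": {a.lower() for p in perms for a in p.get("dataActions", [])}}
    for kind in ("actions", "data_actions"):
        want = documented.get(kind, set())
        for a in sorted(have[kind]):
            if "*" in a:  # a wildcard grants more than the enumerated list
                findings.append(f"wildcard in {kind}: {a}")
        for a in sorted(have[kind] - want):
            findings.append(f"{kind} not in documented role: {a}")
        for a in sorted(want - have[kind]):
            findings.append(f"documented {kind} missing from deployed role: {a}")
    for a in sorted(have["actions"] & PRIVILEGE_SENSITIVE):
        findings.append(f"note: privilege-sensitive action present: {a}")
    return findings

def run_audit() -> list[str]:
    # Audits the embedded sample; pass real az output to audit_role to use it for real.
    return audit_role(json.loads(DEPLOYED_ROLE_JSON), parse_hcl_lists(DOCUMENTED_ROLE_HCL),
                      SUBSCRIPTION_ID, CLUSTER_ID)
```

To use it against a real cluster, load the element of the az role definition list output whose role name matches the agent's role, paste the full actions and data_actions lists from this page into DOCUMENTED_ROLE_HCL, and pass both to audit_role. The privilege-sensitive notes are expected for this role: roleAssignments/write, roleDefinitions/write and listkeys/action are all in the documented list, and the audit surfaces them so that a reviewer sees that, inside its resource groups, the agent can create role assignments and read storage account keys.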