# Configure IAM Policies: Azure

Redpanda automatically assigns IAM policies to agents at the time they are deployed. The permissions grant that agent access to BYOC clusters in AWS, GCP, or Azure. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access so that Redpanda brokers can communicate with the BYOC clusters.

See also: BYOC architecture

Azure RBAC (role-based access control) is scoped to resource groups. For example, the role definition is limited to the Redpanda cluster's own resource groups (the cluster, network, and storage groups) rather than the whole subscription:

```json
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg",
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-network",
    "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-storage"
  ],
  "permissions": [
    {
```

## Azure IAM policies

The following IAM policies are assigned to deployed Redpanda agents for BYOC Azure clusters, grouped by the Azure services they cover:

```hcl
actions = [
  # Ability to read the resource group
  "Microsoft.Resources/subscriptions/resourcegroups/read",

  # Storage containers
  "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
  "Microsoft.Storage/storageAccounts/blobServices/containers/read",
  "Microsoft.Storage/storageAccounts/blobServices/containers/write",
  "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",

  # Create DNS zones
  "Microsoft.Network/dnszones/read",
  "Microsoft.Network/dnszones/write",
  "Microsoft.Network/dnszones/delete",
  # Workaround for Terraform needing to import the zone when it already exists
  "Microsoft.Network/dnszones/SOA/read",

  # Private Link read
  "Microsoft.Network/privatelinkservices/read",

  # The agent needs access to the storage account in order to access the data
  "Microsoft.Storage/storageAccounts/read",

  # Manage AKS clusters
  "Microsoft.ContainerService/managedClusters/read",
  "Microsoft.ContainerService/managedClusters/delete",
  "Microsoft.ContainerService/managedClusters/write",
  "Microsoft.ContainerService/managedClusters/agentPools/read",
  "Microsoft.ContainerService/managedClusters/agentPools/write",
  "Microsoft.ContainerService/managedClusters/agentPools/delete",
  "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action",
  # Without this, node pools cannot be created in the specified AKS cluster
  "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",

  # Allows joining a VNet
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/subnets/join/action",
  "Microsoft.Network/virtualNetworks/subnets/read",
  "Microsoft.Network/virtualNetworks/subnets/write",
  "Microsoft.Network/virtualNetworks/subnets/delete",

  # Allow the agent to manage role assignments for the Redpanda cluster
  "Microsoft.Authorization/roleAssignments/read",
  "Microsoft.Authorization/roleAssignments/write",
  "Microsoft.Authorization/roleAssignments/delete",

  # Allow the agent to manage role definitions for the Redpanda cluster
  "Microsoft.Authorization/roleDefinitions/write",
  "Microsoft.Authorization/roleDefinitions/read",
  "Microsoft.Authorization/roleDefinitions/delete",

  # Allow the agent to manage identities for the Redpanda cluster
  "Microsoft.ManagedIdentity/userAssignedIdentities/read",
  "Microsoft.ManagedIdentity/userAssignedIdentities/write",
  "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
  "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
  "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",

  # Allow the agent to manage the tiered storage bucket for the Redpanda cluster
  "Microsoft.Storage/storageAccounts/read",
  "Microsoft.Storage/storageAccounts/write",
  "Microsoft.Storage/storageAccounts/delete",
  "Microsoft.Storage/storageAccounts/blobServices/read",
  "Microsoft.Storage/storageAccounts/blobServices/write",

  # Allow the agent to read public IPs
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Network/publicIPAddresses/write",
  "Microsoft.Network/publicIPAddresses/delete",

  # Creating the Redpanda storage account requires these additional permissions to work around
  # https://github.com/hashicorp/terraform-provider-azurerm/issues/25521
  "Microsoft.Storage/storageAccounts/queueServices/read",
  "Microsoft.Storage/storageAccounts/fileServices/read",
  "Microsoft.Storage/storageAccounts/fileServices/shares/read",
  "Microsoft.Storage/storageAccounts/listkeys/action",

  # Read the Key Vault
  "Microsoft.KeyVault/vaults/read"
]

data_actions = [
  # Storage containers
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
]
```
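As an added example (not part of the Redpanda docs or the agent's own tooling), the script below diffs an exported role definition, in the JSON shape returned by `az role definition list`, against the documented action set and the resource-group scope layout shown above, so that privilege drift in the agent's role can be detected. The expected lists are a constructed subset of the actions on this page, and the sample role is constructed to show three kinds of drift: a wildcard action, an undocumented action, and a subscription-wide assignable scope.

```python
import re

# Subset of the actions documented on this page (constructed example; use the full lists for a real audit).
EXPECTED_ACTIONS = {
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.Authorization/roleAssignments/write",
}
EXPECTED_DATA_ACTIONS = {
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
}
# Scopes must be the Redpanda resource groups shown on this page, never a whole subscription.
SCOPE_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/rg-rpcloud-[a-z0-9]+(-network|-storage)?$")

def audit_role(role: dict) -> dict:
    """Diff an exported role definition (JSON shape of `az role definition list`) against the documented set."""
    perms = role.get("permissions", [])
    actions = {a for p in perms for a in p.get("actions", [])}
    data_actions = {a for p in perms for a in p.get("dataActions", [])}
    return {
        "wildcards": sorted(a for a in actions | data_actions if "*" in a),  # far broader than documented
        "extra_actions": sorted(actions - EXPECTED_ACTIONS),
        "missing_actions": sorted(EXPECTED_ACTIONS - actions),
        "extra_data_actions": sorted(data_actions - EXPECTED_DATA_ACTIONS),
        "missing_data_actions": sorted(EXPECTED_DATA_ACTIONS - data_actions),
        "bad_scopes": [s for s in role.get("assignableScopes", []) if not SCOPE_RE.match(s)],
    }

# Constructed sample: a role that has drifted from the documented definition.
SAMPLE_ROLE = {
    "assignableScopes": [
        "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg",
        "/subscriptions/<subscriptionid>",  # subscription-wide: too broad
    ],
    "permissions": [{
        "actions": [
            "Microsoft.Resources/subscriptions/resourcegroups/read",
            "Microsoft.Storage/*",  # wildcard replaced the specific storage actions
            "Microsoft.ContainerService/managedClusters/write",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.Compute/virtualMachines/write",  # not in the documented list
        ],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    }],
}

if __name__ == "__main__":
    for finding, items in audit_role(SAMPLE_ROLE).items():
        print(f"{finding}: {items}")
```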