Docs Cloud Security Authorization Azure IAM Policies Azure IAM Policies When you run rpk cloud byoc azure apply to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the Azure API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users. This page lists the IAM permissions Redpanda needs to create BYOC clusters. This does not pertain to BYOVPC clusters. No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. Azure RBAC (role-based access control) is scoped to resource groups. For example: "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg", "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-network", "/subscriptions/<subscriptionid>/resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-storage" ], "permissions": [ { Azure IAM policies IAM policies are assigned to deployed Redpanda agents for BYOC Azure clusters that use the following Azure services: actions = [ # Ability to read the resource group "Microsoft.Resources/subscriptions/resourcegroups/read", # Storage Containers "Microsoft.Storage/storageAccounts/blobServices/containers/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/containers/write", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", # Create DNS Zones "Microsoft.Network/dnszones/read", "Microsoft.Network/dnszones/write", "Microsoft.Network/dnszones/delete", # Workaround for TF needing to import the zone when it already exists. "Microsoft.Network/dnszones/SOA/read", # Private link read "Microsoft.Network/privatelinkservices/read", # The agent needs access to the storage account in order to access the data "Microsoft.Storage/storageAccounts/read", # Manage AKS Clusters "Microsoft.ContainerService/managedClusters/read", "Microsoft.ContainerService/managedClusters/delete", "Microsoft.ContainerService/managedClusters/write", "Microsoft.ContainerService/managedClusters/agentPools/read", "Microsoft.ContainerService/managedClusters/agentPools/write", "Microsoft.ContainerService/managedClusters/agentPools/delete", "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action", # Without this, cannot create node pools to the specified AKS cluster "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", # Allows joining to a VNet "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write", "Microsoft.Network/virtualNetworks/subnets/delete", # Allow agent to manage role assignments for the Redpanda cluster "Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete", # Allow agent to manage role definitions for the Redpana cluster "Microsoft.Authorization/roleDefinitions/write", "Microsoft.Authorization/roleDefinitions/read", "Microsoft.Authorization/roleDefinitions/delete", # Allow agent to manage identities for the Redpanda cluster "Microsoft.ManagedIdentity/userAssignedIdentities/read", "Microsoft.ManagedIdentity/userAssignedIdentities/write", "Microsoft.ManagedIdentity/userAssignedIdentities/delete", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read", "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write", "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete", # Allow agent to manage tiered storage bucket for the Redpanda cluster "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/delete", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/blobServices/write", # Allow agent to read public IPs "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/publicIPAddresses/write", "Microsoft.Network/publicIPAddresses/delete", # Creating the RP storage account requires these additional permissions to workaround https://github.com/hashicorp/terraform-provider-azurerm/issues/25521 "Microsoft.Storage/storageAccounts/queueServices/read", "Microsoft.Storage/storageAccounts/fileServices/read", "Microsoft.Storage/storageAccounts/fileServices/shares/read", "Microsoft.Storage/storageAccounts/listkeys/action", # Read the keyvault "Microsoft.KeyVault/vaults/read" ] data_actions = [ # Storage Containers "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" ] Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution AWS IAM Policies GCP IAM Policies