Reference

Azure Role Definitions

Coiled requires a limited set of Azure permissions to operate in your account.

Resource Group Role

This role grants permission to manage compute, network, and storage resources for your Coiled clusters.

Coiled Resource Group Role Actions
{
  "Name": "Coiled Resource Group Role",
  "IsCustom": true,
  "Description": "Setup and ongoing Coiled permissions required at resource group scope",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Network/*/read",
    "Microsoft.Network/applicationSecurityGroups/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Storage/storageAccounts/managementPolicies/write",
    "Microsoft.Storage/storageAccounts/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/{subscription_id}"]
}

Log Access Role

This role provides access to read and write cluster logs to Azure Storage.

Coiled Log Access Role Actions
{
  "Name": "Coiled Log Access",
  "IsCustom": true,
  "Description": "Role needs resource group scope for setup, then storage account scope for on-going",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/{subscription_id}"]
}
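
The following Python is an added example, not Coiled's own code. It fills in the {subscription_id} placeholder of the Log Access role, narrows AssignableScopes to a single resource group, builds the storage account scope that the role's description names for ongoing use, and flags wildcard and key-listing actions for review. The helper names (scope_for, render_role, review_actions) are hypothetical.

```python
import copy
import re

# Log Access role as given on the page; {subscription_id} is the page's placeholder.
LOG_ACCESS_ROLE = {
    "Name": "Coiled Log Access", "IsCustom": True,
    "Description": "Role needs resource group scope for setup, then storage account scope for on-going",
    "Actions": ["Microsoft.Storage/storageAccounts/read",
                "Microsoft.Storage/storageAccounts/listkeys/action"],
    "NotActions": [], "AssignableScopes": ["/subscriptions/{subscription_id}"],
}
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
RG_NAME = re.compile(r"[\w\-.()]{1,90}(?<!\.)")  # Azure resource group naming rule
SA_NAME = re.compile(r"[a-z0-9]{3,24}")  # Azure storage account naming rule


def scope_for(subscription_id, resource_group=None, storage_account=None):
    """Build an ARM scope string, validating each component before use."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    scope = f"/subscriptions/{subscription_id}"
    if resource_group is None and storage_account is None:
        return scope
    if resource_group is None or not RG_NAME.fullmatch(resource_group):
        raise ValueError("a valid resource group name is required")
    scope += f"/resourceGroups/{resource_group}"
    if storage_account is None:
        return scope
    if not SA_NAME.fullmatch(storage_account):
        raise ValueError("storage account names are 3-24 lowercase letters/digits")
    return f"{scope}/providers/Microsoft.Storage/storageAccounts/{storage_account}"


def render_role(template, subscription_id, resource_group):
    """Copy the template with AssignableScopes narrowed to one resource group."""
    role = copy.deepcopy(template)
    role["AssignableScopes"] = [scope_for(subscription_id, resource_group)]
    return role


def review_actions(role):
    """Flag actions a reviewer should check first."""
    findings = []
    for action in role["Actions"]:
        if action.endswith("/*"):
            findings.append((action, "wildcard"))  # every operation on the type
        elif action.lower().endswith("/listkeys/action"):
            findings.append((action, "key-listing"))  # returns account access keys
    return findings
```

The rendered dictionary can be serialized with json.dumps and passed to az role definition create --role-definition.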