How to use permissions in Azure Spring Apps
Note
Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. Custom roles extend Azure built-in roles with various stock permissions.
We'll implement the following custom roles.
Developer role:
- Deploy
- Test
- Restart apps
- Apply and make changes to app configurations in the Git repository
- Get log streams
DevOps Engineer role:
- Create, read, update, and delete everything in Azure Spring Apps
Ops - Site Reliability Engineering role:
- Restart apps
- Get log streams
- Can't make changes to apps or configurations
Azure Pipelines / Jenkins / GitHub Actions role:
- Perform create, read, update, and delete operations
- Use Terraform or ARM templates from Azure Pipelines, Jenkins, or GitHub Actions to create and configure everything in Azure Spring Apps and the apps within a service instance
Define the Developer role
The Developer role includes permissions to restart apps and see their log streams. This role can't make changes to apps or configurations.
In the Azure portal, open the subscription where you want to assign the custom role.
Open Access control (IAM).
Select Add.
Select Add custom role.
Select Next.
Select Add permissions.
In the search box, search for Microsoft.app. Select Azure Spring Apps.
Select the permissions for the Developer role.
Under Microsoft.AppPlatform/Spring, select:
- Write : Create or Update Azure Spring Apps service instance
- Read : Get Azure Spring Apps service instance
- Other : List Azure Spring Apps service instance test keys
Under Microsoft.AppPlatform/Spring/apps, select:
- Read : Read Azure Spring Apps application
- Other : Get Azure Spring Apps application resource upload URL
Under Microsoft.AppPlatform/Spring/apps/bindings, select:
- Read : Read Azure Spring Apps application binding
Under Microsoft.AppPlatform/Spring/apps/deployments, select:
- Write : Write Azure Spring Apps application deployment
- Read : Read Azure Spring Apps application deployment
- Other : Start Azure Spring Apps application deployment
- Other : Stop Azure Spring Apps application deployment
- Other : Restart Azure Spring Apps application deployment
- Other : Get Azure Spring Apps application deployment log file URL
Under Microsoft.AppPlatform/Spring/apps/domains, select:
- Read : Read Azure Spring Apps application custom domain
Under Microsoft.AppPlatform/Spring/certificates, select:
- Read : Read Azure Spring Apps certificate
Under Microsoft.AppPlatform/locations/operationResults/Spring, select:
- Read : Read operation result
Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:
- Read : Read operation status
Select Add.
Review the permissions.
Select Review and create.
Define the DevOps Engineer role
This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps.
Repeat steps 1 through 4 in the procedure for adding the Developer role.
Select the permissions for the DevOps Engineer role:
Under Microsoft.AppPlatform/Spring, select:
- Write : Create or Update Azure Spring Apps service instance
- Delete : Delete Azure Spring Apps service instance
- Read : Get Azure Spring Apps service instance
- Other : Enable Azure Spring Apps service instance test endpoint
- Other : Disable Azure Spring Apps service instance test endpoint
- Other : List Azure Spring Apps service instance test keys
- Other : Regenerate Azure Spring Apps service instance test key
Under Microsoft.AppPlatform/Spring/apps, select:
- Write : Write Azure Spring Apps application
- Delete : Delete Azure Spring Apps application
- Read : Read Azure Spring Apps application
- Other : Get Azure Spring Apps application resource upload URL
- Other : Validate Azure Spring Apps application custom domain
Under Microsoft.AppPlatform/Spring/apps/bindings, select:
- Write : Write Azure Spring Apps application binding
- Delete : Delete Azure Spring Apps application binding
- Read : Read Azure Spring Apps application binding
Under Microsoft.AppPlatform/Spring/apps/deployments, select:
- Write : Write Azure Spring Apps application deployment
- Delete : Delete Azure Spring Apps application deployment
- Read : Read Azure Spring Apps application deployment
- Other : Start Azure Spring Apps application deployment
- Other : Stop Azure Spring Apps application deployment
- Other : Restart Azure Spring Apps application deployment
- Other : Get Azure Spring Apps application deployment log file URL
Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:
- Read : List application deployment available skus
Under Microsoft.AppPlatform/locations, select:
- Other : Check name availability
Under Microsoft.AppPlatform/locations/operationResults/Spring, select:
- Read : Read operation result
Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:
- Read : Read operation status
Under Microsoft.AppPlatform/skus, select:
- Read : List available skus
Select Add.
Review the permissions.
Select Review and create.
Define the Ops - Site Reliability Engineering role
This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps.
Repeat steps 1 through 4 from the procedure for adding the Developer role.
Select the permissions for the Ops - Site Reliability Engineering role:
Under Microsoft.AppPlatform/Spring, select:
- Read : Get Azure Spring Apps service instance
- Other : List Azure Spring Apps service instance test keys
Under Microsoft.AppPlatform/Spring/apps, select:
- Read : Read Azure Spring Apps application
Under Microsoft.AppPlatform/Spring/apps/deployments, select:
- Read : Read Azure Spring Apps application deployment
- Other : Start Azure Spring Apps application deployment
- Other : Stop Azure Spring Apps application deployment
- Other : Restart Azure Spring Apps application deployment
Under Microsoft.AppPlatform/locations/operationResults/Spring, select:
- Read : Read operation result
Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:
- Read : Read operation status
Select Add.
Review the permissions.
Select Review and create.
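The portal selections above can also be kept as a reviewed action list. The following added example (not Microsoft's code) goes slightly beyond the page: it lints the Ops - Site Reliability Engineering action list for write, delete, wildcard, and key-exposing operations, and builds the JSON document for `az role definition create`. The action strings are assumptions derived from the resource types on this page and the ARM operation naming convention, and the subscription scope is a placeholder.

```python
import json

# Action strings are assumptions: the page's resource types plus the ARM
# operation suffixes (read, write, delete, <name>/action). Confirm them with
# `az provider operation show --namespace Microsoft.AppPlatform` before use.
P = "Microsoft.AppPlatform"
SRE_ACTIONS = [
    f"{P}/Spring/read",
    f"{P}/Spring/listTestKeys/action",
    f"{P}/Spring/apps/read",
    f"{P}/Spring/apps/deployments/read",
    f"{P}/Spring/apps/deployments/start/action",
    f"{P}/Spring/apps/deployments/stop/action",
    f"{P}/Spring/apps/deployments/restart/action",
    f"{P}/locations/operationResults/Spring/read",
    f"{P}/locations/operationStatus/operationId/read",
]
# Constructed "drifted" copy: a later edit added deployment write and a wildcard.
DRIFTED_SRE_ACTIONS = SRE_ACTIONS + [
    f"{P}/Spring/apps/deployments/write",
    f"{P}/Spring/apps/*",
]
SECRET_OPS = ("listtestkeys", "regeneratetestkey")  # expose test endpoint keys


def audit(actions):
    """Classify actions a reviewer should question in a restart-only role."""
    findings = {"mutating": [], "wildcard": [], "secret": []}
    for action in actions:
        parts = action.lower().split("/")
        if "*" in action:
            findings["wildcard"].append(action)
        elif parts[-1] in ("write", "delete"):
            findings["mutating"].append(action)
        if parts[-1] == "action" and parts[-2] in SECRET_OPS:
            findings["secret"].append(action)
    return findings


def role_definition(name, description, actions, scope):
    """Build the JSON document accepted by `az role definition create`."""
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": sorted(set(actions)), "NotActions": [],
            "AssignableScopes": [scope]}


if __name__ == "__main__":
    print(json.dumps(audit(DRIFTED_SRE_ACTIONS), indent=2))
```

The role as listed on this page has no mutating or wildcard findings, but it does include the action that lists test keys, so anyone holding the role can read the test endpoint credentials.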
Define the Azure Pipelines / Jenkins / GitHub Actions role
This role can create and configure everything in Azure Spring Apps and apps within a service instance. This role is for releasing or deploying code.
Repeat steps 1 through 4 from the procedure for adding the Developer role.
Open the Permissions options.
Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role:
Under Microsoft.AppPlatform/Spring, select:
- Write : Create or Update Azure Spring Apps service instance
- Delete : Delete Azure Spring Apps service instance
- Read : Get Azure Spring Apps service instance
- Other : Enable Azure Spring Apps service instance test endpoint
- Other : Disable Azure Spring Apps service instance test endpoint
- Other : List Azure Spring Apps service instance test keys
- Other : Regenerate Azure Spring Apps service instance test key
Under Microsoft.AppPlatform/Spring/apps, select:
- Write : Write Azure Spring Apps application
- Delete : Delete Azure Spring Apps application
- Read : Read Azure Spring Apps application
- Other : Get Azure Spring Apps application resource upload URL
- Other : Validate Azure Spring Apps application custom domain
Under Microsoft.AppPlatform/Spring/apps/bindings, select:
- Write : Write Azure Spring Apps application binding
- Delete : Delete Azure Spring Apps application binding
- Read : Read Azure Spring Apps application binding
Under Microsoft.AppPlatform/Spring/apps/deployments, select:
- Write : Write Azure Spring Apps application deployment
- Delete : Delete Azure Spring Apps application deployment
- Read : Read Azure Spring Apps application deployment
- Other : Start Azure Spring Apps application deployment
- Other : Stop Azure Spring Apps application deployment
- Other : Restart Azure Spring Apps application deployment
- Other : Get Azure Spring Apps application deployment log file URL
Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:
- Read : List application deployment available skus
Under Microsoft.AppPlatform/locations, select:
- Other : Check name availability
Under Microsoft.AppPlatform/locations/operationResults/Spring, select:
- Read : Read operation result
Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:
- Read : Read operation status
Under Microsoft.AppPlatform/skus, select:
- Read : List available skus
Select Add.
Review the permissions.
Select Review and create.
Next steps
For more information about three methods that define custom permissions, see: