How to use permissions in Azure Spring Apps

Note

Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. Custom roles extend Azure built-in roles with various stock permissions.

We'll implement the following custom roles.

  • Developer role:

    • Deploy
    • Test
    • Restart apps
    • Apply and make changes to app configurations in the Git repository
    • Get log streams
  • DevOps Engineer role:

    • Create, read, update, and delete everything in Azure Spring Apps
  • Ops - Site Reliability Engineering role:

    • Restart apps
    • Get log streams
    • Can't make changes to apps or configurations
  • Azure Pipelines / Jenkins / GitHub Actions role:

    • Perform create, read, update, and delete operations
    • Use Terraform or ARM templates from Azure Pipelines, Jenkins, or GitHub Actions to create and configure everything in Azure Spring Apps and apps within a service instance

Define the Developer role

The Developer role includes permissions to deploy, test, and restart apps and to see their log streams.

  1. In the Azure portal, open the subscription where you want to assign the custom role.

  2. Open Access control (IAM).

  3. Select Add.

  4. Select Add custom role.

  5. Select Next:

    Screenshot that shows the Basics tab of the Create a custom role window.

  6. Select Add permissions:

    Screenshot that shows the Add permissions button.

  7. In the search box, search for Microsoft.app. Select Azure Spring Apps:

    Screenshot of the Azure portal that shows the Add permissions page search results with Azure Spring Apps highlighted.

  8. Select the permissions for the Developer role.

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : List Azure Spring Apps service instance test keys

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Read : Read Azure Spring Apps application
    • Other : Get Azure Spring Apps application resource upload URL

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Read : Read Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Azure Spring Apps application deployment
    • Read : Read Azure Spring Apps application deployment
    • Other : Start Azure Spring Apps application deployment
    • Other : Stop Azure Spring Apps application deployment
    • Other : Restart Azure Spring Apps application deployment
    • Other : Get Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/domains, select:

    • Read : Read Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/certificates, select:

    • Read : Read Azure Spring Apps certificate

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Screenshot of Azure portal that shows the selections for Developer permissions.

  9. Select Add.

  10. Review the permissions.

  11. Select Review and create.

Define the DevOps Engineer role

This procedure defines a role that has permissions to create, read, update, and delete everything in Azure Spring Apps.

  1. Repeat steps 1 through 4 in the procedure for adding the Developer role.

  2. Select the permissions for the DevOps Engineer role:

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Delete : Delete Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : Enable Azure Spring Apps service instance test endpoint
    • Other : Disable Azure Spring Apps service instance test endpoint
    • Other : List Azure Spring Apps service instance test keys
    • Other : Regenerate Azure Spring Apps service instance test key

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Write : Write Azure Spring Apps application
    • Delete : Delete Azure Spring Apps application
    • Read : Read Azure Spring Apps application
    • Other : Get Azure Spring Apps application resource upload URL
    • Other : Validate Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Write : Write Azure Spring Apps application binding
    • Delete : Delete Azure Spring Apps application binding
    • Read : Read Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Azure Spring Apps application deployment
    • Delete : Delete Azure Spring Apps application deployment
    • Read : Read Azure Spring Apps application deployment
    • Other : Start Azure Spring Apps application deployment
    • Other : Stop Azure Spring Apps application deployment
    • Other : Restart Azure Spring Apps application deployment
    • Other : Get Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:

    • Read : List application deployment available skus

    Under Microsoft.AppPlatform/locations, select:

    • Other : Check name availability

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Under Microsoft.AppPlatform/skus, select:

    • Read : List available skus

    Screenshot of Azure portal that shows the selections for DevOps permissions.

  3. Select Add.

  4. Review the permissions.

  5. Select Review and create.

Define the Ops - Site Reliability Engineering role

This procedure defines a role that has permissions to restart apps and get log streams. This role can't make changes to apps or configurations.

  1. Repeat steps 1 through 4 from the procedure for adding the Developer role.

  2. Select the permissions for the Ops - Site Reliability Engineering role:

    Under Microsoft.AppPlatform/Spring, select:

    • Read : Get Azure Spring Apps service instance
    • Other : List Azure Spring Apps service instance test keys

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Read : Read Azure Spring Apps application

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Read : Read Azure Spring Apps application deployment
    • Other : Start Azure Spring Apps application deployment
    • Other : Stop Azure Spring Apps application deployment
    • Other : Restart Azure Spring Apps application deployment

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Screenshot of Azure portal that shows the selections for Ops - Site Reliability Engineering permissions.

  3. Select Add.

  4. Review the permissions.

  5. Select Review and create.
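
The Developer and Ops - Site Reliability Engineering selections above can also be expressed as role-definition JSON and checked for least privilege before they are created. The following is an added example, not part of the original article: the operation names are the Microsoft.AppPlatform resource-provider operations that correspond to the portal labels (confirm them with `az provider operation show --namespace Microsoft.AppPlatform`), and the subscription ID and the `mutating` and `secret_access` checks are assumptions of this example.

```python
import json

P = "Microsoft.AppPlatform"

# Portal selections from this article, written as resource-provider operation names.
DEVELOPER = [
    f"{P}/Spring/write", f"{P}/Spring/read", f"{P}/Spring/listTestKeys/action",
    f"{P}/Spring/apps/read", f"{P}/Spring/apps/getResourceUploadUrl/action",
    f"{P}/Spring/apps/bindings/read",
    f"{P}/Spring/apps/deployments/write", f"{P}/Spring/apps/deployments/read",
    f"{P}/Spring/apps/deployments/start/action",
    f"{P}/Spring/apps/deployments/stop/action",
    f"{P}/Spring/apps/deployments/restart/action",
    f"{P}/Spring/apps/deployments/getLogFileUrl/action",
    f"{P}/Spring/apps/domains/read", f"{P}/Spring/certificates/read",
    f"{P}/locations/operationResults/Spring/read",
    f"{P}/locations/operationStatus/operationId/read",
]
OPS_SRE = [
    f"{P}/Spring/read", f"{P}/Spring/listTestKeys/action",
    f"{P}/Spring/apps/read", f"{P}/Spring/apps/deployments/read",
    f"{P}/Spring/apps/deployments/start/action",
    f"{P}/Spring/apps/deployments/stop/action",
    f"{P}/Spring/apps/deployments/restart/action",
    f"{P}/locations/operationResults/Spring/read",
    f"{P}/locations/operationStatus/operationId/read",
]

def role_definition(name, actions, scope):
    """Build a custom-role document in the shape `az role definition create` accepts."""
    return {"Name": name, "IsCustom": True, "Description": f"{name} (custom role)",
            "Actions": sorted(actions), "NotActions": [],
            "AssignableScopes": [scope]}

def mutating(actions):
    """Actions that change or remove resources, plus wildcards that could hide them."""
    return sorted(a for a in actions
                  if "*" in a or a.lower().endswith(("/write", "/delete")))

def secret_access(actions):
    """Actions that return or rotate test-endpoint keys."""
    return sorted(a for a in actions if "testkey" in a.lower())

if __name__ == "__main__":
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
    ops = role_definition("Ops - Site Reliability Engineering", OPS_SRE, scope)
    print(json.dumps(ops, indent=2))
    print("mutating:", mutating(OPS_SRE), "key access:", secret_access(OPS_SRE))
```

Save the printed JSON to a file and pass it to `az role definition create --role-definition @<file>` to create the role without the portal. The check confirms that the Ops role carries no write or delete operations, and it also surfaces that both roles can list the service instance's test keys.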

Define the Azure Pipelines / Jenkins / GitHub Actions role

This role can create and configure everything in Azure Spring Apps and apps within a service instance. This role is for releasing or deploying code.

  1. Repeat steps 1 through 4 from the procedure for adding the Developer role.

  2. Open the Permissions options.

  3. Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role:

    Under Microsoft.AppPlatform/Spring, select:

    • Write : Create or Update Azure Spring Apps service instance
    • Delete : Delete Azure Spring Apps service instance
    • Read : Get Azure Spring Apps service instance
    • Other : Enable Azure Spring Apps service instance test endpoint
    • Other : Disable Azure Spring Apps service instance test endpoint
    • Other : List Azure Spring Apps service instance test keys
    • Other : Regenerate Azure Spring Apps service instance test key

    Under Microsoft.AppPlatform/Spring/apps, select:

    • Write : Write Azure Spring Apps application
    • Delete : Delete Azure Spring Apps application
    • Read : Read Azure Spring Apps application
    • Other : Get Azure Spring Apps application resource upload URL
    • Other : Validate Azure Spring Apps application custom domain

    Under Microsoft.AppPlatform/Spring/apps/bindings, select:

    • Write : Write Azure Spring Apps application binding
    • Delete : Delete Azure Spring Apps application binding
    • Read : Read Azure Spring Apps application binding

    Under Microsoft.AppPlatform/Spring/apps/deployments, select:

    • Write : Write Azure Spring Apps application deployment
    • Delete : Delete Azure Spring Apps application deployment
    • Read : Read Azure Spring Apps application deployment
    • Other : Start Azure Spring Apps application deployment
    • Other : Stop Azure Spring Apps application deployment
    • Other : Restart Azure Spring Apps application deployment
    • Other : Get Azure Spring Apps application deployment log file URL

    Under Microsoft.AppPlatform/Spring/apps/deployments/skus, select:

    • Read : List application deployment available skus

    Under Microsoft.AppPlatform/locations, select:

    • Other : Check name availability

    Under Microsoft.AppPlatform/locations/operationResults/Spring, select:

    • Read : Read operation result

    Under Microsoft.AppPlatform/locations/operationStatus/operationId, select:

    • Read : Read operation status

    Under Microsoft.AppPlatform/skus, select:

    • Read : List available skus

    Screenshot of Azure portal that shows the selections for Azure Pipelines / Jenkins / GitHub Actions permissions.

  4. Select Add.

  5. Review the permissions.

  6. Select Review and create.

Next steps

For more information about three methods that define custom permissions, see: