Archera requests minimal roles using a custom JSON file which is downloaded at onboarding time. This JSON file is then uploaded to your Azure account to create a custom IAM role.
The Archera custom role includes:

| Permission | Description |
| --- | --- |
| */read | To read Azure resources |
| Microsoft.Resources/subscriptions/resourceGroups/write | We create a Resource Group inside your Azure Subscription |
| Microsoft.Storage/storageAccounts/write | We create a Storage Account inside your Azure Subscription |
| Microsoft.Storage/storageAccounts/listKeys/action | To list files inside the Storage Account |
| Microsoft.CostManagement/exports/write | We create Cost Exports at Subscription scope(s) |
| Microsoft.CostManagement/exports/read | To read Cost Export definition |
| Microsoft.CostManagement/exports/action | To execute a Cost Export |
| Microsoft.CostManagement/exports/run/action | To execute a Cost Export |
Additionally, using this role, Archera creates minimal resources inside your Azure account to create, store and read your Cost and Usage reports. For example, if your subscription_id = 282781fb-9d9c-43f3-93b9-118b35b38e2c, Archera will create the following resources:
Resource Group - archeraresource282781fb
Storage Account - archerastorage282781fb
Cost Exports - archeraExportDaily282781fb
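
Before uploading the downloaded JSON file, you can compare the actions it grants against the table above and work out the resource names to expect afterwards. The script below is an added example, not Archera's own tooling: the sample role definition is constructed, and the naming rule (first block of the subscription ID) is an assumption inferred from the single example on this page.

```python
import json

# Actions taken from the table on this page.
DOCUMENTED = {
    "*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/run/action",
}

def _ci(obj, key):
    """Case-insensitive key lookup: 'Actions' (az CLI layout) vs 'actions' (ARM layout)."""
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)

def audit_role(role_json):
    """Report actions in the role file that differ from the documented list."""
    role = json.loads(role_json)
    props = _ci(role, "properties") or role
    blocks = _ci(props, "permissions") or [props]
    actions, data_actions = set(), set()
    for block in blocks:
        actions.update(_ci(block, "actions") or [])
        data_actions.update(_ci(block, "dataActions") or [])
    documented = {a.lower() for a in DOCUMENTED}  # Azure action names are case-insensitive
    granted = {a.lower() for a in actions}
    return {
        "unexpected": sorted(a for a in actions if a.lower() not in documented),
        "missing": sorted(a for a in DOCUMENTED if a.lower() not in granted),
        "data_actions": sorted(data_actions),  # none are documented on this page
    }

def expected_names(subscription_id):
    """Assumed rule: each name ends with the first block of the subscription ID."""
    prefix = subscription_id.split("-")[0].lower()
    return {"resource_group": f"archeraresource{prefix}",
            "storage_account": f"archerastorage{prefix}",
            "cost_export": f"archeraExportDaily{prefix}"}

# Constructed sample, not Archera's real file: the documented actions plus one extra.
SAMPLE = json.dumps({
    "Name": "Example Custom Role",
    "Actions": sorted(DOCUMENTED) + ["Microsoft.Authorization/roleAssignments/write"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/282781fb-9d9c-43f3-93b9-118b35b38e2c"],
})

if __name__ == "__main__":
    print(audit_role(SAMPLE))
    print(expected_names("282781fb-9d9c-43f3-93b9-118b35b38e2c"))
```

An empty "unexpected" list means the file grants nothing beyond the table; anything listed there or under "data_actions" is worth questioning before the role is created.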