kubernetes-sigs · wcrum · Jun 20, 2025
diff --git a/docs/book/src/topics/aks-dynamic-placement/rg_sub_role.json b/docs/book/src/topics/aks-dynamic-placement/rg_sub_role.json
diff --git a/docs/book/src/topics/aks-dynamic-placement/sub_role.json b/docs/book/src/topics/aks-dynamic-placement/sub_role.json
@@ -0,0 +1,32 @@
+{
+  "Name": "Dynamic Placement AKS Cluster Deployer (sub)",
+  "IsCustom": true,
+  "Description": "Can use to deploy AKS clusters using dynamic placement. This role has the permissions required at the subscription scope level.",
+  "Actions": [
+    "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/extensions/roles/read",
+    "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
+    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
+    "Microsoft.Compute/virtualMachineScaleSets/osUpgradeHistory/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/diagnosticSettings/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/logDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/metricDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
+    "Microsoft.Compute/virtualMachineScaleSets/read",
+    "Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read",
+    "Microsoft.Compute/virtualMachineScaleSets/skus/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/providers/Microsoft.Insights/metricDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommands/read",
+    "Microsoft.Compute/virtualMachineScaleSets/vmSizes/read"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/aks-static-placement/rg_sub_role.json b/docs/book/src/topics/aks-static-placement/rg_sub_role.json
diff --git a/docs/book/src/topics/aks-static-placement/sub_role.json b/docs/book/src/topics/aks-static-placement/sub_role.json
@@ -0,0 +1,32 @@
+{
+  "Name": "Static Placement AKS Cluster Deployer (sub)",
+  "IsCustom": true,
+  "Description": "Can use CAPZ to deploy AKS clusters using static placement. This role contains the permissions that must be applied at the subscription scope level.",
+  "Actions": [
+    "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/extensions/roles/read",
+    "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
+    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
+    "Microsoft.Compute/virtualMachineScaleSets/osUpgradeHistory/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/diagnosticSettings/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/logDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/metricDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
+    "Microsoft.Compute/virtualMachineScaleSets/read",
+    "Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read",
+    "Microsoft.Compute/virtualMachineScaleSets/skus/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/providers/Microsoft.Insights/metricDefinitions/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
+    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommands/read",
+    "Microsoft.Compute/virtualMachineScaleSets/vmSizes/read"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/aks-static-placement/vnet_role.json b/docs/book/src/topics/aks-static-placement/vnet_role.json
@@ -0,0 +1,14 @@
+{
+  "Name": "Static Placement AKS Cluster Deployer (vnet)",
+  "IsCustom": true,
+  "Description": "Can use CAPZ to deploy AKS clusters using static placement. This role contains the permissions that must be applied at the virtual network scope level.",
+  "Actions": [
+    "Microsoft.Network/virtualNetworks/read",
+    "Microsoft.Network/virtualNetworks/subnets/join/action",
+    "Microsoft.Network/virtualNetworks/subnets/read"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/iaas-dynamic-placement/rg_sub_role.json b/docs/book/src/topics/iaas-dynamic-placement/rg_sub_role.json
@@ -0,0 +1,82 @@
+{
+  "Name": "Dynamic Placement IaaS Cluster Deployer (rg/sub)",
+  "IsCustom": true,
+  "Description": "Can use to deploy IaaS clusters using dynamic placement. This role contains the permissions that must be applied at the resource group scope level. If deploying multiple clusters in a variety of resource groups within a subscription, apply the role with the subscription as scope instead of the resource group as scope.",
+  "Actions": [
+    "Microsoft.Compute/disks/delete",
+    "Microsoft.Compute/disks/read",
+    "Microsoft.Compute/disks/write",
+    "Microsoft.Compute/galleries/images/read",
+    "Microsoft.Compute/galleries/images/versions/read",
+    "Microsoft.Compute/galleries/images/versions/write",
+    "Microsoft.Compute/galleries/images/write",
+    "Microsoft.Compute/galleries/read",
+    "Microsoft.Compute/galleries/write",
+    "Microsoft.Compute/images/read",
+    "Microsoft.Compute/images/write",
+    "Microsoft.Compute/virtualMachines/delete",
+    "Microsoft.Compute/virtualMachines/extensions/delete",
+    "Microsoft.Compute/virtualMachines/extensions/read",
+    "Microsoft.Compute/virtualMachines/extensions/write",
+    "Microsoft.Compute/virtualMachines/read",
+    "Microsoft.Compute/virtualMachines/write",
+    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
+    "Microsoft.Network/loadBalancers/delete",
+    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
+    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
+    "Microsoft.Network/loadBalancers/inboundNatRules/read",
+    "Microsoft.Network/loadBalancers/inboundNatRules/write",
+    "Microsoft.Network/loadBalancers/read",
+    "Microsoft.Network/loadBalancers/write",
+    "Microsoft.Network/networkInterfaces/delete",
+    "Microsoft.Network/networkInterfaces/join/action",
+    "Microsoft.Network/networkInterfaces/read",
+    "Microsoft.Network/networkInterfaces/write",
+    "Microsoft.Network/networkSecurityGroups/read",
+    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
+    "Microsoft.Network/networkSecurityGroups/securityRules/read",
+    "Microsoft.Network/networkSecurityGroups/securityRules/write",
+    "Microsoft.Network/privateDnsZones/A/delete",
+    "Microsoft.Network/privateDnsZones/A/read",
+    "Microsoft.Network/privateDnsZones/A/write",
+    "Microsoft.Network/privateDnsZones/delete",
+    "Microsoft.Network/privateDnsZones/read",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
+    "Microsoft.Network/privateDnsZones/write",
+    "Microsoft.Network/publicIPAddresses/delete",
+    "Microsoft.Network/publicIPAddresses/join/action",
+    "Microsoft.Network/publicIPAddresses/read",
+    "Microsoft.Network/publicIPAddresses/write",
+    "Microsoft.Network/routeTables/delete",
+    "Microsoft.Network/routeTables/read",
+    "Microsoft.Network/routeTables/write",
+    "Microsoft.Network/virtualNetworks/delete",
+    "Microsoft.Network/virtualNetworks/join/action",
+    "Microsoft.Network/virtualNetworks/join/action",
+    "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
+    "Microsoft.Network/virtualNetworks/peer/action",
+    "Microsoft.Network/virtualNetworks/read",
+    "Microsoft.Network/virtualNetworks/subnets/delete",
+    "Microsoft.Network/virtualNetworks/subnets/join/action",
+    "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action",
+    "Microsoft.Network/virtualNetworks/subnets/read",
+    "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
+    "Microsoft.Network/virtualNetworks/subnets/write",
+    "Microsoft.Network/virtualNetworks/virtualMachines/read",
+    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
+    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
+    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
+    "Microsoft.Network/virtualNetworks/write",
+    "Microsoft.Resources/subscriptions/resourceGroups/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+    "Microsoft.Storage/storageAccounts/read",
+    "Microsoft.Storage/storageAccounts/write"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/iaas-static-placement/rg_sub_role.json b/docs/book/src/topics/iaas-static-placement/rg_sub_role.json
@@ -0,0 +1,54 @@
+{
+  "Name": "Static Placement IaaS Cluster Deployer (rg/sub)",
+  "IsCustom": true,
+  "Description": "Can use CAPZ to deploy IaaS clusters using static placement. This role contains the permissions that must be applied at the resource group scope level. If deploying multiple clusters in a variety of resource groups within a subscription, apply the role with the subscription as scope instead of the resource group as scope.",
+  "Actions": [
+    "Microsoft.Compute/availabilitySets/delete",
+    "Microsoft.Compute/availabilitySets/read",
+    "Microsoft.Compute/availabilitySets/write",
+    "Microsoft.Compute/disks/delete",
+    "Microsoft.Compute/disks/read",
+    "Microsoft.Compute/disks/write",
+    "Microsoft.Compute/galleries/images/read",
+    "Microsoft.Compute/galleries/images/versions/read",
+    "Microsoft.Compute/galleries/images/versions/write",
+    "Microsoft.Compute/galleries/images/write",
+    "Microsoft.Compute/galleries/read",
+    "Microsoft.Compute/galleries/write",
+    "Microsoft.Compute/images/read",
+    "Microsoft.Compute/images/write",
+    "Microsoft.Compute/virtualMachines/delete",
+    "Microsoft.Compute/virtualMachines/extensions/delete",
+    "Microsoft.Compute/virtualMachines/extensions/read",
+    "Microsoft.Compute/virtualMachines/extensions/write",
+    "Microsoft.Compute/virtualMachines/read",
+    "Microsoft.Compute/virtualMachines/write",
+    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
+    "Microsoft.Network/loadBalancers/delete",
+    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
+    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
+    "Microsoft.Network/loadBalancers/inboundNatRules/read",
+    "Microsoft.Network/loadBalancers/inboundNatRules/write",
+    "Microsoft.Network/loadBalancers/read",
+    "Microsoft.Network/loadBalancers/write",
+    "Microsoft.Network/networkInterfaces/delete",
+    "Microsoft.Network/networkInterfaces/join/action",
+    "Microsoft.Network/networkInterfaces/read",
+    "Microsoft.Network/networkInterfaces/write",
+    "Microsoft.Network/publicIPAddresses/delete",
+    "Microsoft.Network/publicIPAddresses/join/action",
+    "Microsoft.Network/publicIPAddresses/read",
+    "Microsoft.Network/publicIPAddresses/write",
+    "Microsoft.Resources/subscriptions/resourceGroups/read",
+    "Microsoft.Resources/subscriptions/resourceGroups/write",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+    "Microsoft.Storage/storageAccounts/listKeys/action",
+    "Microsoft.Storage/storageAccounts/read",
+    "Microsoft.Storage/storageAccounts/write"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/iaas-static-placement/vnet_role.json b/docs/book/src/topics/iaas-static-placement/vnet_role.json
@@ -0,0 +1,36 @@
+{
+  "Name": "Static Placement IaaS Cluster Deployer (vnet)",
+  "IsCustom": true,
+  "Description": "Can use CAPZ to deploy IaaS clusters using static placement. This role contains the permissions that must be applied at the virtual network scope level.",
+  "Actions": [
+    "Microsoft.Network/networkSecurityGroups/read",
+    "Microsoft.Network/networkSecurityGroups/securityRules/read",
+    "Microsoft.Network/privateDnsZones/A/delete",
+    "Microsoft.Network/privateDnsZones/A/read",
+    "Microsoft.Network/privateDnsZones/A/write",
+    "Microsoft.Network/privateDnsZones/delete",
+    "Microsoft.Network/privateDnsZones/read",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
+    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
+    "Microsoft.Network/privateDnsZones/write",
+    "Microsoft.Network/routeTables/delete",
+    "Microsoft.Network/routeTables/join/action",
+    "Microsoft.Network/routeTables/read",
+    "Microsoft.Network/routeTables/write",
+    "Microsoft.Network/virtualNetworks/join/action",
+    "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
+    "Microsoft.Network/virtualNetworks/peer/action",
+    "Microsoft.Network/virtualNetworks/read",
+    "Microsoft.Network/virtualNetworks/subnets/join/action",
+    "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action",
+    "Microsoft.Network/virtualNetworks/subnets/read",
+    "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
+    "Microsoft.Network/virtualNetworks/virtualMachines/read",
+    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/$SUBSCRIPTION_ID"
+  ]
+}
diff --git a/docs/book/src/topics/permissions.md b/docs/book/src/topics/permissions.md
@@ -0,0 +1,41 @@
+# Azure RBAC Permissions
+
+## AKS Cluster
+
+### Dynamically Provisioned
+``` json
+{{#include ./aks-dynamic-placement/rg_sub_role.json}}
+```
+
+``` json
+{{#include ./aks-dynamic-placement/sub_role.json}}
+```
+
+### Statically Provisioned
+``` json
+{{#include ./aks-static-placement/rg_sub_role.json}}
+```
+
+``` json
+{{#include ./aks-static-placement/sub_role.json}}
+```
+
+``` json
+{{#include ./aks-static-placement/vnet_role.json}}
+```
+
+## IaaS Cluster
+
+### Dynamically Provisioned
+``` json
+{{#include ./iaas-dynamic-placement/rg_sub_role.json}}
+```
+
+### Statically Provisioned
+``` json
+{{#include ./iaas-static-placement/rg_sub_role.json}}
+```
+
+``` json
+{{#include ./iaas-static-placement/vnet_role.json}}
+```