Azure RBAC Policy
The RBAC roles required for NightOps to manage your Azure resources.
Service Principal Setup
NightOps uses a service principal to access your Azure resources. You can create one using the Azure CLI or Azure Portal.
Step 1: Create a Service Principal
Create a new service principal for NightOps. Omit --role and --scopes so that no role assignment is created at this point (current Azure CLI versions no longer assign Contributor by default); the least-privilege custom role is assigned in Step 3:
az ad sp create-for-rbac \
  --name "NightOps" \
  --years 1
Save the output: you'll need the appId, password, and tenant values. The password (client secret) is displayed only once; it can be reissued later with az ad app credential reset. If you created the service principal with --role "Contributor" instead, remove that assignment after Step 3 so only the custom role remains.
Step 2: Create a Custom Role (Recommended)
For least-privilege access, create a custom role instead of using Contributor. Save the following as nightops-role.json, replacing SUBSCRIPTION_ID:
{
  "Name": "NightOps Resource Manager",
  "Description": "Allows NightOps to manage compute resources",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/pause/action",
    "Microsoft.Sql/servers/databases/resume/action",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/agentPools/read",
    "Microsoft.ContainerService/managedClusters/agentPools/write",
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/start/action",
    "Microsoft.Web/sites/stop/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION_ID"
  ]
}
Two of these actions are broader than their purpose: Microsoft.Compute/virtualMachineScaleSets/write and Microsoft.ContainerService/managedClusters/agentPools/write are what allow the instance count to be changed, but there is no narrower "scale" action, so they also permit changing every other mutable property of the scale set or node pool (for a scale set that includes the VM image and extensions). Keep them only if NightOps scales those resources; otherwise remove them.
Create the custom role (this needs Microsoft.Authorization/roleDefinitions/write on the subscription, i.e. an Owner or User Access Administrator account, not the NightOps service principal):
az role definition create --role-definition nightops-role.json
Step 3: Assign the Custom Role
Assign the custom role to the service principal:
az role assignment create \
  --assignee APP_ID \
  --role "NightOps Resource Manager" \
  --scope /subscriptions/SUBSCRIPTION_ID
If this fails with a "principal not found" error immediately after Step 1, the new service principal has not finished replicating in the directory: wait a minute and retry, or pass --assignee-object-id together with --assignee-principal-type ServicePrincipal (as in the Managed Identity command below) so that no directory lookup is needed. If Step 1 was run with --role "Contributor", remove that assignment now:
az role assignment delete \
  --assignee APP_ID \
  --role "Contributor" \
  --scope /subscriptions/SUBSCRIPTION_ID
Step 4: Add to NightOps
In the NightOps dashboard, go to Settings → Cloud Providers → Add Azure Subscription and enter:
- Tenant ID: the tenant value from the Step 1 output (your Azure AD tenant ID)
- Subscription ID: the subscription to manage
- Client ID: the service principal's appId
- Client Secret: the service principal's password
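The four steps above amount to one role definition JSON plus a pair of role assignments. The following is an added example, my own code rather than anything shipped by NightOps or the Azure CLI: it builds that JSON for any subset of the services listed on this page, optionally narrows AssignableScopes to named resource groups, audits the result for entries that grant more than start/stop/scale (wildcards, Microsoft.Authorization actions, generic write/delete, scopes above the subscription), and checks an assignment listing for a Contributor role left over from Step 1. SUBSCRIPTION_ID, the resource-group names and SAMPLE_ASSIGNMENTS are constructed placeholders; the assignment fields mirror what az role assignment list -o json returns.

```python
"""Build, audit and verify a least-privilege custom role for NightOps.

Added example: not NightOps' own tooling and not an Azure SDK call. It only
produces/inspects the JSON that `az role definition create` consumes and that
`az role assignment list -o json` emits. SUBSCRIPTION_ID, the resource-group
names and SAMPLE_ASSIGNMENTS below are constructed placeholders.
"""
import json

# Per-service action sets, taken from the role definition on this page.
SERVICE_ACTIONS = {
    "vm": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "vmss": [
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
    ],
    "sql": [
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/pause/action",
        "Microsoft.Sql/servers/databases/resume/action",
    ],
    "aks": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/agentPools/read",
        "Microsoft.ContainerService/managedClusters/agentPools/write",
    ],
    "webapp": [
        "Microsoft.Web/sites/read",
        "Microsoft.Web/sites/start/action",
        "Microsoft.Web/sites/stop/action",
    ],
}
# Included in every variant so the caller can enumerate resource groups.
COMMON_ACTIONS = ["Microsoft.Resources/subscriptions/resourceGroups/read"]


def build_role(name, services, subscription_id, resource_groups=None):
    """Return a role definition dict ready for `az role definition create`.

    With resource_groups given, AssignableScopes is narrowed to those groups;
    the later role assignment must then use one of those scopes as well.
    """
    actions = set(COMMON_ACTIONS)
    for svc in services:
        actions.update(SERVICE_ACTIONS[svc])
    if resource_groups:
        scopes = [f"/subscriptions/{subscription_id}/resourceGroups/{rg}"
                  for rg in resource_groups]
    else:
        scopes = [f"/subscriptions/{subscription_id}"]
    return {
        "Name": name,
        "Description": "NightOps start/stop/scale for: " + ", ".join(services),
        "Actions": sorted(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": scopes,
    }


def audit_role(role):
    """Flag entries granting more than start/stop/scale; returns (entry, reason) pairs."""
    findings = []
    for action in role.get("Actions", []) + role.get("DataActions", []):
        if "*" in action:
            findings.append((action, "wildcard: matches every operation under the pattern"))
        elif action.startswith("Microsoft.Authorization/"):
            findings.append((action, "authorization: can alter role assignments (escalation path)"))
        elif action.endswith("/write") or action.endswith("/delete"):
            findings.append((action, "generic write/delete: changes any property, not just capacity"))
    for scope in role.get("AssignableScopes", []):
        if not scope.startswith("/subscriptions/"):
            findings.append((scope, "scope: above subscription level (root or management group)"))
    return findings


def stale_assignments(assignments, keep_role):
    """Return (role, scope) for assignments other than keep_role, e.g. a Contributor
    left over from `az ad sp create-for-rbac --role Contributor`. Input is the parsed
    JSON of `az role assignment list --assignee APP_ID --all -o json`."""
    return [(a["roleDefinitionName"], a["scope"])
            for a in assignments if a["roleDefinitionName"] != keep_role]


# Constructed sample: an assignment listing after Steps 1 and 3 on this page.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUBSCRIPTION_ID", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "NightOps Resource Manager",
     "scope": "/subscriptions/SUBSCRIPTION_ID", "principalType": "ServicePrincipal"},
]

if __name__ == "__main__":
    role = build_role("NightOps Resource Manager",
                      ["vm", "vmss", "sql", "aks", "webapp"], "SUBSCRIPTION_ID")
    with open("nightops-role.json", "w") as fh:   # feed this to az role definition create
        json.dump(role, fh, indent=2)
    for entry, reason in audit_role(role):
        print(f"REVIEW {entry}: {reason}")
    for name, scope in stale_assignments(SAMPLE_ASSIGNMENTS, role["Name"]):
        print(f"REMOVE {name} at {scope}")
```

Run against the page's full role, the audit flags exactly the two generic write actions (scale sets and AKS node pools), which is the review decision called out in Step 2; a VM-only role scoped to one resource group produces no findings. The stale-assignment check is the post-Step 3 verification that Contributor is gone.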
Minimal Permissions by Service
If you only need to manage specific services, replace the "Actions" list in nightops-role.json with one of the following (keep Microsoft.Resources/subscriptions/resourceGroups/read from the full role if NightOps has to enumerate resource groups):
Virtual Machines Only
"Actions": [
  "Microsoft.Compute/virtualMachines/read",
  "Microsoft.Compute/virtualMachines/start/action",
  "Microsoft.Compute/virtualMachines/deallocate/action"
]
AKS Only
"Actions": [
  "Microsoft.ContainerService/managedClusters/read",
  "Microsoft.ContainerService/managedClusters/agentPools/read",
  "Microsoft.ContainerService/managedClusters/agentPools/write"
]
Azure SQL Only
"Actions": [
  "Microsoft.Sql/servers/databases/read",
  "Microsoft.Sql/servers/databases/pause/action",
  "Microsoft.Sql/servers/databases/resume/action"
]
Using Managed Identity (Recommended for Azure-hosted)
If you're running NightOps on Azure (e.g., in AKS or App Service), you can use a Managed Identity instead of a service principal. No client secret is then created, so there is nothing to store in the dashboard, leak, or rotate. Assign the custom role to the identity's principal (object) ID, not its client ID:
# Assign the custom role to a managed identity
az role assignment create \
  --assignee-object-id MANAGED_IDENTITY_OBJECT_ID \
  --assignee-principal-type ServicePrincipal \
  --role "NightOps Resource Manager" \
  --scope /subscriptions/SUBSCRIPTION_ID
Security Considerations
- Use a custom role with minimal permissions instead of built-in Contributor, and remove any Contributor assignment left over from setup
- Use a Managed Identity when running on Azure so that no client secret exists to store or rotate
- Scope both the role's AssignableScopes and the role assignment to specific resource groups where possible
- NightOps' resource operations (start, deallocate, scale) are control-plane calls and appear in the subscription's Activity Log with the service principal as caller; its token requests appear in the Azure AD sign-in logs. Retain both and alert on operations outside the expected maintenance windows
- Rotate service principal secrets regularly (az ad app credential reset --id APP_ID issues a new one), or use a certificate credential instead of a password (--create-cert or --cert on az ad sp create-for-rbac)