Skip to main content

Creating a Compute Role

Follow these steps to create a custom compute role in the Azure portal when you are connecting your Azure account to Dremio Cloud or adding a project to an organization.

note

Dremio recommends using Azure's built-in roles: Virtual Machine Contributor and Avere Contributor. If you would like to create a custom role instead, the minimum permissions for the compute role are detailed below.

  1. Log in to the Azure portal.

  2. Search for "Resource groups" and select the Resource groups service in the search results.

  3. Select the resource group name that will be used for Dremio Cloud.

  4. Click Access control (IAM) in the top left.

  5. Click Add at the top and select Add custom role.

  6. Click JSON.

  7. Enter the following JSON, replacing subscription with your subscription ID and customer-provided-resource-group with your resource group created for Dremio.

    {
      "properties": {
         "name": "Dremio Cloud Compute Role",
         "description": "Dremio Cloud Compute Role for Running Dremio Engines",
         "assignableScopes": [
               "/subscriptions/<subscription>/resourceGroups/<customer-provided-resource-group>"
             ],
          "actions": [
              "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
              "Microsoft.Compute/virtualMachineScaleSets/delete",
              "Microsoft.Compute/virtualMachineScaleSets/write",
              "Microsoft.Compute/virtualMachineScaleSets/read",
              "Microsoft.Compute/virtualMachineScaleSets/skus/read",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/deallocate/action",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
              "Microsoft.Compute/disks/write",
              "Microsoft.Compute/disks/read",
              "Microsoft.Compute/disks/delete",
              "Microsoft.Compute/proximityPlacementGroups/write",
              "Microsoft.Compute/proximityPlacementGroups/read",
              "Microsoft.Compute/proximityPlacementGroups/delete",
              "Microsoft.Compute/galleries/read",
              "Microsoft.Compute/galleries/images/read",
              "Microsoft.Compute/galleries/images/versions/read",
              "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
              "Microsoft.Network/networkInterfaces/join/action",
              "Microsoft.Network/networkSecurityGroups/join/action",
              "Microsoft.Network/networkSecurityGroups/read",
              "Microsoft.Network/virtualNetworks/read",
              "Microsoft.Network/virtualNetworks/subnets/join/action",
              "Microsoft.Network/privateEndpoints/read",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.SerialConsole/serialPorts/connect/action"
              ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
      }
    }

  8. Click Next.

  9. Click Create.

Azure CLI

The compute role can also be created through the Azure CLI.

First, you will need to create and save the compute role locally as a JSON file. See the following minimum definition of this role:

dccompute.json
{
  "name": "Dremio Cloud Compute Role",
  "isCustom": true,
  "description": "Dremio Cloud Compute Role for Running Dremio Engines",
  "assignableScopes": [
        "/subscriptions/<subscription>/resourceGroups/<customer-provided-resource-group>"
        ],
  "actions": [
      "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
      "Microsoft.Compute/virtualMachineScaleSets/delete",
      "Microsoft.Compute/virtualMachineScaleSets/write",
      "Microsoft.Compute/virtualMachineScaleSets/read",
      "Microsoft.Compute/virtualMachineScaleSets/skus/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
      "Microsoft.Compute/disks/write",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/disks/delete",
      "Microsoft.Compute/proximityPlacementGroups/write",
      "Microsoft.Compute/proximityPlacementGroups/read",
      "Microsoft.Compute/proximityPlacementGroups/delete",
      "Microsoft.Compute/galleries/read",
      "Microsoft.Compute/galleries/images/read",
      "Microsoft.Compute/galleries/images/versions/read",
      "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
      "Microsoft.Network/networkInterfaces/join/action",
      "Microsoft.Network/networkSecurityGroups/join/action",
      "Microsoft.Network/networkSecurityGroups/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/privateEndpoints/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.SerialConsole/serialPorts/connect/action"
  ],
  "notActions": [],
  "dataActions": [],
  "notDataActions": []
}

Then execute the following command in the Azure CLI:

az role definition create --role-definition <PATH_TO>/dccompute.json