Creating a Storage Role
Follow these steps to create a custom storage role in the Azure portal when you are connecting your Azure account to Dremio Cloud or adding a project to an organization.
Dremio recommends using Azure's built-in Avere Contributor role. If you would like to create a custom role instead, the minimum permissions for the storage role are detailed below.
Log in to the Azure portal.
Search for "Resource groups" and select the Resource groups service in the search results.
Select the Resource group name that will be used for Dremio Cloud.
Click Access control (IAM) in the top left.
Click Add at the top and select Add custom role.
Click JSON.
Enter the following JSON, replacing subscription with your subscription ID and customer-provided-resource-group with your resource group created for Dremio.
{
"properties": {
"name": "Dremio Cloud Storage Role",
"description": "Dremio Cloud Storage Role for Accessing Azure Storage",
"assignableScopes": [
"/subscriptions/<subscription>/resourceGroups/<customer-provided-resource-group>"
],
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/blobServices/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
],
"notDataActions": []
}
}Click Next.
Click Create.
Azure CLI
The storage role can also be created through the Azure CLI.
First, you will need to create and save the storage role locally as a JSON file. See the following minimum definition of this role:
{
"name": "Dremio Cloud Compute Role",
"isCustom": true,
"description": "Dremio Cloud Storage Role for Accessing Azure Storage",
"assignableScopes": [
"/subscriptions/<subscription>/resourceGroups/<customer-provided-resource-group>"
],
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/blobServices/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
],
"notDataActions": []
}
Then execute the following command in the Azure CLI:
az role definition create --role-definition <PATH_TO>/dcstorage.json