Page Comparison

This section lists the permissions required for supporting scaling of individual functionality (i.e. increase or decrease of nodes and disk). By default, these permissions don’t exist in the created role if the role is not created by enabling scaling permissions (scaling aware manner). Thus in each such environment where scaling is not enabled (either for complete scaling or for specific scaling functionality) at any time earlier than before the need to use that functionality, the role must include the permissions required for using that functionality.

Panel

panelIconId	atlassian-note
panelIcon	:note:
bgColor	#DEEBFF

Note

The role permissions may not update instantly. Changes may take 2-5 minutes to sync and apply.
For Azure, only :
- If the Resource Group of the Virtual Network is other than Kyvos, you must add custom roles with
required permission are needed if the
- the required permissions, as mentioned below in the (Scaling Permissions) table. If Virtual Network is in
a different Resources Group (except Kyvos Resource Group). No
- the same Resource Group as Kyvos, no additional permission is required for scaling nodes as Azure Managed Identity has Contributor access rights
on
- to all resources of the given Resource Group.
For Azure Enterprise, create a custom role with the required permissions.
- While creating a custom role, add the Resource IDs for the following services in the assignable scope:
  - Application Gateway
  - Virtual Network
  - Network Security Group
- Once the custom role is created, it must be assigned to each of the above-listed services.
- No permission is required for Query Engine disk scaling.

Scaling Permissions

Functionality	AWS (IAM Role)	AZURE	GCP
Increase Node	ec2:GetLaunchTemplateData ec2:CreateLaunchTemplate ec2:RunInstances	Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkInterfaces/write Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/networkSecurityGroups/join/action NOTE: Applicable only when Virtual Network is in another Resource Group.	compute.subnetworks.use (applicable for Marketplace only when shared VPC is used) compute.instances.create compute.disks.create compute.disks.use compute.instances.setServiceAccount compute.instances.use
Decrease Node	ec2:DeleteLaunchTemplate ec2:TerminateInstances	Microsoft.Network/applicationGateways/write (applicable only for Web Portal) Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkInterfaces/write Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/networkSecurityGroups/join/action NOTE: Applicable only when Virtual Network is in another Resource Group.	compute.subnetworks.use (applicable for Marketplace only) compute.instances.delete compute.instances.detachDisk compute.disks.delete
Query Engine Increase Disk	ec2:CreateVolume ec2:AttachVolume ec2:ModifyInstanceAttribute ec2:DescribeVolumes	Contributor Access	compute.instances.get compute.disks.create compute.instances.attachDisk compute.disks.use compute.disks.setLabels
Query Engine Decrease Disk	ec2:DetachVolume ec2:DeleteVolume	Contributor Access	compute.instances.detachDisk compute.disks.delete
Load Balancer Entry Addition	TargetGroup elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:RegisterTargets	Microsoft.Network/applicationGateways/write (applicable only for Web Portal)	Instance Group compute.instanceGroups.get compute.instanceGroups.update
Load Balancer Entry Deletion	Target Group elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DeregisterTargets	Microsoft.Network/applicationGateways/write (applicable only for Web Portal)	Instance Group compute.instanceGroups.get compute.instanceGroups.update
Health Check	Target Group Health Check Probe elasticloadbalancing:ModifyTargetGroup	Contributor Access	Instance Group Health Check compute.instanceGroups.get compute.instanceGroups.update

...

Versions Compared

Old Version 3

New Version Current

Key