Note
Ensure that role permissions may not update instantly. Changes may take 2-5 minutes to sync and apply.
For Azure, only custom roles with required permission are needed if Virtual Network is in different Resources Group (except Kyvos Resource Group). Ensure that there is no additional permission required for scaling nodes as Azure Managed Identity has Contributor access rights on all resources of the given Resource Group.
For Azure Enterprise, create a custom role with the required permissions. While creating a custom role, add the Resource IDs for the following services in the assignable scope:
Application Gateway
Virtual Network
Network Security Group
Once the custom role is created, it must be assigned to each of the above listed services.
Scaling Permissions
Functionality | AWS (IAM Role) | AZURE | GCP |
Increase Node | ec2:GetLaunchTemplateData |
NOTE: Applicable only when Virtual Network is in another Resource Group. | compute.subnetworks.use compute.instances.create |
Decrease Node | ec2:DeleteLaunchTemplate |
NOTE: Applicable only when Virtual Network is in another Resource Group. | compute.subnetworks.use compute.instances.delete |
Increase Disk | ec2:CreateVolume | Contributor Access | compute.disks.create |
Decrease Disk | ec2:DetachVolume | Contributor Access | compute.instances.detachDisk |
Load Balancer Entry Addition | TargetGroup elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:RegisterTargets | Microsoft.Network/applicationGateways/write | Instance Group compute.instanceGroups.get |
Load Balancer Entry Deletion | Target Group elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DeregisterTargets | Microsoft.Network/applicationGateways/write (applicable only for Web Portal) | Instance Group compute.instanceGroups.get |
Health Check | Target Group Health Check Probe elasticloadbalancing:ModifyTargetGroup | Contributor Access | Instance Group Health Check compute.instanceGroups.get |
Read Also: