Create Veeam Backup Role for Veeam Service Account (w/ latest fix for gallery)
#requires -module Az.Resources | |
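function New-AzVeeamBackupRole {
    <#
    .SYNOPSIS
    Creates a role for the Veeam Backup Service Account with minimum required permissions.
    .DESCRIPTION
    Builds a custom role definition from the supplied name, description and action list,
    marks it assignable at each "/subscriptions/<entry>" scope and submits it with
    New-AzRoleDefinition. Honors -WhatIf / -Confirm through ShouldProcess.
    .NOTES
    The default action list grants write and delete on virtual machines, disks, snapshots,
    resource groups and storage accounts across every assignable subscription. Whatever
    identity is assigned this role can therefore destroy workloads in those subscriptions,
    so protect its credentials accordingly and keep the assignable scopes as narrow as the
    deployment allows. The default list is presumably taken from the vendor article linked
    in the default Description; re-check it against that article before relying on it.
    .EXAMPLE
    New-AzVeeamBackupRole -WhatIf
    What if: Performing the operation "Creating Veeam Backup Role Veeam Backup Service Account (https://www.veeam.com/kb3154)" on target "<Subscription>".
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        #Name of the role as displayed in Azure. Default is 'Veeam Backup Service Account'
        [String]$Name = 'Veeam Backup Service Account',
        #Description of the role.
        [String]$Description = 'https://www.veeam.com/kb3154',
        #Which subscription(s) to scope this role to. Default is your current context
        [string[]]$Subscription = (Get-AzContext).Subscription,
        #Which actions to allow. You should not specify this unless strictly required.
        [Collections.Generic.List[string]]$AllowedActions = @(
            "Microsoft.Compute/snapshots/delete",
            "Microsoft.Compute/snapshots/write",
            "Microsoft.Compute/snapshots/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/delete",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/disks/delete",
            "Microsoft.Compute/disks/write",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
            "Microsoft.Resources/subscriptions/resourceGroups/delete",
            "Microsoft.Storage/storageAccounts/write",
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Storage/storageAccounts/delete",
            "Microsoft.Compute/galleries/share/action"
        )
    )

    # With no signed-in context the default above evaluates to nothing. Fail early with a
    # clear message instead of carrying on with a role that has no assignable scope.
    if ($null -eq $Subscription -or $Subscription.Count -eq 0) {
        throw 'No subscription was supplied and no Azure context is available. Run Connect-AzAccount or pass -Subscription.'
    }

    # Build the scope list in a separate variable rather than re-typing the parameter.
    $scopes = [Collections.Generic.List[string]]::new()
    foreach ($entry in $Subscription) {
        # A blank entry would yield the malformed scope "/subscriptions/".
        if ([string]::IsNullOrWhiteSpace($entry)) {
            throw 'Subscription entries must not be empty.'
        }
        $scopes.Add("/subscriptions/$entry")
    }

    # Least-privilege guardrail: a wildcard in a caller-supplied action widens the role
    # beyond an explicit list. Warn, but do not block, since wildcards are valid actions.
    $wildcardActions = @($AllowedActions | Where-Object { $PSItem -like '*[*]*' })
    if ($wildcardActions.Count -gt 0) {
        Write-Warning "AllowedActions contains wildcard entries: $($wildcardActions -join ', '). Review them before assigning this role."
    }

    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = $Name
    $role.Description = $Description
    $role.Actions = $AllowedActions
    $role.AssignableScopes = $scopes

    # The ShouldProcess target lists the full scopes so -WhatIf shows exactly where the
    # role becomes assignable.
    if ($PSCmdlet.ShouldProcess(($scopes -join ','), "Creating Veeam Backup Role $Name ($Description)")) {
        New-AzRoleDefinition -Role $role
    }
}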