Required Permissions and Custom Roles For Azure Chaos Faults
A reference guide for the minimum Azure role permissions required by each chaos faults and a superset role covering all.
Superset Role for All Azure Faults
Required Azure RBAC Permissions
This superset combines all permissions required for Disk Loss, Instance Stop, Web App operations, and Azure Stress faults.
{
"Name": "Harness Chaos Engineering - Azure Superset Role",
"IsCustom": true,
"Description": "Superset role combining all Azure permissions required for supported chaos faults.",
"Actions": [
"Microsoft.Compute/disks/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/powerOff/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/start/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read",
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/config/list/action",
"Microsoft.Web/sites/config/write",
"Microsoft.Web/sites/state/action",
"Microsoft.Web/sites/stop/action",
"Microsoft.Web/sites/start/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Disk Loss
Required Azure RBAC Permissions
| Azure RBAC Permission | Action Description |
|---|---|
| Microsoft.Compute/disks/read | Read managed disk metadata Get disk attachment status |
| Microsoft.Compute/virtualMachines/read | Read VM/VMSS instance properties |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Read VM/VMSS instance properties |
| Microsoft.Compute/virtualMachines/write | Modify VM data disk attachments |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Modify VMSS VM data disk attachments |
Sample Custom Role
{
"Name": "Harness Chaos Engineering - Azure Disk Loss",
"IsCustom": true,
"Description": "Allows detaching and reattaching managed disks to VM/VMSS instances.",
"Actions": [
"Microsoft.Compute/disks/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Instance Stop
Required Azure RBAC Permissions
| Azure RBAC Permission | Action Description |
|---|---|
| Microsoft.Compute/virtualMachines/read | Read VM metadata |
| Microsoft.Compute/virtualMachines/powerOff/action | Power off standalone VM |
| Microsoft.Compute/virtualMachines/start/action | Start standalone VM |
| Microsoft.Compute/virtualMachines/instanceView/read | Get instance status |
| Microsoft.Compute/virtualMachineScaleSets/virtualmachines/read | Read VMSS instance metadata |
| Microsoft.Compute/virtualMachineScaleSets/virtualmachines/powerOff/action | Power off VMSS instance |
| Microsoft.Compute/virtualMachineScaleSets/virtualmachines/start/action | Start VMSS instance |
| Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read | Get VMSS instance status |
Sample Custom Role
{
"Name": "Harness Chaos Engineering - Azure Instance Stop",
"IsCustom": true,
"Description": "Allows stopping and starting VMs and scale set VMs.",
"Actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/powerOff/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/start/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Web App Access Restriction
Required Azure RBAC Permissions
| Azure RBAC Permission | Action Description |
|---|---|
| Microsoft.Web/sites/read | List all Web Apps |
| Microsoft.Web/sites/config/list/action | Get Web App Config |
| Microsoft.Web/sites/config/write | Update Web App Config |
| Microsoft.Web/sites/state/action | Get Web App Status |
Sample Custom Role
{
"Name": "Harness Chaos Engineering - Web App Access Restriction",
"IsCustom": true,
"Description": "Allows reading and modifying Web App access restriction rules.",
"Actions": [
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/config/list/action",
"Microsoft.Web/sites/config/write",
"Microsoft.Web/sites/state/action"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Web App Stop
Required Azure RBAC Permissions
| Azure RBAC Permission | Action Description |
|---|---|
| Microsoft.Web/sites/read | Read app metadata |
| Microsoft.Web/sites/stop/action | Stop the app |
| Microsoft.Web/sites/start/action | Start the app |
| Microsoft.Web/sites/state/action | Get app state |
Sample Custom Role
{
"Name": "Harness Chaos Engineering - Web App Stop",
"IsCustom": true,
"Description": "Allows stopping and starting Azure Web Apps.",
"Actions": [
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/stop/action",
"Microsoft.Web/sites/start/action",
"Microsoft.Web/sites/state/action"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Azure Stress (CPU & Memory)
Required Azure RBAC Permissions
| Azure RBAC Permission | Action Description |
|---|---|
| Microsoft.Compute/virtualMachines/runCommand/action | Execute scripts on VMs using Run Command |
| Microsoft.Compute/virtualMachines/read | Read VM instance details |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read | Read the status of VMSS instances |
| Microsoft.Resources/subscriptions/resourceGroups/read | Read resource group metadata |
Sample Custom Role
{
"Name": "Harness Chaos Engineering - Azure Stress",
"IsCustom": true,
"Description": "Minimal custom role for executing stress chaos fault on Azure VMs and VMSS",
"Actions": [
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}
Note: Replace <your-subscription-id> with your actual Azure subscription ID.