
Azure Role Deployment and Permissions


Last updated 4 days ago

Role Permissions

Pump only requests billing-level access in Azure, allowing customers to retain full administrative control over their Azure subscriptions and services.

Pump operates through 2 types of roles: Read-only and Auto-pilot.

Read Only Role

This role is used during the initial onboarding step (Step 1). It requires read-only permissions to access up to one year of historical billing and usage data via Azure Cost Management and Consumption APIs. This includes visibility into your resource groups, reservation coverage, and infrastructure metadata (e.g., whether your workloads are already utilizing savings plans).

Pump's optimization engine uses this data to calculate ideal savings opportunities. Once onboarding is complete, the read-only role continues to be used to display costs and savings within the Pump dashboard.

{
  "properties": {
    "roleName": "Pump Autopilot Role",
    "description": "Custom role for Pump to manage costs",
    "assignableScopes": [
      "/subscriptions/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.BillingBenefits/savingsPlanOrders/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/action",
          "Microsoft.BillingBenefits/savingsPlanOrders/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
          "Microsoft.Capacity/*/read",
          "Microsoft.Capacity/*/action",
          "Microsoft.Capacity/*/write",
          "Microsoft.Billing/*/read",
          "Microsoft.Billing/billingProperty/read",
          "Microsoft.Consumption/*",
          "Microsoft.CostManagement/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Auto-pilot Role

Pump's AI models use this role to:

- Read service usage metadata (like VM and capacity data)

- Purchase and manage savings plans on your behalf

- Maintain visibility over usage patterns to ensure continuous optimization

Important: Pump never collects application-level data or user data, only metadata related to service usage.

#!/usr/bin/env bash
# Check if required parameters are provided
if [ $# -lt 2 ]; then
    echo "Usage: $0 <subscription_id> <service_principal_id>"
    echo "Example: $0 4d89996e-150a-464a-845e-e5ef5f190784 93d2af31-a8b3-4cef-86db-b762aa337c22"
    exit 1
fi

# Set variables from parameters
SUBSCRIPTION_ID="$1"
SERVICE_PRINCIPAL_ID="$2"
ROLE_NAME="Pump Autopilot Role"

echo "Using Subscription ID: $SUBSCRIPTION_ID"
echo "Using Service Principal ID: $SERVICE_PRINCIPAL_ID"

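# Check if the role already exists in the target subscription
# (--scope keeps the lookup independent of the CLI's currently active subscription)
EXISTING_ROLE=$(az role definition list --name "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID" --query "[].name" -o tsv)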
if [ -n "$EXISTING_ROLE" ]; then
    echo "Role '$ROLE_NAME' already exists. Skipping creation."
else
    # Create the custom role definition
    echo "Creating custom role definition..."
    az role definition create --role-definition '{
      "Name": "'"$ROLE_NAME"'",
      "Description": "Custom role for Pump to manage costs",
      "AssignableScopes": [
        "/subscriptions/'"$SUBSCRIPTION_ID"'"
      ],
      "Actions": [
        "Microsoft.BillingBenefits/savingsPlanOrders/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/action",
        "Microsoft.BillingBenefits/savingsPlanOrders/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
        "Microsoft.Capacity/*/read",
        "Microsoft.Capacity/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Billing/*/read",
        "Microsoft.Billing/billingProperty/read",
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }'

    # Check if role creation was successful
    if [ $? -ne 0 ]; then
        echo "Error: Failed to create custom role definition."
        exit 1
    fi

    # Brief pause so the new role definition can propagate before it is assigned
    sleep 2
fi

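# Assign the custom role to the service principal
echo "Assigning custom role to service principal..."
if ! az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --role "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID"; then
    # Stop here so a failed assignment is not reported as success
    echo "Error: Failed to assign role '$ROLE_NAME' to the service principal."
    exit 1
fi

echo "Success: Role creation and assignment complete!"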
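
To check a deployed role against the permission list documented above, the following added example (not Pump's code) audits a role definition in either JSON shape shown on this page. It reports actions that are not limited to `/read`, actions absent from the documented list, any data actions, and assignable scopes wider than one subscription; the names `extract`, `audit`, `DOCUMENTED` and `SAMPLE`, and the drifted sample role, are constructed for illustration.

```python
import json
import re

# The 14 actions in the role definition shown on this page.
DOCUMENTED = frozenset("""
Microsoft.BillingBenefits/savingsPlanOrders/read
Microsoft.BillingBenefits/savingsPlanOrders/action
Microsoft.BillingBenefits/savingsPlanOrders/write
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write
Microsoft.BillingBenefits/savingsPlanOrders/*/action
Microsoft.Capacity/*/read
Microsoft.Capacity/*/action
Microsoft.Capacity/*/write
Microsoft.Billing/*/read
Microsoft.Billing/billingProperty/read
Microsoft.Consumption/*
Microsoft.CostManagement/*
Microsoft.Resources/subscriptions/resourceGroups/read
""".split())
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")

def extract(role):
    """Return (actions, data_actions, scopes) from either JSON shape on this page."""
    body = role.get("properties", role)
    if "permissions" in body:  # ARM shape: properties.permissions[].actions
        perms = body["permissions"]
        actions = [a for p in perms for a in p.get("actions", [])]
        data = [a for p in perms for a in p.get("dataActions", [])]
        return actions, data, body.get("assignableScopes", [])
    # az CLI input shape: top-level Actions / DataActions / AssignableScopes
    return body.get("Actions", []), body.get("DataActions", []), body.get("AssignableScopes", [])

def audit(role_json):
    actions, data, scopes = extract(json.loads(role_json))
    return {
        # Anything not ending in /read (write, action, bare wildcard) can change state.
        "mutating": sorted(a for a in actions if not a.lower().endswith("/read")),
        "undocumented": sorted(set(actions) - DOCUMENTED),
        "data_actions": sorted(data),
        "broad_scopes": sorted(s for s in scopes if not SUBSCRIPTION_SCOPE.match(s)),
    }

# Constructed sample (hypothetical drift): documented actions plus one extra, at root scope.
SAMPLE = json.dumps({
    "Actions": sorted(DOCUMENTED) + ["Microsoft.Compute/virtualMachines/write"],
    "DataActions": [], "AssignableScopes": ["/"],
})
print(json.dumps(audit(SAMPLE), indent=2))
```

Run against the role exactly as documented, `mutating` lists eight entries, which is the purchase and management access the Auto-pilot role describes; a role intended to be read-only should return none.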

Role Deployment

If the Pump role is accidentally deleted or needs to be updated:

1. Log in to the Pump platform.

2. Navigate to: Settings > Integrations

3. Click the three-dot menu next to your Azure subscription.

4. Select the role type (Read-only or Autopilot) and redeploy using the script provided.

Terraform Support

If your infrastructure is Terraform-based and CLI execution is not suitable, Pump also supports Terraform-based deployments. Please contact support@pump.co for more information.

The Autopilot role builds on the Read-only role, with additional permissions to manage billing commitments like Reserved Instances and Savings Plans. This role is required after the final onboarding step.