Azure Role Deployment and Permissions

Role Permissions

Pump only requests billing-level access in Azure, allowing customers to retain full administrative control over their Azure subscriptions and services.

Pump operates through 2 types of roles: Read-only and Auto-pilot.

Read Only Role

This role is used during the initial onboarding step (Step 1). It requires read-only permissions to access up to one year of historical billing and usage data via Azure Cost Management and Consumption APIs. This includes visibility into your resource groups, reservation coverage, and infrastructure metadata (e.g., whether your workloads are already utilizing savings plans).

Pump's optimization engine uses this data to calculate ideal savings opportunities. Once onboarding is complete, the read-only role continues to be used to display costs and savings within the Pump dashboard.

Read-only Role JSON

{
  "properties": {
    "roleName": "Pump Autopilot Role",
    "description": "Custom role for Pump to manage costs",
    "assignableScopes": [
      "/subscriptions/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.BillingBenefits/savingsPlanOrders/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/action",
          "Microsoft.BillingBenefits/savingsPlanOrders/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
          "Microsoft.Capacity/*/read",
          "Microsoft.Capacity/*/action",
          "Microsoft.Capacity/*/write",
          "Microsoft.Billing/*/read",
          "Microsoft.Billing/billingProperty/read",
          "Microsoft.Consumption/*",
          "Microsoft.CostManagement/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Auto-pilot Role

The Autopilot role builds on the Read-only role, with additional permissions to manage billing commitments like Reserved Instances and Savings Plans. This role is required after the final onboarding step.

Pump's AI models use this role to:

- Read service usage metadata (like VM and capacity data)

- Purchase and manage savings plans on your behalf

- Maintain visibility over usage patterns to ensure continuous optimization

Important: Pump never collects application-level data or user data-only metadata related to service usage.

Auto-pilot Role JSON

Role Deployment

If the Pump role is accidentally deleted or needs to be updated:

1. Log in to the Pump platform.

2. Navigate to: Settings > Integrations

3. Click the three-dot menu next to your Azure subscription.

4. Select the role type (Read-only or Autopilot) and redeploy using the script provided.

Terraform Support

If your infrastructure is Terraform-based and CLI execution is not suitable, Pump also supports Terraform-based deployments. Please contact [email protected] for more information.