# Azure Role Deployment and Permissions

## Role Permissions

Pump only requests billing-level access in Azure, allowing customers to retain full administrative control over their Azure subscriptions and services.

Pump operates through two roles: Read-only and Auto-pilot.

#### Read-only Role

This role is used during the initial [onboarding step (Step 1)](https://help.pump.co/getting-started/step-1-view-estimate). It requires read-only permissions to access up to one year of historical billing and usage data via Azure Cost Management and Consumption APIs. This includes visibility into your resource groups, reservation coverage, and infrastructure metadata (e.g., whether your workloads are already utilizing savings plans).

Pump's optimization engine uses this data to calculate ideal savings opportunities. Once onboarding is complete, the read-only role continues to be used to display costs and savings within the Pump dashboard.

[Read-only Role JSON](https://pump-public-readonly.s3.us-west-2.amazonaws.com/azure-autopilot.json)

Note that the linked file and the definition below are named "Pump Autopilot Role" and grant write and action permissions on savings plan orders (`Microsoft.BillingBenefits`) and reservations (`Microsoft.Capacity`), plus wildcard access (`Microsoft.Consumption/*`, `Microsoft.CostManagement/*`) that covers write and delete operations as well as reads. That is the Autopilot permission set, not a read-only one. Before assigning any definition as the Read-only role, confirm that every action in it ends in `/read`, and fill in the subscription ID in `assignableScopes` (`"/subscriptions/"` on its own is a placeholder, not a valid scope).

```json
{
  "properties": {
    "roleName": "Pump Autopilot Role",
    "description": "Custom role for Pump to manage costs",
    "assignableScopes": [
      "/subscriptions/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.BillingBenefits/savingsPlanOrders/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/action",
          "Microsoft.BillingBenefits/savingsPlanOrders/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
          "Microsoft.Capacity/*/read",
          "Microsoft.Capacity/*/action",
          "Microsoft.Capacity/*/write",
          "Microsoft.Billing/*/read",
          "Microsoft.Billing/billingProperty/read",
          "Microsoft.Consumption/*",
          "Microsoft.CostManagement/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
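One way to run that check locally before deploying, as an added example that is not Pump's code: the POSIX shell function below scans a role definition file (the ARM JSON above or the inline form used by the `az` CLI) and reports every resource-provider operation that is not a `*/read` action and every `/subscriptions/...` scope that is not a fully specified subscription. The two sample definitions it runs against are constructed here for illustration: the first is a hypothetical read-only role, the second reproduces the write, action and wildcard entries from the Autopilot definition together with its unfilled scope placeholder.

```sh
#!/bin/sh
# Added example, not one of Pump's scripts: audit a custom role definition
# before assigning it as a "read-only" role.
#
# audit_role_definition FILE
#   Returns 0 when every resource-provider operation in FILE is a */read action
#   and every "/subscriptions/..." scope names one specific subscription.
#   Returns 1 otherwise and prints one line per finding on stderr.
# The parser is grep based, so it accepts both the ARM casing ("actions",
# "assignableScopes") and the az CLI casing ("Actions", "AssignableScopes").
# It treats every operation string alike, so an entry under notActions would
# be reported too, which is the conservative outcome for a read-only check.
audit_role_definition() {
    file="$1"
    rc=0
    set -f   # no pathname expansion: operation strings contain "*"

    # 1. Operations: anything not ending in /read can mutate state. A trailing
    #    wildcard such as Microsoft.Consumption/* includes write and delete.
    for op in $(grep -o '"Microsoft\.[^"]*"' "$file" | tr -d '"'); do
        case "$op" in
            */read) ;;
            *) echo "non-read action: $op" >&2; rc=1 ;;
        esac
    done

    # 2. Scopes: "/subscriptions/" with no ID is a placeholder that must be
    #    filled in; anything else must be exactly one subscription GUID.
    for scope in $(grep -o '"/subscriptions/[^"]*"' "$file" | tr -d '"'); do
        case "$scope" in
            /subscriptions/????????-????-????-????-????????????) ;;
            *) echo "scope is not one fully specified subscription: $scope" >&2; rc=1 ;;
        esac
    done

    set +f
    return "$rc"
}

# Constructed sample definitions for a self-test (not files from the page).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# A hypothetical read-only definition: every action ends in /read.
cat > "$SAMPLES/readonly.json" <<'EOF'
{
  "properties": {
    "roleName": "Example Read-only Role",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": [
        "Microsoft.Billing/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Capacity/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [], "dataActions": [], "notDataActions": []
    }]
  }
}
EOF

# The write, action and wildcard entries from the Autopilot definition, with
# the unfilled "/subscriptions/" placeholder.
cat > "$SAMPLES/autopilot.json" <<'EOF'
{
  "properties": {
    "roleName": "Pump Autopilot Role",
    "assignableScopes": ["/subscriptions/"],
    "permissions": [{
      "actions": [
        "Microsoft.BillingBenefits/savingsPlanOrders/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*"
      ]
    }]
  }
}
EOF

for f in readonly.json autopilot.json; do
    if audit_role_definition "$SAMPLES/$f"; then
        echo "$f: read-only, scoped to one subscription"
    else
        echo "$f: NOT safe to assign as the Read-only role"
    fi
done
```

Run it against the downloaded file (`audit_role_definition azure-autopilot.json`) before assigning the role; a definition that prints any finding should be treated as the Autopilot role, whatever its file name says.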

#### Auto-pilot Role

The Autopilot role builds on the Read-only role, with additional permissions to manage billing commitments like Reserved Instances and Savings Plans. This role is required after the [final onboarding step](https://help.pump.co/aws-joining-pump/how-to-join-pump-3-easy-steps/step-1-view-estimate).

Pump's AI models use this role to:

- Read service usage metadata (like VM and capacity data)
- Purchase and manage savings plans on your behalf
- Maintain visibility over usage patterns to ensure continuous optimization

Important: Pump never collects application-level data or user data, only metadata related to service usage.

[Auto-pilot Role deployment script](https://pump-public-readonly.s3.us-west-2.amazonaws.com/azure-autopilot.sh) (the role definition is embedded in the script)

```bash
#!/usr/bin/env bash
# Creates the "Pump Autopilot Role" custom role definition in a subscription
# and assigns it to Pump's service principal at subscription scope.

# Check if required parameters are provided
if [ $# -lt 2 ]; then
    echo "Usage: $0 <subscription_id> <service_principal_id>"
    echo "Example: $0 4d89996e-150a-464a-845e-e5ef5f190784 93d2af31-a8b3-4cef-86db-b762aa337c22"
    exit 1
fi

# Set variables from parameters
SUBSCRIPTION_ID="$1"
SERVICE_PRINCIPAL_ID="$2"
ROLE_NAME="Pump Autopilot Role"

echo "Using Subscription ID: $SUBSCRIPTION_ID"
echo "Using Service Principal ID: $SERVICE_PRINCIPAL_ID"

# Check if the role already exists. An existing definition is reused as-is,
# not updated, so a stale definition must be deleted first to pick up changes.
EXISTING_ROLE=$(az role definition list --name "$ROLE_NAME" --query "[].name" -o tsv)
if [ -n "$EXISTING_ROLE" ]; then
    echo "Role '$ROLE_NAME' already exists. Skipping creation."
else
    # Create the custom role definition, assignable only within this subscription
    echo "Creating custom role definition..."
    if ! az role definition create --role-definition '{
      "Name": "'"$ROLE_NAME"'",
      "Description": "Custom role for Pump to manage costs",
      "AssignableScopes": [
        "/subscriptions/'"$SUBSCRIPTION_ID"'"
      ],
      "Actions": [
        "Microsoft.BillingBenefits/savingsPlanOrders/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/action",
        "Microsoft.BillingBenefits/savingsPlanOrders/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
        "Microsoft.Capacity/*/read",
        "Microsoft.Capacity/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Billing/*/read",
        "Microsoft.Billing/billingProperty/read",
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }'; then
        echo "Error: Failed to create custom role definition."
        exit 1
    fi

    # Give the new definition a moment to propagate before assigning it
    sleep 2
fi

# Assign the custom role to the service principal at subscription scope
echo "Assigning custom role to service principal..."
if ! az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --role "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID"; then
    echo "Error: Failed to assign role '$ROLE_NAME' to $SERVICE_PRINCIPAL_ID."
    exit 1
fi

echo "Success: Role creation and assignment complete!"
```

## Role Deployment

If the Pump role is accidentally deleted or needs to be updated:

1. Log in to the Pump platform.
2. Navigate to: Settings > Integrations
3. Click the three-dot menu next to your Azure subscription.
4. Select the role type (Read-only or Autopilot) and redeploy using the script provided.

## Terraform Support

If your infrastructure is Terraform-based and CLI execution is not suitable, Pump also supports Terraform-based deployments. Please contact <support@pump.co> for more information.
