Azure Role Deployment and Permissions

Role Permissions

Pump only requests billing-level access in Azure, allowing customers to retain full administrative control over their Azure subscriptions and services.

Pump operates through 2 types of roles: Read-only and Auto-pilot.

Read Only Role

This role is used during the initial onboarding step (Step 1). It requires read-only permissions to access up to one year of historical billing and usage data via Azure Cost Management and Consumption APIs. This includes visibility into your resource groups, reservation coverage, and infrastructure metadata (e.g., whether your workloads are already utilizing savings plans).

Pump's optimization engine uses this data to calculate ideal savings opportunities. Once onboarding is complete, the read-only role continues to be used to display costs and savings within the Pump dashboard.

Read-only Role JSON

{
  "properties": {
    "roleName": "Pump Autopilot Role",
    "description": "Custom role for Pump to manage costs",
    "assignableScopes": [
      "/subscriptions/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.BillingBenefits/savingsPlanOrders/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/action",
          "Microsoft.BillingBenefits/savingsPlanOrders/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
          "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
          "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
          "Microsoft.Capacity/*/read",
          "Microsoft.Capacity/*/action",
          "Microsoft.Capacity/*/write",
          "Microsoft.Billing/*/read",
          "Microsoft.Billing/billingProperty/read",
          "Microsoft.Consumption/*",
          "Microsoft.CostManagement/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Auto-pilot Role

The Autopilot role builds on the Read-only role, with additional permissions to manage billing commitments like Reserved Instances and Savings Plans. This role is required after the final onboarding step.

Pump's AI models use this role to:

- Read service usage metadata (like VM and capacity data)

- Purchase and manage savings plans on your behalf

- Maintain visibility over usage patterns to ensure continuous optimization

Important: Pump never collects application-level data or user data-only metadata related to service usage.

Auto-pilot Role JSON

# Check if required parameters are provided
if [ $# -lt 2 ]; then
    echo "Usage: $0 <subscription_id> <service_principal_id>"
    echo "Example: $0 4d89996e-150a-464a-845e-e5ef5f190784 93d2af31-a8b3-4cef-86db-b762aa337c22"
    exit 1
fi

# Set variables from parameters
SUBSCRIPTION_ID="$1"
SERVICE_PRINCIPAL_ID="$2"
ROLE_NAME="Pump Autopilot Role"

echo "Using Subscription ID: $SUBSCRIPTION_ID"
echo "Using Service Principal ID: $SERVICE_PRINCIPAL_ID"

# Check if the role already exists
EXISTING_ROLE=$(az role definition list --name "$ROLE_NAME" --query "[].name" -o tsv)
if [ -n "$EXISTING_ROLE" ]; then
    echo "Role '$ROLE_NAME' already exists. Skipping creation."
else
    # Create the custom role definition
    echo "Creating custom role definition..."
    az role definition create --role-definition '{
      "Name": "'"$ROLE_NAME"'",
      "Description": "Custom role for Pump to manage costs",
      "AssignableScopes": [
        "/subscriptions/'"$SUBSCRIPTION_ID"'"
      ],
      "Actions": [
        "Microsoft.BillingBenefits/savingsPlanOrders/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/action",
        "Microsoft.BillingBenefits/savingsPlanOrders/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
        "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
        "Microsoft.Capacity/*/read",
        "Microsoft.Capacity/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Billing/*/read",
        "Microsoft.Billing/billingProperty/read",
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }'

    # Check if role creation was successful
    if [ $? -ne 0 ]; then
        echo "Error: Failed to create custom role definition."
        exit 1
    fi

    sleep 2
fi

# Assign the custom role to the service principal
echo "Assigning custom role to service principal..."
az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --role "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID"

echo "Success: Role creation and assignment complete!"

Role Deployment

If the Pump role is accidentally deleted or needs to be updated:

1. Log in to the Pump platform.

2. Navigate to: Settings > Integrations

3. Click the three-dot menu next to your Azure subscription.

4. Select the role type (Read-only or Autopilot) and redeploy using the script provided.

Terraform Support

If your infrastructure is Terraform-based and CLI execution is not suitable, Pump also supports Terraform-based deployments. Please contact [email protected] for more information.

PreviousStep 2 - Authorize Pump NextWelcome to Pump University

Last updated 7 months ago