Pump only requests billing-level access in Azure, allowing customers to retain full administrative control over their Azure subscriptions and services.
Pump operates through two roles: Read-only and Autopilot.
Read Only Role
This role is used during the initial . It requires read-only permissions to access up to one year of historical billing and usage data via Azure Cost Management and Consumption APIs. This includes visibility into your resource groups, reservation coverage, and infrastructure metadata (e.g., whether your workloads are already utilizing savings plans).
Pump's optimization engine uses this data to calculate ideal savings opportunities. Once onboarding is complete, the read-only role continues to be used to display costs and savings within the Pump dashboard.
- Read service usage metadata (like VM and capacity data)
- Purchase and manage savings plans on your behalf
- Maintain visibility over usage patterns to ensure continuous optimization
Important: Pump never collects application-level data or user data, only metadata related to service usage.
```bash
#!/usr/bin/env bash

# Check if required parameters are provided
if [ $# -lt 2 ]; then
  echo "Usage: $0 <subscription_id> <service_principal_id>"
  echo "Example: $0 4d89996e-150a-464a-845e-e5ef5f190784 93d2af31-a8b3-4cef-86db-b762aa337c22"
  exit 1
fi

# Set variables from parameters
SUBSCRIPTION_ID="$1"
SERVICE_PRINCIPAL_ID="$2"
ROLE_NAME="Pump Autopilot Role"

echo "Using Subscription ID: $SUBSCRIPTION_ID"
echo "Using Service Principal ID: $SERVICE_PRINCIPAL_ID"

# Check if the role already exists
EXISTING_ROLE=$(az role definition list --name "$ROLE_NAME" --query "[].name" -o tsv)

if [ -n "$EXISTING_ROLE" ]; then
  echo "Role '$ROLE_NAME' already exists. Skipping creation."
else
  # Create the custom role definition, assignable only within this subscription
  echo "Creating custom role definition..."
  az role definition create --role-definition '{
    "Name": "'"$ROLE_NAME"'",
    "Description": "Custom role for Pump to manage costs",
    "AssignableScopes": [
      "/subscriptions/'"$SUBSCRIPTION_ID"'"
    ],
    "Actions": [
      "Microsoft.BillingBenefits/savingsPlanOrders/read",
      "Microsoft.BillingBenefits/savingsPlanOrders/action",
      "Microsoft.BillingBenefits/savingsPlanOrders/write",
      "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read",
      "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write",
      "Microsoft.BillingBenefits/savingsPlanOrders/*/action",
      "Microsoft.Capacity/*/read",
      "Microsoft.Capacity/*/action",
      "Microsoft.Capacity/*/write",
      "Microsoft.Billing/*/read",
      "Microsoft.Billing/billingProperty/read",
      "Microsoft.Consumption/*",
      "Microsoft.CostManagement/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": []
  }'

  # Check if role creation was successful
  if [ $? -ne 0 ]; then
    echo "Error: Failed to create custom role definition."
    exit 1
  fi

  # Give the new role definition a moment to become available
  sleep 2
fi

# Assign the custom role to the service principal, and stop if the assignment fails
echo "Assigning custom role to service principal..."
if ! az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --role "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID"; then
  echo "Error: Failed to assign custom role to service principal."
  exit 1
fi

echo "Success: Role creation and assignment complete!"
```
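Before running the script, the action list it grants can be reviewed entry by entry. The following is an added example, not Pump's code: it sorts each action from the role definition above into read-only, mutating, or full-wildcard, and flags entries already covered by a wildcard in the same list. The function names are illustrative, and the action list is copied from the script.

```bash
#!/usr/bin/env bash
# Added example, not Pump's code. ACTIONS is copied from the "Actions" array
# of the role definition on this page.
ACTIONS='Microsoft.BillingBenefits/savingsPlanOrders/read
Microsoft.BillingBenefits/savingsPlanOrders/action
Microsoft.BillingBenefits/savingsPlanOrders/write
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read
Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write
Microsoft.BillingBenefits/savingsPlanOrders/*/action
Microsoft.Capacity/*/read
Microsoft.Capacity/*/action
Microsoft.Capacity/*/write
Microsoft.Billing/*/read
Microsoft.Billing/billingProperty/read
Microsoft.Consumption/*
Microsoft.CostManagement/*
Microsoft.Resources/subscriptions/resourceGroups/read'

# classify_action ACTION -> read | mutating | full-wildcard | other
classify_action() {
  case "$1" in
    */read)                    echo read ;;
    */write|*/action|*/delete) echo mutating ;;
    '*'|*'/*')                 echo full-wildcard ;;  # every operation under the prefix
    *)                         echo other ;;
  esac
}

# list_by_class CLASS: print the actions in ACTIONS that fall in CLASS
list_by_class() {
  printf '%s\n' "$ACTIONS" | while IFS= read -r a; do
    if [ "$(classify_action "$a")" = "$1" ]; then printf '%s\n' "$a"; fi
  done
}

# list_redundant: actions already covered by a wildcard entry in the same list
list_redundant() {
  printf '%s\n' "$ACTIONS" | while IFS= read -r a; do
    printf '%s\n' "$ACTIONS" | while IFS= read -r b; do
      case "$b" in *'*'*) ;; *) continue ;; esac   # only wildcard entries can cover others
      [ "$a" = "$b" ] && continue
      case "$a" in $b) printf '%s\n' "$a" ;; esac  # $b unquoted so its * acts as a glob
    done
  done
}

count() { "$@" | wc -l | tr -d ' '; }
echo "read=$(count list_by_class read) mutating=$(count list_by_class mutating) full-wildcard=$(count list_by_class full-wildcard)"
echo "redundant: $(list_redundant)"
```

To review a role that is already deployed, replace ACTIONS with the output of az role definition list --name "Pump Autopilot Role" --query "[].permissions[].actions[]" -o tsv.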
Role Deployment
If the Pump role is accidentally deleted or needs to be updated:
1. Log in to the Pump platform.
2. Navigate to: Settings > Integrations
3. Click the three-dot menu next to your Azure subscription.
4. Select the role type (Read-only or Autopilot) and redeploy using the script provided.
Terraform Support
If your infrastructure is Terraform-based and CLI execution is not suitable, Pump also supports Terraform-based deployments. Please contact support@pump.co for more information.
The Autopilot role builds on the Read-only role, with additional permissions to manage billing commitments like Reserved Instances and Savings Plans. This role is required after the .