Supported resource types and role assignments for Chaos Studio
The following table lists the supported resource types for faults, the target types, and suggested roles to use when you give an experiment permission to a resource of that type.
More information about role assignments can be found on the Azure built-in roles page.
| Resource type | Target name/type | Suggested role assignment |
|---|---|---|
| Microsoft.Cache/Redis (service-direct) | Microsoft-AzureCacheForRedis | Redis Cache Contributor |
| Microsoft.ClassicCompute/domainNames (service-direct) | Microsoft-DomainNames | Classic Virtual Machine Contributor |
| Microsoft.Compute/virtualMachines (agent-based) | Microsoft-Agent | Reader |
| Microsoft.Compute/virtualMachineScaleSets (agent-based) | Microsoft-Agent | Reader |
| Microsoft.Compute/virtualMachines (service-direct) | Microsoft-VirtualMachine | Virtual Machine Contributor |
| Microsoft.Compute/virtualMachineScaleSets (service-direct) | Microsoft-VirtualMachineScaleSet | Virtual Machine Contributor |
| Microsoft.ContainerService/managedClusters (service-direct) | Microsoft-AzureKubernetesServiceChaosMesh (recommended) | Azure Kubernetes Service RBAC Admin Role and Azure Kubernetes Service Cluster User Role |
| Microsoft.ContainerService/managedClusters (service-direct) | Microsoft-AzureKubernetesServiceChaosMesh (fault version 2.1 with Kubernetes local accounts only) | Azure Kubernetes Service Cluster Admin Role |
| Microsoft.DocumentDb/databaseAccounts (Cosmos DB, service-direct) | Microsoft-Cosmos DB | Cosmos DB Operator |
| Microsoft.Insights/autoscalesettings (service-direct) | Microsoft-AutoScaleSettings | Web Plan Contributor |
| Microsoft.KeyVault/vaults (service-direct) | Microsoft-KeyVault | Azure Key Vault Contributor |
| Microsoft.Network/networkSecurityGroups (service-direct) | Microsoft-NetworkSecurityGroup | Network Contributor |
| Microsoft.Web/sites (service-direct) | Microsoft-AppService | Website Contributor |
| Microsoft.ServiceBus/namespaces (service-direct) | Microsoft-ServiceBus | Azure Service Bus Data Owner |
| Microsoft.EventHub/namespaces (service-direct) | Microsoft-EventHub | Azure Event Hubs Data Owner |
| Microsoft.LoadTestService/loadtests (service-direct) | Microsoft-AzureLoadTest | Load Test Contributor |
Custom role operations
If you prefer not to use the listed built-in roles, you can create custom roles and assign the exact operations needed for each fault. There are two ways to do this.
While creating an experiment within the Azure portal, you can select "Enable custom role creation and assignment" in the Permissions tab to allow Chaos Studio to deploy a custom role with the necessary operations.
Alternatively, if you aren't using the Azure portal or you prefer to manage operations individually, you can find the operations needed for each fault and manually assign them to a custom role. To see what roles are needed for a Chaos Studio fault, run the following Azure CLI REST command:
az rest --method get --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Chaos/locations/eastus/targetTypes/$TARGET_TYPE/capabilityTypes/$CAPABILITY_NAME?api-version=2024-01-01
As an example, see properties.azureRbacActions and properties.azureRbacDataActions for the Cosmos DB Failover fault.
> az rest --method get --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Chaos/locations/eastus/targetTypes/Microsoft-CosmosDB/capabilityTypes/Failover-1.0?api-version=2024-01-01"
{
"id": "/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Chaos/locations/eastus/targetTypes/CosmosDB/capabilityTypes/Failover-1.0",
"location": "eastus",
"name": "Failover-1.0",
"properties": {
"azureRbacActions": [
"Microsoft.DocumentDB/databaseAccounts/read",
"Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action"
],
"azureRbacDataActions": null,
"description": "",
"displayName": "",
"kind": "Fault",
"parametersSchema": "https://schema-tc.eastus.chaos-prod.azure.com/targetTypes/Microsoft-CosmosDB/capabilityTypes/Failover-1.0/parametersSchema.json",
"publisher": "Microsoft",
"runtimeProperties": {
"kind": "Continuous"
},
"targetType": "CosmosDB",
"urn": "urn:csci:microsoft:cosmosDB:failover/1.0"
},
"systemData": {
"createdAt": "2024-10-10T17:28:41.7377834+00:00",
"createdByType": "Application",
"lastModifiedAt": "2024-10-10T17:28:41.7377834+00:00"
},
"type": "Microsoft.Chaos/locations/targetTypes/capabilityTypes"
}