
Use Network Contributor Role for Managing Azure Network Resources

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the identity used by your Azure Kubernetes Service (AKS) clusters holds the Network Contributor role on the networking resources the cluster depends on, so that the cluster can manage those resources and reach other Azure services within an Azure Virtual Network (VNet). The Network Contributor role grants the permissions AKS needs to manage its networking resources (for example subnets, route tables, and load balancers) without the broader rights of the Contributor role, which keeps network management working while limiting what a compromised cluster identity could do.

Security, Operational excellence

By assigning the Network Contributor role to the cluster identity, Azure Kubernetes Service (AKS) clusters have the permissions required to manage the Azure networking resources they depend on, which is essential for accessing other Azure services from within a Virtual Network. Assign the role at the narrowest scope that works, normally the VNet or subnet used by the node pools rather than the whole subscription, so that the grant does not also cover unrelated networks.


Audit

To determine if your AKS clusters are configured to use the Network Contributor role, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, select Overview, and click on the name (link) of the Azure subscription associated with the selected cluster, listed next to Subscription.

07 In the navigation panel, choose Access control (IAM), and select the Role assignments tab to access the role assignments available for the selected subscription.

08 Click inside the Role filter box, type Network Contributor, and press Enter. If no results are found, there is no Network Contributor role assignment in the associated subscription, therefore the selected Azure Kubernetes Service (AKS) cluster is not using the Network Contributor role to manage network resources. If assignments are listed, also check that the cluster's managed identity (or service principal) appears among the assigned members: an assignment to some other user, group, or service principal gives the cluster itself no permissions.

09 Repeat steps no. 5 – 8 for each AKS cluster provisioned in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested AKS cluster names:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run aks show command (Windows/macOS/Linux) to return the resource ID of the selected AKS cluster, which contains the ID of the Azure subscription associated with the cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'id'

04 The command output should return the resource ID of the selected AKS cluster:

"/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster"

05 Run role assignment list command (Windows/macOS/Linux) to list the name of each role assigned at the scope of the cluster's subscription:

az role assignment list \
  --scope /subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd \
  --output table \
  --query '[*].roleDefinitionName'

06 The command output should return the requested role names:

Result
-------------------------------------------------
Owner
Security Admin
Storage Account Contributor
Storage Blob Data Reader
Storage Account Contributor
Storage Blob Data Owner
Log Analytics Contributor
Kubernetes Agentless Operator
Kubernetes Extension Contributor
Azure Kubernetes Service Contributor Role

If the Network Contributor role is not listed in the Result table returned by the command output, there is no Network Contributor role assignment in the associated subscription, therefore the selected Azure Kubernetes Service (AKS) cluster is not using the Network Contributor role to manage network resources. Note that this query lists every role assigned at the subscription scope, regardless of principal; to confirm that the cluster's own identity holds the role, query the same command with the --assignee parameter set to the principal ID of the cluster's managed identity (or service principal).

07 Repeat steps no. 3 – 6 for each AKS cluster available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To assign the Network Contributor role to your Azure Kubernetes Service (AKS) clusters, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Subscriptions blade at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade to access all your Microsoft Azure subscriptions.

03 Click on the name (link) of the Azure subscription that you want to configure, listed in the Subscription name column.

04 In the navigation panel, select Access control (IAM), choose Add from the blade top menu, and select Add role assignment.

05 For Role, select the Job function roles tab, find and select the Network Contributor role, and choose Next to continue the assignment process.

06 For Members, choose how the role should be granted next to Assign access to. To grant the role to the cluster itself, select Managed identity, choose Select members, and pick the managed identity of the AKS cluster; if the cluster runs with a service principal instead, select User, group, or service principal and pick that service principal. Choose Review + assign to continue.

07 For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.

08 Repeat steps no. 3 – 7 for each subscription that you want to configure, available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment create command (Windows/macOS/Linux) to assign the Network Contributor role to the principal specified for the --assignee-object-id command parameter (for an AKS cluster, the principal ID of its managed identity or service principal) within the specified Azure subscription. The example below uses the subscription as scope; for a narrower, least-privilege grant, set --scope to the resource ID of the VNet or subnet used by the cluster's node pools instead:

az role assignment create \
  --role "Network Contributor" \
  --assignee-object-id abcd1234-abcd-1234-abcd-1234abcd1234 \
  --scope /subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd

02 The command output should return the new role assignment information:

{
	"condition": null,
	"conditionVersion": null,
	"createdBy": null,
	"createdOn": "2023-07-19T08:20:54.040717+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-1234abcd1234",
	"name": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalType": "User",
	"roleDefinitionId": "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
	"scope": "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"updatedOn": "2023-07-19T08:20:54.286717+00:00"
}

03 Repeat steps no. 1 and 2 for each subscription that you want to configure, available in your Microsoft Azure cloud account.
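The Audit and Remediation procedures above check for the role name at subscription scope. The following script, added here as an example and not part of Conformity's own checks, does the stricter version of both steps: it resolves the cluster's own identity, determines which subnets the node pools attach to, tests whether a Network Contributor assignment held by that identity covers each subnet (Azure RBAC inherits down the resource hierarchy, so a grant on the VNet's resource group counts), flags grants wider than the network itself, and builds the subnet-scoped az role assignment create command for anything missing. The SAMPLE_CLUSTER and SAMPLE_ASSIGNMENTS documents are constructed to mirror the JSON shape of az aks show and az role assignment list --all; every ID in them is a placeholder. Replace them with the live output of those two commands (json.loads of their stdout) to run it against a real subscription.

```python
"""Audit an AKS cluster's Network Contributor grant and build the least-privilege fix.

Added example, not Conformity's own check. The SAMPLE_* documents below are
constructed to mirror the JSON returned by `az aks show` and
`az role assignment list --all`; replace them with the live output of those
commands to run this against a real subscription. All IDs are placeholders.
"""
import json

NETWORK_CONTRIBUTOR = "Network Contributor"
SUB = "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd"
SUBNET = (SUB + "/resourceGroups/rg-network/providers/Microsoft.Network"
          "/virtualNetworks/vnet-prod/subnets/snet-aks")

# Constructed stand-in for: az aks show --name <cluster> --resource-group <rg>
SAMPLE_CLUSTER = {
    "id": SUB + "/resourcegroups/cloud-shell-storage-westeurope/providers"
          "/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster",
    "identity": {"type": "SystemAssigned",
                 "principalId": "aaaa1111-aaaa-1111-aaaa-aaaa1111aaaa"},
    "agentPoolProfiles": [{"name": "nodepool1", "vnetSubnetId": SUBNET}],
}

# Constructed stand-in for: az role assignment list --all
SAMPLE_ASSIGNMENTS = [
    # Right role, right principal, scoped to the network's resource group: covers the subnet.
    {"principalId": "aaaa1111-aaaa-1111-aaaa-aaaa1111aaaa",
     "roleDefinitionName": NETWORK_CONTRIBUTOR,
     "scope": SUB + "/resourceGroups/rg-network"},
    # Right role but a different principal: proves nothing about the cluster.
    {"principalId": "bbbb2222-bbbb-2222-bbbb-bbbb2222bbbb",
     "roleDefinitionName": NETWORK_CONTRIBUTOR, "scope": SUB},
    # Cluster principal but an unrelated role.
    {"principalId": "aaaa1111-aaaa-1111-aaaa-aaaa1111aaaa",
     "roleDefinitionName": "Azure Kubernetes Service Contributor Role", "scope": SUB},
]


def cluster_principal_ids(cluster):
    """Object IDs of the cluster's control-plane identity (system- or user-assigned)."""
    identity = cluster.get("identity") or {}
    ids = set()
    if identity.get("principalId"):
        ids.add(identity["principalId"])
    for uai in (identity.get("userAssignedIdentities") or {}).values():
        if uai.get("principalId"):
            ids.add(uai["principalId"])
    return ids


def network_scopes(cluster):
    """Subnets the node pools attach to. Empty for an AKS-managed VNet, which lives
    in the node resource group where AKS itself grants the cluster identity access."""
    return sorted({p["vnetSubnetId"] for p in cluster.get("agentPoolProfiles", [])
                   if p.get("vnetSubnetId")})


def scope_covers(scope, target):
    """Azure RBAC inherits down the resource hierarchy: an assignment at `scope`
    applies to `target` when target is scope itself or a descendant of it.
    Resource IDs are case-insensitive, so compare lower-cased."""
    s, t = scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == s or t.startswith(s + "/")


def check_network_contributor(cluster, assignments):
    """Return which network scopes the cluster identity can manage, which it cannot,
    and which grants are wider than a resource group (subscription, management group, root)."""
    principals = cluster_principal_ids(cluster)
    relevant = [a for a in assignments
                if a.get("principalId") in principals
                and a.get("roleDefinitionName") == NETWORK_CONTRIBUTOR]
    targets = network_scopes(cluster)
    result = {"applicable": bool(targets), "granted": {}, "missing": [],
              "over_broad": sorted({a["scope"] for a in relevant
                                    if "/resourcegroups/" not in a["scope"].lower()})}
    for target in targets:
        covering = [a["scope"] for a in relevant if scope_covers(a["scope"], target)]
        if covering:
            result["granted"][target] = covering
        else:
            result["missing"].append(target)
    return result


def remediation_commands(cluster, result):
    """One `az role assignment create` per missing subnet, scoped to that subnet rather
    than to the subscription, for each cluster principal (managed identities are
    service principals for RBAC purposes)."""
    return [["az", "role", "assignment", "create",
             "--role", NETWORK_CONTRIBUTOR,
             "--assignee-object-id", pid,
             "--assignee-principal-type", "ServicePrincipal",
             "--scope", target]
            for pid in sorted(cluster_principal_ids(cluster))
            for target in result["missing"]]


if __name__ == "__main__":
    verdict = check_network_contributor(SAMPLE_CLUSTER, SAMPLE_ASSIGNMENTS)
    print(json.dumps(verdict, indent=2))
    for cmd in remediation_commands(SAMPLE_CLUSTER, verdict):
        print(" ".join(cmd))
```

With the constructed sample the subnet is reported as granted through the resource-group assignment and no command is emitted; delete the first sample assignment and the script prints a subnet-scoped az role assignment create for the cluster identity. A cluster whose node pools carry no vnetSubnetId (an AKS-managed VNet) is reported as not applicable rather than as a failure.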


Publication date Aug 9, 2023