Skip to content

Azure Permissions

Before getting started with Matcha, we need to make sure that you have the correct permissions to provision resources on Azure.

There is a presumption made here that you have an Azure account with an active subscription which has billing enabled. For a guide on how to set that up, see here.

Why does Matcha require certain permissions?

As a provisioning tool, Matcha interacts with Azure on your behalf, hiding away the complexities of standing up resources. To do the provisioning, Matcha issues commands through your Azure account and to do that, your account needs to have the correct permissions enabled within a subscription.

What permissions does Matcha require?

Your account is required to have either:

  1. Owner; OR
  2. A combination of: Contributor + User Access Administrator

Note: These are high level roles with a lot of privileges and we're actively working on introducing more granular permissions.

How do I check what permissions my account has?

There are two ways you can do this, one is via the Azure CLI and the other is via the Azure Portal.

Azure CLI

To check using the Azure CLI, do the following (replacing <your-account-name>):

az login
az role assignment list --assignee <your-account-name> --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'

You should see something similar to the following (there might be multiple roles):

    "principalName": "<your-account-name>",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/<uuid>"

Check the roleDefinitionName field and if either of the two roles defined above are present, then you have the correct level of permissions to run matcha provision.

Azure Portal

To check your permissions using the Azure portal, do the following:

  • In the Azure portal, go to Subscriptions
  • Select the subscription that you want to check the roles for
  • Click Access Control (IAM) in the panel to the left

Azure Access Control Location

Azure Access Control
  • Go to the Role assignments tab
  • Check in the Role column whether it matches one of the required roles

Azure Role Assignments

Azure Role Assignments

From the above, we can see that the user has the Owner permissions.