RBAC Permissions

The following Azure RBAC roles are required:

| Role | Purpose |
| --- | --- |
| Contributor | Resource creation and management |
| Storage Blob Data Reader | Cross-region storage access for DR |
| Azure Kubernetes Service Cluster Admin Role | AKS cluster management |
| DNS Zone Contributor | DNS record management |
| Monitoring Contributor | Alert policies and action groups |

Automatic RBAC for DR: When deploying a standby cluster (dr="standby"), Terraform automatically creates a "Storage Blob Data Reader" role assignment on the primary storage account for the secondary cluster's AKS managed identity (azurerm_role_assignment.dr_read_primary_storage). LogScale still uses shared keys for storage access today, so this role assignment is not required for LogScale authentication, but it is created for parity/visibility and future-proofing.

Cross-resource-group access: The standby deployment uses azapi_update_resource to patch the primary storage account's firewall rules (adding the secondary AKS outbound IPs and subnets). The deployer identity must have write access (Contributor or Storage Account Contributor) scoped to the primary storage account's resource group. If primary and secondary are in the same subscription, a subscription-level Contributor role covers this automatically.
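The two DR-time resources described above, the conditional `Storage Blob Data Reader` assignment and the `azapi_update_resource` firewall patch, written out as an added illustration. This is not the project's own Terraform; only the resource address `azurerm_role_assignment.dr_read_primary_storage` comes from the text. The variable names (`var.dr`, `var.primary_storage_account_id`, `var.primary_existing_ip_rules`, `var.secondary_outbound_ips`, `var.secondary_subnet_ids`), the cluster resource name `azurerm_kubernetes_cluster.this`, the choice of the kubelet identity as "the AKS managed identity", and the azapi provider 2.x object-style `body` are all assumptions.

```hcl
# Added example (not the project's code). Assumes azurerm and azapi 2.x providers
# are already configured and that the deployer identity holds Contributor (or
# Storage Account Contributor) on the PRIMARY storage account's resource group.

variable "dr" {
  description = "Deployment role: \"primary\" or \"standby\" (assumed variable)."
  type        = string
  default     = "primary"
}

variable "primary_storage_account_id" {
  description = "Resource ID of the primary LogScale storage account (assumed)."
  type        = string
}

variable "primary_existing_ip_rules" {
  description = "IP rules already present on the primary account's firewall (assumed input)."
  type        = list(string)
  default     = []
}

variable "secondary_outbound_ips" {
  description = "Public egress IPs of the standby AKS cluster (assumed input)."
  type        = list(string)
  default     = []
}

variable "secondary_subnet_ids" {
  description = "Subnet IDs of the standby AKS node pools (assumed input)."
  type        = list(string)
  default     = []
}

locals {
  is_standby = var.dr == "standby"
}

# Role assignment scoped to the single storage account, not the subscription:
# least privilege for the standby cluster's identity. Created only for standby.
resource "azurerm_role_assignment" "dr_read_primary_storage" {
  count                = local.is_standby ? 1 : 0
  scope                = var.primary_storage_account_id
  role_definition_name = "Storage Blob Data Reader"
  # Assumption: the kubelet identity is the one LogScale pods would present.
  principal_id = azurerm_kubernetes_cluster.this.kubelet_identity[0].object_id
}

# PATCH the primary account's network ACLs so the standby cluster can reach it.
# A PATCH replaces the ipRules / virtualNetworkRules arrays wholesale, so the
# primary's pre-existing rules are merged in rather than silently dropped.
resource "azapi_update_resource" "primary_storage_firewall" {
  count       = local.is_standby ? 1 : 0
  type        = "Microsoft.Storage/storageAccounts@2023-01-01"
  resource_id = var.primary_storage_account_id

  body = {
    properties = {
      networkAcls = {
        defaultAction = "Deny" # keep the firewall closed by default
        ipRules = [
          for ip in distinct(concat(var.primary_existing_ip_rules, var.secondary_outbound_ips)) : {
            value  = ip
            action = "Allow"
          }
        ]
        virtualNetworkRules = [
          for subnet_id in var.secondary_subnet_ids : {
            id     = subnet_id
            action = "Allow"
          }
        ]
      }
    }
  }
}

output "dr_role_assignment_id" {
  # Empty list on a primary deployment; one ID on a standby deployment.
  value = azurerm_role_assignment.dr_read_primary_storage[*].id
}
```

The `distinct(concat(...))` merge is the part worth checking in a plan review: if the primary's existing rules are not fed in, the first standby apply will remove them. Also confirm in the plan that the role assignment's `scope` is the storage account ID and not a resource group or subscription, so the standby identity gets read access to exactly one account.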