|
| 1 | +--- |
| 2 | +title: Configure Access Control in Device Update for IoT Hub | Microsoft Docs |
| 3 | +description: Configure Access Control in Device Update for IoT Hub. |
| 4 | +author: eshashah |
| 5 | +ms.author: eshashah |
| 6 | +ms.date: 10/31/2022 |
| 7 | +ms.topic: how-to |
| 8 | +ms.service: iot-hub-device-update |
| 9 | +--- |
| 10 | + |
| 11 | +# Configure access control roles for Device Update resources |
| 12 | + |
| 13 | +In order for users to have access to Device Update, they must be granted access to the Device Update account, Instance and set the required access to the linked IoT hub. |
| 14 | + |
| 15 | +## Configure access control for Device Update account |
| 16 | + |
| 17 | +# [Azure portal](#tab/portal) |
| 18 | + |
| 19 | +1. In your Device Update account, select **Access control (IAM)** from the navigation menu. |
| 20 | + |
| 21 | + :::image type="content" source="media/create-device-update-account/account-access-control.png" alt-text="Screenshot of access Control within Device Update account." lightbox="media/create-device-update-account/account-access-control.png"::: |
| 22 | + |
| 23 | +2. Select **Add role assignments**. |
| 24 | + |
| 25 | +3. On the **Role** tab, select a Device Update role from the available options: |
| 26 | + |
| 27 | + * Device Update Administrator |
| 28 | + * Device Update Reader |
| 29 | + * Device Update Content Administrator |
| 30 | + * Device Update Content Reader |
| 31 | + * Device Update Deployments Administrator |
| 32 | + * Device Update Deployments Reader |
| 33 | + |
| 34 | + For more information, [Learn about Role-based access control in Device Update for IoT Hub](device-update-control-access.md). |
| 35 | + |
| 36 | + :::image type="content" source="media/create-device-update-account/role-assignment.png" alt-text="Screenshot of access Control role assignments within Device Update account." lightbox="media/create-device-update-account/role-assignment.png"::: |
| 37 | + |
| 38 | +4. Select **Next** |
| 39 | +5. On the **Members** tab, select the users or groups that you want to assign the role to. |
| 40 | + |
| 41 | + :::image type="content" source="media/create-device-update-account/role-assignment-2.png" alt-text="Screenshot of access Control member selection within Device Update account." lightbox="media/create-device-update-account/role-assignment-2.png"::: |
| 42 | + |
| 43 | +6. Select **Review + assign** |
| 44 | +7. Review the new role assignments and select **Review + assign** again |
| 45 | +8. You're now ready to use Device Update from within your IoT Hub |
| 46 | + |
| 47 | +# [Azure CLI](#tab/cli) |
| 48 | + |
| 49 | +The following roles are available for assigning access to Device Update: |
| 50 | + |
| 51 | +* Device Update Administrator |
| 52 | +* Device Update Reader |
| 53 | +* Device Update Content Administrator |
| 54 | +* Device Update Content Reader |
| 55 | +* Device Update Deployments Administrator |
| 56 | +* Device Update Deployments Reader |
| 57 | + |
| 58 | +For more information, [Learn about Role-based access control in Device Update for IoT Hub](device-update-control-access.md). |
| 59 | + |
| 60 | +Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to configure access control for your Device Update account. |
| 61 | + |
| 62 | +Replace the following placeholders with your own information: |
| 63 | + |
| 64 | +* *\<role>*: The Device Update role that you're assigning. |
| 65 | +* *\<user_group>*: The user or group that you want to assign the role to. |
| 66 | +* *\<account_id>*: The resource ID for the Device Update account that the user or group will get access to. You can retrieve the resource ID by using the [az iot device-update account show](/cli/azure/iot/device-update/account#az-iot-device-update-account-show) command and querying for the ID value: `az iot device-update account show -n <account_name> --query id`. |
| 67 | + |
| 68 | +```azurecli-interactive |
| 69 | +az role assignment create --role '<role>' --assignee <user_group> --scope <account_id> |
| 70 | +``` |
| 71 | +--- |
| 72 | + |
| 73 | +## Configure access for Azure Device Update service principal in linked IoT hub |
| 74 | + |
| 75 | +Device Update for IoT Hub communicates with IoT Hub to manage deployments and updates and to get information about devices. To enable the access, you need to give the **Azure Device Update** service principal access with the **IoT Hub Data Contributor** role. |
| 76 | + |
| 77 | +# [Azure portal](#tab/portal) |
| 78 | + |
| 79 | +1. In the Azure portal, navigate to the IoT hub connected to your Device Update instance. |
| 80 | + |
| 81 | + :::image type="content" source="media/create-device-update-account/navigate-to-iot-hub.png" alt-text="Screenshot of instance and linked IoT hub." lightbox="media/create-device-update-account/navigate-to-iot-hub.png"::: |
| 82 | + |
| 83 | +1. Select **Access Control(IAM)** from the navigation menu. Select **Add** > **Add role assignment**. |
| 84 | + |
| 85 | + :::image type="content" source="media/create-device-update-account/iot-hub-access-control.png" alt-text="Screenshot of access Control within IoT Hub." lightbox="media/create-device-update-account/iot-hub-access-control.png"::: |
| 86 | + |
| 87 | +3. In the **Role** tab, select **IoT Hub Data Contributor**. Select **Next**. |
| 88 | + |
| 89 | + :::image type="content" source="media/create-device-update-account/role-assignment-iot-hub.png" alt-text="Screenshot of access Control role assignment within IoT Hub." lightbox="media/create-device-update-account/role-assignment-iot-hub.png":::** |
| 90 | + |
| 91 | +4. For **Assign access to**, select **User, group, or service principal**. Select **Select Members** and search for '**Azure Device Update**' |
| 92 | + |
| 93 | + :::image type="content" source="media/create-device-update-account/assign-role-to-du-service-principal.png" alt-text="Screenshot of access Control member selection for IoT Hub." lightbox="media/create-device-update-account/assign-role-to-du-service-principal.png"::: |
| 94 | + |
| 95 | +6. Select **Next** > **Review + Assign** |
| 96 | + |
| 97 | +To validate that you've set permissions correctly: |
| 98 | + |
| 99 | +1. In the Azure portal, navigate to the IoT hub connected to your Device Update instance. |
| 100 | +1. Select **Access Control(IAM)** from the navigation menu. |
| 101 | +1. Select **Check access**. |
| 102 | +1. Select **User, group, or service principal** and search for '**Azure Device Update**' |
| 103 | +1. After clicking on **Azure Device Update**, verify that the **IoT Hub Data Contributor** role is listed under **Role assignments** |
| 104 | + |
| 105 | +# [Azure CLI](#tab/cli) |
| 106 | + |
| 107 | +Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to create a role assignment for the Azure Device Update service principal. |
| 108 | + |
| 109 | +Replace *\<resource_id>* with the resource ID of your IoT hub. You can retrieve the resource ID by using the [az iot hub show](/cli/azure/iot/hub#az-iot-hub-show) command and querying for the ID value: `az iot hub show -n <hub_name> --query id`. |
| 110 | + |
| 111 | +```azurecli |
| 112 | +az role assignment create --role "IoT Hub Data Contributor" --assignee https://api.adu.microsoft.com/ --scope <resource_id> |
| 113 | +``` |
| 114 | +--- |
| 115 | + |
| 116 | +## Next steps |
| 117 | + |
| 118 | +Try updating a device using one of the following quick tutorials: |
| 119 | + |
| 120 | +* [Update a simulated IoT Edge device](device-update-simulator.md) |
| 121 | +* [Update a Raspberry Pi](device-update-raspberry-pi.md) |
| 122 | +* [Update an Ubuntu Server 18.04 x64 Package agent](device-update-ubuntu-agent.md) |
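Review bot: The portal steps for the linked IoT hub (new-file lines 79-95) are numbered 1, 1, 3, 4, 6, and the image line at 89 ends with a stray `**` after the closing `:::`. Use `1.` for every step, or a clean 1 to 5 sequence, and drop the `**` so the list and the image render correctly. The validation steps at lines 97-103 sit only under the portal tab, which closes at the `# [Azure CLI](#tab/cli)` marker. The CLI tab at 105-113 has no equivalent check, so consider adding one such as `az role assignment list --assignee https://api.adu.microsoft.com/ --scope <resource_id>`, letting CLI users confirm that **IoT Hub Data Contributor** was granted at the intended scope. The intro at line 13 says access must be granted to the "account, Instance" and the linked IoT hub, but the page only covers the account and the hub. Either add the instance scope or reword that sentence, which also reads awkwardly as written. Smaller points: steps 4, 6, 7 and 8 in the first list and the last step of the second list lack terminal periods, and the two CLI fences use different tags (`azurecli-interactive` at 68, `azurecli` at 111).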