Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

...

c) Go to Access Control (IAM) on the left → click +Add → Add role assignment:

...

d) Grant the Cloud Cloudaware application with access to the management group in question:

...

2. Type the description: ca-api-key

3. Set EXPIRES to: 730 days (24 months)

4. Click Add.

5. Save the secret value in a secure location.

...

6 - Grant Access To Key Vaults


Сloudaware has to be granted with the access to Key Vault* to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application on the Key Vault level.

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.

...

If AKS cluster is AD managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware.

9 - Microsoft Devices Discovery (Intune) (optional)

Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more

...

  • Azure Active Directory Devices

  • Azure Active Directory Compliance Policies

  • Azure Active Directory Device Config

10 - Tagging Permissions for Cloudaware (optional)

Use the Tag Contributor role or create a custom role to define the scope of provided permissions on tagging (see 'Custom Role For Tagging').

...

The role Tag Contributor uses a recently released Azure API method. Learn more about the role

Cloudaware Setup

1 - Adding Azure Active Directory to Cloudaware
Anchor
AddingAzureActiveDirectorytoCloudaware
AddingAzureActiveDirectorytoCloudaware

...

3. The green light in 'Status' means that the Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.

...

2 - Adding Azure Subscription to Cloudaware

If you haven't checked the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to add subscriptions manually.

...

5. Given the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions that Cloudaware has discovered in your Active Directory but is not able to collect due to insufficient access caused by an incorrect role assigned (check step 5 in Assigning Role to SubscriptionsReader by default or higher).

3 - Understanding Azure Application in Cloudaware

Credentials such as the Azure Active Directory Application ID (Client  ID) and Client Secret are stored within the Azure Application entity in  Cloudawarein Cloudaware. Please note that an Azure Application can only be created when adding Azure AD.

...