...
Cloudaware needs access to Azure Key Vault* to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application (in this guide, cloudaware-api-access) on the Key Vault level.
Log in to the Azure portal. Select Key Vaults.
Select the key vault. Go to 'Access Policies'on the left→ +Add Access Policy.
Set up the key vault:
Key permissions: List
Secret permissions: List
Certificate permissions: List
Click Next.
Select principal: cloudaware-api-access Click Add.
Select the application → Next → Create.Repeat steps 1-3 for each key vault.
...
Cloudaware supports auto-discovery of Azure Reservations. To grant Cloudaware access to Azure reservations:
Log in to the Azure portal. Select Reservations.
Select the tab 'Role Assignment'. Click +Add → Add role assignments.
a. Under the tab 'Job function roles' select Reservations Reader → Next.
b. Under the tab 'Members' select the following settings:
Role: Reservations Reader
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access)→Select.
Click Review + assign.
Note |
---|
Please allow up to 24 hours for Cloudaware to collect Azure reservations data. |
To view Azure Reservations and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → RESERVATIONS.
Azure Kubernetes
Cloudaware supports auto-discovery of AKS Clusters and AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable the discovery and collection of AKS Cluster objects.
Log in to the Azure portal. Select Subscriptions.
Select the subscription. Go to 'Access Control (IAM)' on the left. Click +Add → Add role assignment:
a. Under the tab 'Role': in 'Job function roles' select Azure Kubernetes Service Cluster User Role → Next.
b. Under the tab 'Members':
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access)→Select.
Click Review + assign.To view Azure AKS resources, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → COMPUTE → AKS.
Note |
---|
If AKS cluster is Active Directory-managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware. |
...
To grant Cloudaware access to Azure Active Directory Devices:
Log in to the Azure portal. Select App registrations.
Select the Azure application created for Cloudaware access (in this guide, cloudaware-api-access). Go to API permissions → Add a permission.
Select Microsoft Graph → Application permissions:
In DeviceManagementManagedDevices: select DeviceManagementManagedDevices.Read.All → check the box → click Add permissions.
In DeviceManagementConfiguration: select DeviceManagementConfiguration.Read.All → check the box → click Add permissions.Click Grant admin consent for
<Directory Name>
to populate permissions.To view Azure Active Directory Devices and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → SECURITY, IDENTITY, COMPLIANCE → Active Directory → Azure Active Directory Devices.
The following Azure Active Directory objects managed by Intune* are supported:Azure Active Directory DevicesDevice
Azure Active Directory Device Config
Azure Active Directory Device Fact
Azure Active Directory Device MountPoint
...
To tag Azure resources directly from Cloudaware using Tag Analyzer, assign the Tag Contributor* role:
Log in to the Azure portal. Select Subscriptions.
Select the subscription → go to 'Access Control (IAM)' on the left. Click +Add → Add role assignment.
a. Under the tab 'Job function roles' select Tag Contributor** → Next.
b. Under the tab 'Members' select the following settings:
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access)→Select.
Click Review + assign.
*You can also create a custom role to define the scope of permissions for tagging.
...