(Azure) Access Control (IAM) Policy Management
Access Control Policy
SpaceONE highly recommends setting appropriate permissions on resource groups for each purpose.
Please set up a service account to create the API for each use case:
General Collector
The collector requires appropriate permissions to collect cloud resources. We strongly recommend limiting the collector's service account to read-only access.
You can additionally restrict it per resource group or per action. One useful example is to confine its rights to specific resource groups.
Prerequisite
This user guide tutorial assumes that a subscription ID is already created.
There are two options for granting permission to the Azure resources that SpaceONE is going to collect.
1. Grant the Reader role to the resource group where the resources are located. If you give the role to a resource group, SpaceONE can only collect resources located in that resource group.
2. Grant the Reader role to the subscription where the resources are located. If you give the role to the subscription, SpaceONE can collect resources in all resource groups in that subscription.
If you want to know more about Azure's access control policies, visit the link below.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
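As an added example (not SpaceONE's or Azure's own code), the following Python audits a collector service principal's role assignments against the two rules above: only the Reader role, granted at subscription or resource-group scope, and it also points out a resource-group grant that is already covered by a Reader grant on the parent subscription. The input shape follows the JSON that `az role assignment list --assignee <appId> --all` returns (the field names roleDefinitionName and scope are assumed); the sample assignments are constructed placeholders.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --assignee <appId> --all`
# output, trimmed to the two fields this check reads. IDs and names are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev"},
])

# Matches exactly the two scope shapes the guide describes: a subscription, or a
# resource group under a subscription. Anything else (management group, single resource) is "other".
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?$", re.IGNORECASE)


def parse_scope(scope):
    """Classify an ARM scope string as subscription, resourceGroup or other."""
    m = SCOPE_RE.match(scope)
    if not m:
        return ("other", None, None)
    if m.group("rg"):
        return ("resourceGroup", m.group("sub").lower(), m.group("rg").lower())
    return ("subscription", m.group("sub").lower(), None)


def audit_collector_assignments(assignments_json, allowed_roles=("Reader",)):
    """Return one finding per assignment that is not read-only, badly scoped, or redundant."""
    assignments = json.loads(assignments_json)
    # Roles the principal already holds at subscription level, keyed by (subscription, role).
    sub_roles = {(parse_scope(a["scope"])[1], a["roleDefinitionName"])
                 for a in assignments if parse_scope(a["scope"])[0] == "subscription"}
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        kind, sub, _ = parse_scope(scope)
        if role not in allowed_roles:
            findings.append(f"{role} at {scope}: not read-only, downgrade to Reader")
        if kind == "other":
            findings.append(f"{role} at {scope}: scope is neither a subscription nor a resource group")
        elif kind == "resourceGroup" and (sub, role) in sub_roles:
            findings.append(f"{role} at {scope}: redundant, already granted on subscription {sub}")
    return findings
```

Run `audit_collector_assignments` on the saved CLI output for the collector's app registration; an empty list means the principal matches the guide's least-privilege recommendation.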
Grant Roles to resource groups
STEP 1. Log in to Azure Portal > Resource groups
Select the resource group whose resources the collector will collect.
STEP 2. Click the Access control (IAM) navigation tab, and click the +Add button.
STEP 3. Assign the Reader role to the account. The account should have access permission in this resource group.
Troubleshooting
Authorization
Please follow the troubleshooting steps below if you face any of the following error messages.
1. (AuthorizationFailed) Client does not have authorization
The client client_id with object id object_id does not have authorization to perform action Microsoft.Resources/subscriptions/resourcegroups/read over scope subscription_id or the scope is invalid. If access was recently granted, please refresh your credentials
STEP 1: Log in to Azure Portal and navigate to Subscriptions
STEP 2: Click the subscription name where the resources are located.
STEP 3: Click the +Add role assignment button.
STEP 4: Add a role assignment with the following settings:
Role: Reader
Assign access to: User, group, or service principal
Select: the app registered in Active Directory (Azure Active Directory > Registered App)
Note: The service account name and the registered app name can be confused. Please select the registered app as shown below (they have different icons).