(Azure) Access Control (IAM) Policy Management

Access Control Policy

SpaceONE strongly recommends setting appropriate permissions on resource groups for each purpose.

Set up a separate service account, with its own API access, for each use case:

General Collector

The collector requires appropriate permissions to collect cloud resources. We strongly recommend limiting the collector's service account to read-only access.

You can also add further restrictions per resource group or per action. One useful example is to restrict the collector's rights to specific resource groups.

Prerequisite

This user guide assumes that a subscription ID has already been created.

There are two options for granting permission on the Azure resources that SpaceONE is going to collect.

  • Grant the Reader role on the resource group where the resources are located. If you assign the role on a resource group, SpaceONE can only collect resources located in that resource group.

  • Grant the Reader role on the subscription where the resources are located. If you assign the role on the subscription, SpaceONE can collect resources in all resource groups in that subscription.

To learn more about Azure's access control policies, see the link below.

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Grant Roles to resource groups

STEP 1: Log in to the Azure Portal > Resource groups

Select the resource group whose resources the collector will collect.

STEP 2: Click the Access control (IAM) navigation tab, then click the +Add button.

STEP 3: Assign the Reader role to the account. The account then has read access permission in this resource group.
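The same assignment can be made from the Azure CLI instead of the portal. The script below is an added example, not part of the SpaceONE guide: it builds the Azure resource-manager scope string for either of the two options above (one resource group, or the whole subscription) and runs `az role assignment create` against it. The subscription ID, resource group name and application (client) ID are placeholders; the DRY_RUN switch is this example's own convention, so the commands are printed for review unless you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not SpaceONE's code): CLI equivalent of the portal steps.
# Grants the built-in Reader role to the collector's registered app at
# resource-group scope (collect one group) or subscription scope (collect all).

# Build the ARM scope. Pass an empty resource group to target the whole
# subscription. Resource-group scope is the tighter, recommended choice.
build_scope() {
  sub="$1"; rg="$2"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Assign Reader (read-only) to the app. Passing the application (client) ID
# as --assignee lets az resolve the app's service principal, so a user or
# group that happens to share the app's display name is never picked.
# With DRY_RUN=1 (the default here) the command is printed, not executed.
grant_reader() {
  app_client_id="$1"; scope="$2"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'az role assignment create --role Reader --assignee %s --scope %s\n' \
      "$app_client_id" "$scope"
    return 0
  fi
  az role assignment create --role Reader --assignee "$app_client_id" --scope "$scope"
}

# Placeholder values (assumed); replace with your own.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP="spaceone-collect-rg"
APP_CLIENT_ID="11111111-1111-1111-1111-111111111111"

# Option 1: Reader on one resource group only.
grant_reader "$APP_CLIENT_ID" "$(build_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
# Option 2: Reader on the whole subscription (every resource group in it).
grant_reader "$APP_CLIENT_ID" "$(build_scope "$SUBSCRIPTION_ID" "")"
```

Run it once with the default DRY_RUN=1 to see both commands, then rerun with DRY_RUN=0 and only the option you actually want; granting both is pointless, since the subscription-level assignment already covers every resource group.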

Troubleshooting

Authorization

If you encounter any of the error messages below, follow the corresponding troubleshooting steps.

1. (AuthorizationFailed) Client does not have authorization

The client client_id with object id object_id does not have authorization to perform action Microsoft.Resources/subscriptions/resourcegroups/read over scope subscription_id or the scope is invalid. If access was recently granted, please refresh your credentials

STEP 1: Log in to the Azure Portal and navigate to Subscriptions

STEP 2: Click the name of the subscription where the resources are located.

STEP 3: Click the +Add role assignment button.

STEP 4: Add a role assignment with the following values:

  • Role

    • Reader

  • Assign access to

    • User, group, or service principal

  • Select

    • The app registered in Azure Active Directory (Azure Active Directory > Registered App)

Note: The service account name and the registered app name are easy to confuse. Select the registered app, as shown below (the icons differ).
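Why the fix above is a subscription-level assignment: the error names the scope of the failing call, and Azure role assignments only flow downward in the hierarchy, so a Reader assignment on one resource group covers that group and everything inside it but not the subscription or other groups. The script below is an added example, not SpaceONE's code, that checks whether any of the app's Reader assignments covers a required scope; the sample scopes and IDs are constructed placeholders, and the live lookup needs an authenticated Azure CLI.

```shell
#!/bin/sh
# Added example (not SpaceONE's code): does any Reader assignment cover the
# scope named in an AuthorizationFailed error?

# An assigned scope covers a required scope when it equals it or is an
# ancestor of it. Comparison is case-insensitive, as ARM scopes are.
scope_covers() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$r" in
    "$a"|"$a"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read newline-separated assigned scopes on stdin (the shape az prints with
# -o tsv) and succeed if any one of them covers the required scope.
has_covering_assignment() {
  required="$1"
  while IFS= read -r s; do
    [ -n "$s" ] && scope_covers "$s" "$required" && return 0
  done
  return 1
}

# Live lookup against Azure: list the scopes of the app's Reader assignments
# across the subscription and test them. Needs az login; the id is a placeholder.
check_live() {
  app_client_id="$1"; required="$2"
  az role assignment list --assignee "$app_client_id" --all \
    --query "[?roleDefinitionName=='Reader'].scope" -o tsv |
    has_covering_assignment "$required"
}

# Offline demonstration with constructed data: the app only holds Reader on
# one resource group, but the failing call (listing resource groups) ran at
# subscription scope, exactly the situation the error message describes.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_SCOPES="$SUB/resourceGroups/rg-a"
if printf '%s\n' "$SAMPLE_SCOPES" | has_covering_assignment "$SUB"; then
  echo "a Reader assignment already covers $SUB"
else
  echo "no Reader assignment covers $SUB: add Reader on the subscription (STEP 1-4 above)"
fi
```

For a real check replace the offline block with `check_live "$APP_CLIENT_ID" "$SUB"`; a non-zero exit means the subscription-level assignment from STEP 4 is still missing (or not yet propagated, which is what the "refresh your credentials" hint in the message refers to).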
