
Azure

Steps to Generate Credentials for Azure

  1. Login to Microsoft Azure Portal

  2. Go to Subscriptions

  3. Note your {subscription-id}; it is a GUID of the form 917ecd69-e57e-48b9-9cd2-7fe7796d994e

  4. Open Cloud Shell from the top right hand corner

  5. Select Bash

  6. Run the following command with your target subscription id:

      az ad sp create-for-rbac --role Reader --scopes /subscriptions/{subscription-id}

    Or, if you want to limit the scope to one or more specific resource groups (pass one scope per resource group):

      az ad sp create-for-rbac --role Reader --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

    The command prints the appId, password and tenant of the new service principal; save them, as the password is not shown again.

  7. Assign the role Azure Kubernetes Service Cluster User Role to the newly created service principal so that it can list Kubernetes clusters:

      az role assignment create --role "Azure Kubernetes Service Cluster User Role" --assignee {appId} --scope {same scope as above}

  8. Create a new project with the newly generated credentials

Existing Functionalities

Info: go to the API Reference to see the list of APIs.

  1. VM - List all Azure information (POST /api/v1/azure)
    1. Includes: regions, vms, vnets, subnets, nsgs, disks, keypairs, and clusters
  2. VM - List Azure Virtual Machines (POST /api/v1/azure/vms)
  3. Buckets - List Azure Buckets (POST /api/v1/azure/buckets)
  4. K8s - List Azure Kubernetes Clusters (POST /api/v1/azure/k8s)

Required Permissions

Warning: this is not tested yet.

The permission assignment is a bit more complicated on Azure. You need to assign the following permissions to the service principal:

  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action

You can create a custom role with these permissions and assign it to the service principal. See this page for more details. Then you can assign the role to the service principal following this page.

Vulnerability Scan Permission

The following permissions are required:

  • Microsoft.Compute/virtualMachines/runCommand/write
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete

To create a custom role with these permissions, see this page. Then you can assign the role to the service principal following this page.
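The custom role referred to in both the Required Permissions and the Vulnerability Scan Permission sections, as an added example that is not part of the original page: a Bash script for Cloud Shell that emits a role definition JSON containing exactly the actions listed above (read-only by default, with the scan write actions when asked), scoped to a single subscription, then creates the role and assigns it to the service principal. The role name `inventory-reader` and the `SUBSCRIPTION_ID`, `APP_ID` and `MODE` environment variables are assumptions of this example, not values from the page.

```shell
# Added example (not from the original page): emit a custom role definition
# with the read actions from "Required Permissions", optionally plus the
# "Vulnerability Scan Permission" write actions, then create and assign it.
# Role name, SUBSCRIPTION_ID and APP_ID are placeholders, not page values.
set -euo pipefail
READ_ACTIONS="Microsoft.Compute/disks/read
Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
SCAN_ACTIONS="Microsoft.Compute/virtualMachines/runCommand/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/securityRules/delete"
# $1 = subscription id, $2 = role name, $3 = "scan" adds the write actions.
build_role_definition() {
  local sub="$1" name="$2" mode="${3:-readonly}" actions="$READ_ACTIONS" list
  if [ "$mode" = scan ]; then
    actions="$actions
$SCAN_ACTIONS"
  fi
  # One quoted action per line, comma after every line except the last.
  list=$(printf '%s\n' "$actions" | sed 's/.*/    "&"/; $!s/$/,/')
  cat <<EOF
{
  "Name": "$name",
  "IsCustom": true,
  "Description": "Custom role for the inventory tool ($mode)",
  "Actions": [
$list
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$sub"]
}
EOF
}
# Create the role and assign it (appId from step 6); az runs only when APPLY=1.
apply_role() {
  local sub="$1" app_id="$2" name="$3" mode="${4:-readonly}" tmp
  tmp=$(mktemp)
  build_role_definition "$sub" "$name" "$mode" > "$tmp"
  az role definition create --role-definition "@$tmp"
  az role assignment create --role "$name" --assignee "$app_id" --scope "/subscriptions/$sub"
  rm -f "$tmp"
}
if [ "${APPLY:-0}" = 1 ]; then apply_role "$SUBSCRIPTION_ID" "$APP_ID" "inventory-reader" "${MODE:-readonly}"; fi
```

Run with `APPLY=1 SUBSCRIPTION_ID=... APP_ID=...` to apply it; `MODE=scan` builds the variant that also carries the vulnerability scan write actions, which you should keep as a separate role assigned only where scanning is actually needed. If the role already exists, `az role definition update` accepts the same JSON.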