
Authentication with Microsoft Azure

This document describes the agents that Promitor provides, which Microsoft Azure services each of them consumes, and the minimal permissions the identity behind each agent needs in order to function.

Overview

Here is an overview of our Promitor agents and their integrations:

Azure Integration        Promitor Scraper    Promitor Resource Discovery
-----------------------  ------------------  ---------------------------
Azure Monitor
Azure Resource Graph

Each agent needs an Azure AD identity with which to authenticate to Microsoft Azure.

In order to achieve this, you'll need to create an Azure AD Application,

Supported Authentication Mechanisms

Our agents provide the following authentication mechanisms:

  • Service principal - Use the application id & secret of a pre-created Azure AD entity to authenticate with
  • Managed Identity - Use zero-secret authentication by letting Microsoft handle the authentication for you (docs)

For details on how to configure authentication, see our agent configuration documentation.

Service Principal Authentication


Every agent needs to be configured with the following environment variable:

  • PROMITOR_AUTH_APPKEY - Secret of the Azure AD entity to authenticate with

Alternatively, the app key can be read from a file (for example a mounted secret) by specifying the file's location in the agent configuration:

authentication:
  # Options are ServicePrincipal, SystemAssignedManagedIdentity, UserAssignedManagedIdentity.
  mode: ServicePrincipal # Optional. Default: ServicePrincipal.
  identityid: # [app id]
  secretFilePath: # [the name of the folder containing the secret file]
  secretFileName: # [the name of the file containing the app key]
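As an added example (not Promitor's own code), the resolver below reads an authentication block shaped like the YAML above and returns the app key from either documented source: the secretFilePath/secretFileName pair, or the PROMITOR_AUTH_APPKEY environment variable. The precedence (a configured file wins over the environment variable) and the stripping of a trailing newline from the file are assumptions made here for illustration, not documented Promitor behaviour; the managed identity modes return no secret because none is ever configured for them.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Added example, not Promitor's own code. Precedence (file over env var) and
# trailing-newline stripping are assumptions for illustration.
ENV_APP_KEY = "PROMITOR_AUTH_APPKEY"
MANAGED_IDENTITY_MODES = {"SystemAssignedManagedIdentity", "UserAssignedManagedIdentity"}


def resolve_app_key(authentication: Mapping[str, object],
                    env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the app key for ServicePrincipal mode, or None for the zero-secret
    managed identity modes. Raises ValueError when ServicePrincipal mode is
    configured but no usable secret can be found."""
    env = os.environ if env is None else env
    mode = str(authentication.get("mode") or "ServicePrincipal")  # documented default
    if mode in MANAGED_IDENTITY_MODES:
        return None  # Azure issues the token; there is no secret to load
    if mode != "ServicePrincipal":
        raise ValueError(f"unknown authentication mode {mode!r}")
    if not authentication.get("identityid"):
        raise ValueError("identityid (the app id) is required for ServicePrincipal mode")

    folder = authentication.get("secretFilePath")
    name = authentication.get("secretFileName")
    if folder and name:
        # A mounted secret file (e.g. a Kubernetes Secret volume). Fail loudly
        # on a missing file instead of silently falling back to the env var.
        secret_file = Path(str(folder)) / str(name)
        if not secret_file.is_file():
            raise ValueError(f"secret file {secret_file} does not exist")
        key = secret_file.read_text(encoding="utf-8").rstrip("\r\n")
    else:
        key = env.get(ENV_APP_KEY, "")
    if not key:
        raise ValueError(f"no app key: set {ENV_APP_KEY} or secretFilePath/secretFileName")
    return key


def demo_file_backed_secret() -> str:
    """Write a constructed (fake) app key to a temporary file and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "app-key").write_text("constructed-app-key-value\n", encoding="utf-8")
        config = {
            "mode": "ServicePrincipal",
            "identityid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
            "secretFilePath": str(folder),
            "secretFileName": "app-key",
        }
        return resolve_app_key(config, env={})


if __name__ == "__main__":
    print(demo_file_backed_secret())
```

The file-backed path is the one to prefer on Kubernetes: a Secret mounted as a volume never appears in `kubectl describe pod` output or in the process environment, whereas an environment variable does.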

Managed Identity Authentication


When using Managed Identity, you can use one of the following scenarios:

  • System-assigned Managed Identity - Use the identity of the Azure resource on which the agent runs and let Azure handle the authentication.
  • User-assigned Managed Identity - Use a pre-created Azure AD identity, but let Azure handle the authentication for you.

⚠ To use managed identity, your Kubernetes cluster must be hosted on Microsoft Azure.

Permission Overview

Required permissions for Azure Monitor

Identities that are used to integrate with Azure Monitor need the Monitoring Reader role on the subscription, resource group and/or resources that will be queried.

More information can be found here.

Required permissions for Azure Resource Graph

Identities that are used to integrate with Azure Resource Graph need the Reader role on the subscription, resource group and/or resources that will be queried.

⚠ If you reuse this identity for the Azure Monitor integration as well, also grant it the Monitoring Reader role described above; Reader alone does not satisfy that requirement as documented here.

More information can be found here.
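The two permission sections above, plus the caveat about reusing one identity, come down to a scope check: a role assignment made at a subscription applies to every resource group and resource below it, while one made on a single resource group does not reach a sibling group. The following added example (not Promitor's own code) checks whether a principal holds the documented role for each integration on a target scope. The role assignments are constructed sample data shaped like the principalId / roleDefinitionName / scope fields that `az role assignment list` returns; the subscription id, principal id and resource names are placeholders. The check matches on the role names this page documents and does not expand role definitions, so a custom role containing the same actions would be reported as missing.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Added example, not Promitor's own code. Role names are the ones this page
# documents; sample assignments below are constructed placeholders.
REQUIRED_ROLE = {
    "Azure Monitor": "Monitoring Reader",
    "Azure Resource Graph": "Reader",
}


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role_definition_name: str
    scope: str  # the ARM resource id the assignment was created on


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if a role assigned at `assigned_scope` applies to `target_scope`.

    Azure role assignments inherit downwards (subscription -> resource group
    -> resource). Match whole path segments, case-insensitively, so that an
    assignment on `.../resourceGroups/rg1` does not cover `.../resourceGroups/rg10`.
    """
    assigned = assigned_scope.rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    return target == assigned or target.startswith(assigned + "/")


def missing_roles(assignments: Iterable[RoleAssignment], principal_id: str,
                  integrations: Iterable[str], target_scope: str) -> List[str]:
    """Return the integrations whose documented role `principal_id` lacks on
    `target_scope`. Checks by role name only; it does not expand role
    definitions, so a custom or broader role is reported as missing."""
    assignments = list(assignments)
    missing = []
    for integration in integrations:
        role = REQUIRED_ROLE[integration]
        held = any(
            ra.principal_id == principal_id
            and ra.role_definition_name == role
            and scope_covers(ra.scope, target_scope)
            for ra in assignments
        )
        if not held:
            missing.append(integration)
    return missing


# Constructed sample data with placeholder ids, not real Azure output.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = [
    # Monitoring Reader granted once, at subscription level ...
    RoleAssignment(PRINCIPAL, "Monitoring Reader", SUBSCRIPTION),
    # ... but Reader only on one resource group (Azure may return mixed casing).
    RoleAssignment(PRINCIPAL, "Reader", SUBSCRIPTION + "/resourcegroups/Promitor-RG"),
]
IN_SCOPE_RESOURCE = (SUBSCRIPTION + "/resourceGroups/promitor-rg"
                     "/providers/Microsoft.ServiceBus/namespaces/promitor-sb")
OTHER_RG_RESOURCE = (SUBSCRIPTION + "/resourceGroups/promitor-rg2"
                     "/providers/Microsoft.ServiceBus/namespaces/other-sb")
BOTH = ["Azure Monitor", "Azure Resource Graph"]


if __name__ == "__main__":
    print(missing_roles(SAMPLE_ASSIGNMENTS, PRINCIPAL, BOTH, IN_SCOPE_RESOURCE))  # []
    print(missing_roles(SAMPLE_ASSIGNMENTS, PRINCIPAL, BOTH, OTHER_RG_RESOURCE))  # ['Azure Resource Graph']
```

Run against the assignments exported from your own tenant, the second case is the one to look for: the identity scrapes metrics everywhere thanks to the subscription-wide Monitoring Reader, yet resource discovery silently misses resources in any resource group where Reader was never granted.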
