Authentication with Microsoft Azure¶
This document describes the various agents that Promitor provides, what Microsoft Azure services they are consuming and what the minimal required permissions are that every entity requires to be functional.
Overview¶
Here is an overview of our Promitor agents and their integrations:
| Azure Integration | Promitor Scraper | Promitor Resource Discovery |
|---|---|---|
| Azure Monitor | ✅ | ❌ |
| Azure Resource Graph | ❌ | ✅ |
Each agent needs an Azure AD identity to authenticate with to Microsoft Azure.
In order to achieve this, you'll need to create an Azure AD Application,
Supported Authentication Mechanisms¶
Our agents provide the following authentication mechanisms:
- Service principle - Use application id & secret of the Azure AD entity that has been pre-created to authenticate with
- Managed Identity - Use zero-secret authentication by letting Microsoft handle the authentication for you (docs)
For details how to configure the authentication, we recommend reading our agent configuration documentation.
Service Principle Authentication¶
Every agent needs to be configured with the following environment variables:
- PROMITOR_AUTH_APPKEY - Secret of the Azure AD entity to authenticate with
The app key can also be read from a file by specifying the file's location:
azureAuthentication:
identity:
id: # [app id]
secretFilePath: # [the name of the folder containing the secret file]
secretFileName: # [the name of the file containing the app key]
Managed Identity Authentication¶
When using Managed Identity, you can use one of the following scenarios:
- System-assigned Managed Identity - Use the identity of the Azure resource on which it runs and let Azure handle the authentication.
- User-assigned Managed Identity - Use a pre-created Azure AD identity but let Azure handle the authentication for you
⚠ In order to use managed identity, your Kubernetes cluster must be hosted on Microsoft Azure to leverage this.
Permission Overview¶
Required permissions for Azure Monitor¶
Identities that are used to integrate with Azure Monitor need to have Monitoring Reader permission on the
subscription, resource group and/or resources that will be queried.
More information can be found here.
Required permissions for Azure Resource Graph¶
Identities that are used to integrate with Azure Resource Graph need to have Reader permission on the
subscription, resource group and/or resources that will be queried.
⚠ If you are re-using this identity to integrate with Azure Monitor, make sure to grant the required permissions to reflect that as well.
More information can be found here.