Azure Provider
The Azure provider enables integration with Microsoft Azure, providing role-based access control (RBAC) capabilities through Azure Active Directory and Azure Resource Manager.
Capabilities
- Role-Based Access Control (RBAC): Supports Azure RBAC roles and assignments
- Subscription Management: Access to Azure subscriptions and resource groups
- Permission Management: Access to Azure resource provider operations and permissions
- Identity Integration: Support for Azure AD authentication and service principals
Prerequisites
Azure Account Setup
- Azure Subscription: Active Azure subscription with appropriate permissions
- Azure AD Permissions: The agent needs permissions to:
  - Read role assignments and definitions
  - Access subscription and resource group information
  - List Azure resource provider operations
Required Azure Permissions
The following Azure permissions are required for the agent to function properly:
```json
{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
```
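Whether a role grants these four actions is decided by Azure's wildcard rules (an `*` in an action string spans `/` segments, and `NotActions` are subtracted from `Actions`), which is why the built-in Reader role with `*/read` is enough. The check below is an added example, not part of the provider; the role definitions in it are constructed for illustration.

```python
import re

# The actions listed under "Required Azure Permissions" on this page.
REQUIRED_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans '/' segments, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """Effective permission is Actions minus NotActions within a permissions entry."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def missing_actions(role: dict) -> list:
    """Return the required actions this role definition does not grant."""
    return [a for a in REQUIRED_ACTIONS if not role_allows(role, a)]


# Constructed role definitions for illustration. READER_LIKE has the shape of
# the built-in Reader role ("*/read"); LOCKED_DOWN is a custom role whose
# NotActions withhold everything under Microsoft.Authorization.
READER_LIKE = {"permissions": [{"actions": ["*/read"], "notActions": []}]}
LOCKED_DOWN = {"permissions": [{"actions": ["*/read"],
                                "notActions": ["Microsoft.Authorization/*"]}]}

if __name__ == "__main__":
    for name, role in (("Reader-like", READER_LIKE), ("Locked-down", LOCKED_DOWN)):
        gaps = missing_actions(role)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against a role definition exported from the portal or `az role definition list` to see which required actions a custom role is missing before assigning it to the agent's identity.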
Authentication Methods
The Azure provider supports multiple authentication methods:
1. Service Principal (Recommended)
Uses Azure service principal with client credentials:
```yaml
providers:
  azure-prod:
    name: Azure Production
    provider: azure
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
```
2. Managed Identity (Default)
When no credentials are provided, uses the default Azure credential chain (managed identity, environment variables, etc.):
```yaml
providers:
  azure-prod:
    name: Azure Production
    provider: azure
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
```
3. Resource Group Scoped
Optionally scope to a specific resource group:
```yaml
providers:
  azure-prod:
    name: Azure Production
    provider: azure
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
      resource_group: YOUR_RESOURCE_GROUP_NAME
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
```
Configuration Options
| Option | Type | Required | Default | Description |
|---|---|---|---|---|
| `subscription_id` | string | Yes | - | Azure subscription ID |
| `tenant_id` | string | No | - | Azure AD tenant ID (required for service principal) |
| `client_id` | string | No | - | Service principal client ID |
| `client_secret` | string | No | - | Service principal client secret |
| `resource_group` | string | No | - | Resource group name (optional scoping) |
Getting Credentials
Service Principal Setup
1. Create Service Principal: In Azure Portal → Azure Active Directory → App Registrations → New Registration
2. Get Application Details:
   - Application (client) ID: Copy this value for `client_id`
   - Directory (tenant) ID: Copy this value for `tenant_id`
3. Create Client Secret: In the app registration → Certificates & secrets → New client secret
   - Copy the secret value for `client_secret`
4. Assign Permissions: In Azure Portal → Subscriptions → Your Subscription → Access Control (IAM)
   - Add role assignment with “Reader” role minimum
   - Assign to your service principal
Azure CLI Setup
1. Install Azure CLI: Follow the Azure CLI installation guide
2. Login: `az login`
3. Get Subscription ID: `az account show --query id --output tsv`
Managed Identity Setup (Azure Resources)
- Enable Managed Identity: On your Azure resource (VM, App Service, etc.)
- Assign Permissions: Grant the managed identity appropriate RBAC permissions
- No Configuration Needed: The agent will automatically use the managed identity
Example Configurations
Production Environment with Service Principal
```yaml
version: "1.0"
providers:
  azure-prod:
    name: Azure Production
    description: Production Azure environment
    provider: azure
    enabled: true
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
```
Development Environment with Managed Identity
```yaml
version: "1.0"
providers:
  azure-dev:
    name: Azure Development
    description: Development Azure environment
    provider: azure
    enabled: true
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
```
Resource Group Scoped Configuration
```yaml
version: "1.0"
providers:
  azure-rg:
    name: Azure Resource Group
    description: Scoped to specific resource group
    provider: azure
    enabled: true
    config:
      subscription_id: YOUR_SUBSCRIPTION_ID
      resource_group: YOUR_RESOURCE_GROUP_NAME
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
```
Multi-Subscription Setup
```yaml
version: "1.0"
providers:
  azure-prod:
    name: Azure Production
    description: Production subscription
    provider: azure
    enabled: true
    config:
      subscription_id: YOUR_PROD_SUBSCRIPTION_ID
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
  azure-staging:
    name: Azure Staging
    description: Staging subscription
    provider: azure
    enabled: true
    config:
      subscription_id: YOUR_STAGING_SUBSCRIPTION_ID
      tenant_id: YOUR_TENANT_ID
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
```
Features
Azure RBAC Integration
The Azure provider automatically discovers and indexes Azure built-in and custom roles, making them available for role elevation requests.
Resource Provider Operations
Provides access to Azure resource provider operations and permissions for fine-grained access control.
Subscription and Resource Group Management
Supports managing access across multiple Azure subscriptions and resource groups.
Troubleshooting
Common Issues
- Authentication Failures
  - Verify service principal credentials are correct
  - Check Azure AD permissions for the service principal
  - Ensure subscription ID is valid and accessible
- Permission Issues
  - Verify the service principal has Reader role on the subscription
  - Check if resource group exists and is accessible
  - Ensure tenant ID matches the subscription’s tenant
- Managed Identity Issues
  - Verify managed identity is enabled on the Azure resource
  - Check if managed identity has appropriate RBAC permissions
  - Ensure the Azure resource can access Azure metadata service
Debugging
Enable debug logging to troubleshoot Azure provider issues:
```yaml
logging:
  level: debug
```
Look for Azure-specific log entries to identify authentication and permission issues.
Environment Variables
The Azure provider also supports standard Azure environment variables:
- `AZURE_CLIENT_ID`: Service principal client ID
- `AZURE_CLIENT_SECRET`: Service principal client secret
- `AZURE_TENANT_ID`: Azure AD tenant ID
- `AZURE_SUBSCRIPTION_ID`: Azure subscription ID
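The rules in "Authentication Methods" and "Configuration Options" (a required `subscription_id`; `tenant_id`, `client_id` and `client_secret` together selecting a service principal; the default credential chain otherwise) plus the `AZURE_*` variables above can be checked before the agent starts. This resolver is an added example, not the provider's own config loader; it assumes an `AZURE_*` variable may stand in for a missing config key and that an unreplaced `YOUR_...` placeholder is an error.

```python
import os
from typing import Optional

# Environment variable that can stand in for each config key (see "Environment Variables").
ENV_FOR = {
    "subscription_id": "AZURE_SUBSCRIPTION_ID",
    "tenant_id": "AZURE_TENANT_ID",
    "client_id": "AZURE_CLIENT_ID",
    "client_secret": "AZURE_CLIENT_SECRET",
}
SP_FIELDS = ("tenant_id", "client_id", "client_secret")


def resolve_auth(config: dict, env: Optional[dict] = None) -> dict:
    """Decide how a provider block will authenticate and flag obvious mistakes.

    Assumption (not stated by the provider docs): an AZURE_* variable fills in
    a key that is missing from the config block.
    """
    env = os.environ if env is None else env
    merged = {key: config.get(key) or env.get(var) for key, var in ENV_FOR.items()}
    merged["resource_group"] = config.get("resource_group")

    # Placeholder values copied verbatim from the examples are a common misconfiguration.
    leftovers = [k for k, v in merged.items() if isinstance(v, str) and v.startswith("YOUR_")]
    if leftovers:
        raise ValueError(f"placeholder values still present for: {leftovers}")
    if not merged["subscription_id"]:
        raise ValueError("subscription_id is required (config key or AZURE_SUBSCRIPTION_ID)")

    # Either all three service principal fields are set, or none (default credential chain).
    present = [f for f in SP_FIELDS if merged[f]]
    if present and len(present) != len(SP_FIELDS):
        missing = [f for f in SP_FIELDS if f not in present]
        raise ValueError(f"service principal settings incomplete, missing: {missing}")

    warnings = []
    if config.get("client_secret"):
        warnings.append("client_secret is stored inline in the config file; "
                        "AZURE_CLIENT_SECRET keeps it out of version control")
    return {
        "mode": "service_principal" if present else "default_credential_chain",
        "subscription_id": merged["subscription_id"],
        "resource_group": merged["resource_group"],
        "warnings": warnings,
    }
```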