Prepare an Azure Subscription for Import to Guardrails
In this guide you will prepare an Azure subscription to be imported into Guardrails. You will deploy a role with the minimal permissions needed for Guardrails to discover and monitor resources in your subscription.
This is the first guide in the Getting started with Azure series.
Prerequisites
Access to the Turbot Guardrails console with admin privilege.
An Azure subscription to import into Guardrails.
Step 1: Locate app registrations
Select App registrations.
Step 2: Begin new registration
Select New registration.
Step 3: Register the app
Name the application. The name ought to be recognizable as a Guardrails registration and relevant to the subscription to be imported. Turbot recommends the naming convention Guardrails - {Name of the subscription}. The Redirect URI is optional; the Guardrails integration does not use the redirect URL as part of authentication. If you would like to include your Guardrails workspace hostname, this is a handy reference location.
Select Register.
Step 4: Capture details
Capture the Application (client) ID and the Directory (tenant) ID; you will need them later. Select the linked name of your subscription.
Step 5: Locate certificates & secrets.
Select Certificates & secrets.
Step 6: Create secret
Select Create new secret, write a description, and select Add.
Step 7: Launch cloud shell
Capture the Value of the secret (not the Secret ID) for use later.
Select the cloud shell icon.
Step 8: Create a ReadOnly role
In the cloud shell, launch a text editor (e.g. nano guardrails_reader_role.json) and paste this JSON code, swapping in your subscription ID. (If needed you can use az account show --query id --output tsv to print the ID.)
Note: You can use vim instead of nano.
{
  "name": "guardrails_reader",
  "description": "Basic Permissions needed for Guardrails Reader access",
  "actions": [
    "*/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.KeyVault/vaults/secrets/read",
    "Microsoft.KeyVault/vaults/read"
  ],
  "notActions": [],
  "dataActions": [],
  "notDataActions": [],
  "assignableScopes": [
    "/subscriptions/<<YOUR_SUBSCRIPTION_ID>>"
  ]
}
Note: The Azure built-in Reader role does not include permission to read Key Vault secret metadata (the metadata, not the secret value itself), so those actions are included here.
If using nano, the commands to save and exit are CTRL-O (Write Out), Enter (to save), and CTRL-X (to exit).
Run this command to create the role.
az role definition create --role-definition guardrails_reader_role.json
Run this command to verify the role was created.
az role definition list --name "guardrails_reader"
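As an added example that is not part of this guide or of Turbot's tooling, the Python below does two things a practitioner typically wants around Step 8: it renders the guide's role definition with a real subscription ID substituted in, and it audits a role definition in the shape that az role definition list returns (a list of objects with roleName, permissions[] and assignableScopes) to confirm the role still matches the guide's least-privilege intent. The audit flags any assignable scope broader than a single subscription, any control-plane action that is not a */read action apart from the storage listkeys/action the guide deliberately includes, and any data-plane (dataActions) grant. The sample az output embedded below is constructed, the subscription GUID is a placeholder, and the function names are this example's own.

```python
import json
import re

# The guide's Step 8 role definition; assignableScopes is filled in per subscription.
ROLE_TEMPLATE = {
    "name": "guardrails_reader",
    "description": "Basic Permissions needed for Guardrails Reader access",
    "actions": [
        "*/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.KeyVault/vaults/secrets/read",
        "Microsoft.KeyVault/vaults/read",
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": [],
    "assignableScopes": [],
}

# Non-read control-plane actions the guide intentionally grants. listkeys/action
# returns storage account access keys, so it is the one action worth watching.
ALLOWED_NON_READ_ACTIONS = {"Microsoft.Storage/storageAccounts/listkeys/action"}

GUID = r"[0-9a-f-]{36}"
SUBSCRIPTION_SCOPE = re.compile(rf"^/subscriptions/{GUID}$", re.IGNORECASE)


def build_role_definition(subscription_id: str) -> dict:
    """Return the guide's role definition scoped to exactly one subscription."""
    if not re.fullmatch(GUID, subscription_id, re.IGNORECASE):
        raise ValueError("subscription_id must be a GUID")
    role = json.loads(json.dumps(ROLE_TEMPLATE))  # deep copy of the template
    role["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return role


def audit_role_definition(definition: dict) -> list[str]:
    """Audit one definition as returned by `az role definition list`.

    Returns a list of findings; an empty list means the role is scoped to a
    single subscription and grants only the read actions the guide expects.
    """
    findings = []
    for scope in definition.get("assignableScopes", []):
        if not SUBSCRIPTION_SCOPE.match(scope):
            findings.append(f"assignable scope broader than one subscription: {scope}")
    for perm in definition.get("permissions", []):
        for action in perm.get("actions", []):
            is_read = action == "*/read" or action.lower().endswith("/read")
            if not is_read and action not in ALLOWED_NON_READ_ACTIONS:
                findings.append(f"unexpected non-read action: {action}")
        if perm.get("dataActions"):
            findings.append(f"data-plane access granted: {perm['dataActions']}")
    return findings


def audit_az_output(definitions: list[dict], role_name: str = "guardrails_reader") -> dict:
    """Audit every definition with the given roleName; maps roleName to its findings."""
    return {d["roleName"]: audit_role_definition(d)
            for d in definitions if d.get("roleName") == role_name}


# Constructed sample shaped like `az role definition list --name guardrails_reader`
# output; not real output from any tenant, and the GUID is a placeholder.
SAMPLE_AZ_OUTPUT = json.loads("""
[
  {
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "description": "Basic Permissions needed for Guardrails Reader access",
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.KeyVault/vaults/secrets/read",
          "Microsoft.KeyVault/vaults/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "guardrails_reader",
    "roleType": "CustomRole"
  }
]
""")

# Constructed drifted variant: scope widened to the tenant root and a write action added.
DRIFTED = json.loads(json.dumps(SAMPLE_AZ_OUTPUT[0]))
DRIFTED["assignableScopes"] = ["/"]
DRIFTED["permissions"][0]["actions"].append("Microsoft.Compute/virtualMachines/write")


if __name__ == "__main__":
    print(json.dumps(build_role_definition("00000000-0000-0000-0000-000000000000"), indent=2))
    print("as created:", audit_role_definition(SAMPLE_AZ_OUTPUT[0]))
    print("after drift:", audit_role_definition(DRIFTED))
```

To audit a real definition, pipe the output of az role definition list --name "guardrails_reader" --output json into json.loads and pass the resulting list to audit_az_output; a non-empty findings list means the role has been widened since it was created from the guide's JSON.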
Step 9: Assign the role to the app
Navigate to the portal home page, select Subscriptions, select your subscription, then select Access control (IAM).
Expand the Add dropdown and choose Add role assignment.
Search for the role you created, click to select it, and select Next.
Select Select members, search for your registered app, and select it.
Select Review + assign.
Step 10: Review
In this guide you've learned how to deploy an Azure role that grants minimal permissions to Guardrails.
Next Steps
In the next guide you will use the role you just created to import an Azure subscription into Guardrails.
Progress tracker
- Prepare an Azure Subscription for Import to Guardrails
- Connect an Azure Subscription to Guardrails
- Observe Azure Resource Activity
- Enable Your First Guardrails Policy Pack
- Review Subscription-Wide Governance
- Create a Static Exception to a Guardrails Azure Policy
- Create a Calculated Exception to a Guardrails Azure Policy
- Send an Alert to Email
- Apply a Quick Action
- Enable Automatic Enforcement