Azure job settings: Azure credentials - Adaptive Applications - BlueCat Gateway - 25.3

Cloud Discovery & Visibility Administration Guide

Product name: BlueCat Gateway
Version: 25.3

When you edit a Microsoft Azure Discovery or Visibility, the Azure credentials settings hold the Azure account credentials that Cloud Discovery & Visibility (CDV) uses to access your Azure infrastructure. You see these settings when you update the credentials for a Discovery or Visibility, or when you create a new Discovery or Visibility.

In order to configure Cloud Discovery & Visibility for Azure, you must have the following:

  • Azure Service Principal credentials to access your Azure infrastructure.

  • At least one Subscription and Resource Group created on Azure.

You can assign Azure credentials to CDV in two ways:

  • If you're running Cloud Discovery & Visibility (CDV) on an Azure Virtual Machine (VM) with a configured Managed Identity, you can tell CDV to automatically acquire authorization credentials from the Managed Identity for its VM environment. You can assign the built-in Reader role (Discovery) or the Contributor role (Discovery and Visibility) to the VM's Managed Identity, or use a custom role.

  • If you're not running on a VM, you must set up Azure credentials manually, specifying a Tenant and Client ID. (You can also choose to set up Azure credentials manually even if you are running on a VM.) You will also need the secret value for the Service Principal account that CDV will use.

By default, CDV performs discovery on all resource groups within all subscriptions. To restrict the scope of discovery, you can instead specify a specific subscription, as well as a specific resource group within that subscription.

Setting up a Managed Identity on a VM for Azure credentials

If you want CDV to use a Managed Identity from the Azure VM on which it is installed, you'll need to set up the Managed Identity that CDV should use (if one doesn't already exist).

To set up a Managed Identity on a VM that CDV can use:

  1. In Microsoft Azure settings (for your Azure VM), go to the Subscriptions page and click your subscription.

  2. In the Subscription detail page, click Access Control (IAM).

  3. Click the +Add button to add a new role assignment.

    Tip: If you want to use a custom role, you can create one now. The custom role must have all necessary permissions to access all of CDV's features. For more details, see Azure environments.

  4. Click Add Role Assignment, then choose the role you want to assign.

    This can be the built-in Reader role (Discovery), the built-in Contributor role (Discovery and Visibility), or a custom role.

  5. In Assign access to, select Managed Identity.

  6. In Members, click Select members, then select the VM.

  7. Click Review and assign.
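
A check you can run after the role assignment above, added here as an example and not part of the BlueCat documentation: it takes records in the JSON shape that `az role assignment list` prints and reports whether the VM's Managed Identity holds the built-in role this page names for the features in use. The principal IDs, subscription ID, resource group and custom role name are constructed placeholders.

```python
# Built-in roles named in the guide and the CDV features each one covers.
ROLE_COVERS = {"Reader": {"discovery"},
               "Contributor": {"discovery", "visibility"}}

def audit_cdv_identity(assignments, principal_id, wanted):
    """Classify one identity's role assignments against the CDV features in use.

    assignments: records shaped like `az role assignment list` JSON output.
    wanted: features in use, {"discovery"} or {"discovery", "visibility"}.
    Returns (status, findings); status is ok, excess, insufficient or review.
    """
    covered, findings, custom = set(), [], False
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        features = ROLE_COVERS.get(role)
        if features is None:
            # Custom roles are allowed by the guide; their permissions need a manual look.
            custom = True
            findings.append(f"review: '{role}' at {scope} is not Reader or Contributor")
            continue
        covered |= features
        if features - wanted:
            findings.append(f"excess: '{role}' at {scope} covers more than the features in use")
    missing = wanted - covered
    if missing and not custom:
        return "insufficient", findings + [f"no built-in role covers {sorted(missing)}"]
    if any(f.startswith("excess") for f in findings):
        return "excess", findings
    return ("review" if custom else "ok"), findings

# Constructed sample records (placeholder IDs, not from a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalId": "vm-identity-a", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "vm-identity-b", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "vm-identity-c", "roleDefinitionName": "CDV custom role (hypothetical)",
     "scope": SUB + "/resourceGroups/rg-example"},
]

if __name__ == "__main__":
    for pid in ("vm-identity-a", "vm-identity-b", "vm-identity-c"):
        print(pid, audit_cdv_identity(SAMPLE, pid, {"discovery"}))
```

An `excess` result for a Discovery-only deployment means the identity holds Contributor where this page lists Reader as the role for Discovery.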

Azure credentials settings

Field/Option Description
Use Virtual Machine credentials

(This checkbox is available only if CDV is running on a VM with a Managed Identity.)

If ticked, specifies that CDV should automatically acquire authorization credentials from the Managed Identity for its VM environment.

Note: You will no longer be able to directly configure the Service Principal Azure Parameters for the Service Principal account. Any changes to that account must be done through Azure itself.

Tip: If you see the message "Cannot fetch subscriptions: ManagedIdentityCredential authentication unavailable", then the VM's Managed Identity status is turned off. You can turn it back on again in the VM environment's system settings.

To do so, in Microsoft Azure settings for the VM, click Identity. Then, in the System assigned tab, toggle Status to On.

If cleared, you must set up Azure credentials manually.

Directory (tenant) ID

(Available only if Use Virtual Machine credentials is cleared or does not appear.)

The tenant ID of the Service Principal account with which you authenticate with Azure.

Application (client) ID

(Available only if Use Virtual Machine credentials is cleared or does not appear.)

The client ID of the Service Principal account with which CDV will authenticate with Azure.

Client secret value

(Available only if Use Virtual Machine credentials is cleared or does not appear.)

The secret value of the Service Principal account with which CDV will authenticate with Azure.

Azure subscriptions

The subscription ID in Azure on which you would like to perform the discovery.

To perform discovery on all subscriptions, select All subscriptions (the default).

Azure resource groups

(Available only if you select a specific subscription in Azure subscriptions.)

The resource group within the selected subscription in Azure on which you would like to perform the discovery. To perform discovery on all resource groups within that subscription, select All resource groups (the default).

Note: This field appears only if you select a specific Azure subscription. If you are performing discovery on all subscriptions, CDV automatically runs discovery on all resource groups in those subscriptions.

Attention: Depending on the configuration and resources available in your Azure infrastructure, information may be overwritten, resulting in data loss. For more details on different discovery scenarios based on your defined Subscription and Resource Groups, see Azure Subscription and Resource Groups discovery scenarios.