Azure Service Bus topics/subscriptions security using ACS - azure

What permissions I need to set for the following scenario:
I want to use Azure Service Bus in order to be able to connect a Windows service agent running on premises and a worker role running in Azure. The agent itself is software that will run on different customers' premises and communicate with my worker role via Service Bus. The worker role, once per day, will send a message to specific (maybe all, maybe only a few) customers' agents on premises, asking for some data. The agent will return the data to the worker role via Service Bus. In order to send a custom message to a specific customer agent I will use topics and subscriptions, where every customer agent will listen to its specific subscription.
Now, in order to build that agent and access Service Bus, I have to make use of the namespace, issuer name and issuer key, which by default is "owner". Well, owner has full control everywhere on that Service Bus, therefore I don't want to give the owner credentials and secret key to each customer agent service. That means I have to build a custom identity for each customer, or a common one for all.
My questions: what do you recommend:
one common service identity for all agents or generate one identity for each agent service?
what is the minimum access I should give to them? I guess Listen and Send right?

We use the Service Bus Relay to expose internal services to third parties. We secure the services using SAS and create a new Shared Access Policy with the appropriate permissions (typically Send, Listen) for each client. On the "Configure" tab in the portal, add a "new policy name" then "save". You can then retrieve the Shared Access Key in the bottom section of the portal.
We found this method easier than generating IDs under ACS.
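As an added illustration of the SAS approach in the answer above (example code, not from the poster): with a per-client Shared Access Policy in place, the service side can hand each customer agent a short-lived SAS token derived from that policy's key instead of the key itself, and the verify routine shows exactly what such a token commits to. The namespace, topic, policy name and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus
# Hypothetical names: the namespace, topic and policy are constructed for this example.
NAMESPACE = "contoso-example"
TOPIC = "agent-requests"
POLICY_NAME = "customer-a-listen"      # a per-customer Shared Access Policy with Listen only
POLICY_KEY = "constructed-key-not-a-real-secret"

def entity_uri(namespace, entity_path):
    """Resource URI the token is issued for; a token covers every path prefixed by it."""
    return f"https://{namespace}.servicebus.windows.net/{entity_path}"

def make_sas_token(resource_uri, policy_name, policy_key, expiry_epoch):
    """Sign '<url-encoded uri>\\n<expiry>' with the policy key (HMAC-SHA256, base64)."""
    encoded_uri = quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(policy_key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote_plus(base64.b64encode(digest).decode("ascii"))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry_epoch}&skn={policy_name}"

def parse_sas_token(token):
    """Split a token into its sr / sig / se / skn fields (percent-decoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}

def verify_sas_token(token, policy_name, policy_key, now_epoch):
    """What the receiving side checks: policy name, expiry, and the signature over sr + se."""
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
        if fields["skn"] != policy_name or expiry <= now_epoch:
            return False
        string_to_sign = f"{quote_plus(fields['sr'])}\n{expiry}".encode("utf-8")
        expected = base64.b64encode(
            hmac.new(policy_key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()).decode("ascii")
        return hmac.compare_digest(expected, fields["sig"])
    except (KeyError, ValueError):
        return False

if __name__ == "__main__":
    # Issue a token that lasts one hour instead of handing out the policy key itself.
    token = make_sas_token(entity_uri(NAMESPACE, TOPIC), POLICY_NAME, POLICY_KEY, int(time.time()) + 3600)
    print(token)
```

Rotating the policy key in the portal invalidates every token signed with it, which is the lever you keep when a customer agent is decommissioned.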

Related

Azure Authenticating Service Principal with certificate for service bus

I am hoping to use a Windows service installed on client machines to talk to an Azure Service Bus. Please note that the service is not installed in the cloud; it is on premises.
During my testing I can:
Add items to the queue using the default identity (taking my VS settings)
Add items to the queue using SAS - I want a bit more security, using an endpoint connection string
Add items to a queue using client, tenant and secret using ClientSecretCredentials
but I cannot find anywhere whether I can use a certificate to authenticate a service principal.
Is a certificate a good way to go? Are there any better alternatives?

Deploying Azure Function with Personal Access Token

I have created a release pipeline for an Azure Function that I developed. But to publish the artifact to the Azure resource, is there a way I can deploy it through a PAT (like how we publish VSS extensions to the marketplace)? Because the subscription belongs to another person but I want to be able to deploy. If not a PAT, is there an alternate way to deploy when I don't have the subscription? Thanks
Don't know if it makes sense because I am new to this :)
You can use Service Connection to Azure Resource Manager with Service Principal in "Manual mode".
Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that will be available over the connection. Use this approach when you need to connect to an Azure account using different credentials from those you are currently logged on with in Azure Pipelines or TFS. This is also a useful way to maximize security and limit access.
First ask an owner of the subscription to create a Service Principal (app registration) with access to the subscription; then it will just be a matter of creating a service connection in DevOps (project settings -> pipelines -> service connections) with the proper service principal id, key, subscription id, name etc.
You can find a really good tutorial for that here.

Azure Automation Privileges

I have two subscriptions.
On one subscription I run logic apps and on the logic apps I have azure functions.
The other subscription contains target resources for the automation via Logic Apps and Azure Functions.
In order to run the Logic Apps and the Azure Functions associated with them, what privileges do I need on the target subscriptions? I want to be able to do things like stop a VM, change NSG settings, run malware scans, etc.
Do I need to run the logic app using an account that has owner permissions on both the subscriptions?
Regards,
Kelly
It's best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either set up Managed Identity or use the Client Credentials Flow using the Service Principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.

Automation RBAC requirements for Security Center/Sentinel Playbooks

I am currently in the process of setting up a Sentinel POC. Within Sentinel you have playbooks, which are basically Logic Apps; they are the same as the playbooks in Security Center.
I need to know what permissions I need on target subscriptions in order to automate remediation of alerts, for example isolate a VM, stop a VM, etc.
Our Sentinel will have its own subscription in a tenant where there are hundreds of subscriptions.
It's best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
As for the exact permissions for this service principal / managed identity, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.

Give access to IOT hub to an external developer in Azure

I need to give access to Azure IoT hub to an external company. How do I do that?
I can't figure out how to add them in Azure Active Directory while also restricting their access to only the IoT Hub.
If your intention is to grant others access to the Azure IoT Hub and send messages, a simple IoT Hub device client should be good enough.
I don't see the point of creating some user account in Azure AD.
You can create a new device client either in the Azure Portal or with Device Explorer. Either way, you need to share the "connection string" of the device with the external developers, with which they can connect to Azure IoT Hub to send/receive messages using azure-iot-sdk.
By the way, azure-iot-sdk supports multiple platforms (Windows/Linux/mbed, etc.) and multiple languages (C#, Java, C/C++, Python, etc.). So even a hardware developer can set things up pretty quickly.
That's how I share my Azure IoT Hub with others and hope it's helpful to you.
You can add an external user (a user from another Azure AD tenant) to your directory following the instructions documented here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/#add-external-users
Once you've added the external user to the directory, you can choose to grant them access to resources in your Azure subscription (they'll only have access to what you choose to grant them access to) just like you would any other resource.
In the following image, Peter Smith, from Fabrikam, Inc. (peter.smith#fabrikam.com) has been invited as an external user into Contoso Corp's tenant (contoso.com), and can be assigned the "Contributor" role for an IoT Hub:
The user, then, simply needs to sign in to the Azure portal (https://portal.azure.com), and switch to your company's Azure AD tenant. In the following image, Peter Smith, who is homed in the fabrikam.com tenant, can switch contexts to the Contoso Corp tenant because he is an external user there:
Once the user has switched tenants, he'll be able to see any resources he's been granted access to in that tenant.
