Bug 1374319 - explicit required permissions for the Azure provider user
Summary: explicit required permissions for the Azure provider user
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.6.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: GA
: 5.7.0
Assignee: Red Hat CloudForms Documentation
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard: doc
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-08 12:40 UTC by Colin Arnott
Modified: 2018-04-04 04:41 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-04 04:41:28 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)

Description Colin Arnott 2016-09-08 12:40:55 UTC
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding-azure-providers

Section Number and Name:
3.2.1.8 Adding Azure Providers: credentials

Describe the issue: 
The Azure provider currently provides no information on the required role for the client id/client key credentials, my security standards prevent me from giving cart blanch access to my Azure environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my Azure environment.

Suggestions for improvement:
Add a section indicating required permissions for the Azure provider.

Additional information:

Comment 4 Jeff Teehan 2016-09-21 20:27:06 UTC
You need to add the Active Directory app as a "Contributor" to each resource group, or the entire subscription.  While other roles may work, I haven't tested them.  I know reader doesn't work, I suspect owner may.

USER   ROLE          ACCESS

CFME   Contributor   Inherited

Comment 5 Andrew Dahms 2016-10-31 00:58:05 UTC
Hi Daniel, Jeff,

Thank you for the information!

Moving back to the default assignee for now, and we will be in touch again as we work on this one.

Kind regards,

Andrew

Comment 7 Andrew Dahms 2018-04-04 04:41:28 UTC
Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.


Note You need to log in before you can comment on or make changes to this bug.