In some cases, for PyraCloud to function correctly, the customer must manually configure their Azure subscription so that PyraCloud can access the resources and tags in it. Follow these steps to grant access to PyraCloud for a single Azure subscription.
Note: If you need to grant access to PyraCloud for multiple Azure subscriptions, it may be more suitable to use Azure Management Groups. Consult this KB article for more information: Grant Access to PyraCloud with Azure Management Groups
What are the Security Implications?
When you onboard your tenant in PyraCloud (see the Pre-requisites section below), the process creates an Enterprise Application in your tenant called “PyraCloud (Azure)”.
The process below describes assigning the following roles to the “PyraCloud (Azure)” Enterprise Application:
- Tag Contributor (see Microsoft Docs)
- Reader (see Microsoft Docs)
These roles allow PyraCloud to read a list of all the resources in your Azure subscription, and read and write tags on those resources.
You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.
Pre-requisites
Before following the instructions below, your tenant must first be onboarded in PyraCloud. To do this, follow the steps in the following KB article: Activate your EA Cloud Account
Grant Access to an Individual Subscription
To assign the above roles to PyraCloud in a single Azure subscription, follow these steps.
1. In the Azure Portal, navigate to Subscriptions
2. Click the subscription you wish to integrate with PyraCloud
3. Click “Access control (IAM)”
4. Click “Role assignments”
5. Click “Add” => “Add role assignment”
6. Select “Reader” from the “Role” drop-down, then search for “Pyra” in the “Select” textbox. Click the “PyraCloud (Azure)” application and click “Save”.
7. Repeat step 6 but select the “Tag Contributor” role instead of the “Reader” role.
8. The final result looks similar to this:
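The same role assignments made with the Azure CLI instead of the portal, as an added example that is not part of this KB article. It assumes the `az` CLI is installed and logged in, the tenant has already been onboarded so the “PyraCloud (Azure)” enterprise application exists, and the caller exports `SUBSCRIPTION_ID`; the closing check confirms that the service principal holds only Reader and Tag Contributor on that subscription, which is the least-privilege state the article describes.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): the portal steps above done with the
# Azure CLI, followed by a check that the PyraCloud service principal holds only
# the two expected roles on the subscription. Assumes az is installed and
# logged in, the tenant is already onboarded (so the enterprise application
# exists), and SUBSCRIPTION_ID is exported by the caller.
set -eu

APP_DISPLAY_NAME="PyraCloud (Azure)"

# ARM scope string for a subscription id.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# Compare the role names actually assigned (one per line in $1) with the two
# roles the article calls for; report missing or extra roles, return 1 on drift.
check_roles() {
  actual=$1; status=0
  for role in "Reader" "Tag Contributor"; do
    if ! printf '%s\n' "$actual" | grep -qx "$role"; then
      echo "missing role: $role"; status=1
    fi
  done
  extra=$(printf '%s\n' "$actual" | grep -v '^$' \
          | grep -vx -e "Reader" -e "Tag Contributor" || true)
  if [ -n "$extra" ]; then
    echo "unexpected role(s) beyond the two required:"; echo "$extra"; status=1
  fi
  return $status
}

# Assign Reader and Tag Contributor to the enterprise application's service
# principal at subscription scope, then verify the resulting assignments.
grant_pyracloud_access() {
  scope=$(subscription_scope "$1")
  sp_id=$(az ad sp list --display-name "$APP_DISPLAY_NAME" --query '[0].id' -o tsv)
  if [ -z "$sp_id" ]; then
    echo "service principal '$APP_DISPLAY_NAME' not found: onboard the tenant first" >&2
    return 1
  fi
  for role in "Reader" "Tag Contributor"; do
    az role assignment create --assignee-object-id "$sp_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" -o none
  done
  check_roles "$(az role assignment list --assignee "$sp_id" --scope "$scope" \
                 --query '[].roleDefinitionName' -o tsv)"
}

if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  grant_pyracloud_access "$SUBSCRIPTION_ID"
fi
```

Run it as `SUBSCRIPTION_ID=<your subscription id> ./grant-pyracloud.sh`; a non-zero exit with a "missing role" or "unexpected role" line means the assignments do not match what the article expects.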