Granular Roles and Permission for Azure
Summary
When performing any account-related operation, such as creating a Storage Account, or any compute operation, such as creating a Virtual Machine, the request must be authenticated by a Service Principal object in the subscription's Azure Active Directory.
The Service Principal object can be one of 3 types:
- A User in the Active Directory.
- A Registered application in the Active Directory.
- A Managed Identity in the Active Directory.
There are 2 types of Managed Identities:
- System-Assigned Managed Identity: bound to a specific Azure resource, for example a Virtual Machine, and shares that resource's life cycle.
- User-Assigned Managed Identity: can be applied to multiple Azure resources within a Subscription and has an independent life cycle.
In 8.0, Zerto chose to use a User-Assigned Managed Identity that is applied to the ZCA virtual machine.
When a Managed Identity is used for authentication, Azure checks two things for every operation:
- The resource that issued the request (the ZCA) has been given an identity.
- The roles assigned to that identity are sufficient for the operation.
If either condition is not met, the operation fails.
Before installing Zerto, the Managed Identity must be created and configured with the required permissions, and then applied to the ZCA Virtual Machine.
Steps
When installing ZCA, Zerto requires the following roles to be applied to the ZCA's identity:
- Owner or Contributor.
- Storage Blob Data Contributor.
- Storage Queue Data Contributor.
If you prefer to configure the custom role using Azure PowerShell and a pre-configured JSON, you can follow this guide:
https://www.zerto.com/myzerto/knowledge-base/installation-of-zerto-virtual-replication-zvr-in-azure-in-environments-requiring-reduced-permissions/
To create and assign the custom role via the Azure Portal, follow the steps below:
Navigate to All Services and click Subscriptions.
Select the Subscription to which the ZCA is associated.
Navigate to Access control (IAM) and click Roles.
Click Add and select Add custom role.
Define the Custom Role using the permissions listed in Zerto - Prerequisites & Requirements for Microsoft Azure Environments, in the section Minimum Required Azure Permissions.
Paste the permissions from the JSON format located here into the permissions section in the JSON tab, or add them using the Permissions tab.
The custom role is created in Azure Active Directory (AAD). If ZCAs exist on multiple Subscriptions under the same Tenant, the custom role only needs to be created once; it is then assigned to all the needed subscriptions, either under assignableScopes in the JSON tab or by adding them in the Assignable scopes tab.
Attach the created role to the identity
Just like in previous versions, the role must be assigned to the identity set on the ZCA VM. The only difference is that instead of applying the 3 built-in roles:
- Owner or Contributor.
- Storage Blob Data Contributor.
- Storage Queue Data Contributor.
only the custom role must be added.
To attach the custom role:
Navigate to All Services and click Subscriptions.
Select the Subscription to which the ZCA is associated.
Navigate to Access control (IAM), click Add and select Add a role assignment.
In the Add role assignment window, configure the following:
- Role: <the custom role name>
- Assign access to: User Assigned Managed Identity
- Subscription: the subscription to which the ZCA is associated.
- Select: the User-Assigned Managed Identity.
Click Save.
The user can then continue with the installation.
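The following is an added example, not part of this article or of Zerto's tooling. It builds the Portal-style custom-role JSON with one assignableScopes entry per subscription (the multi-subscription case described above) and then mirrors the two conditions Azure evaluates on every ZCA request: the identity is attached to the VM, and that identity holds the custom role at a scope covering the VM's subscription. The role name, the sample subscription and identity ids, and the action strings are placeholders; take the real permission list from the Minimum Required Azure Permissions section.

```python
"""Build the ZCA custom-role JSON for several subscriptions and pre-check that each
ZCA VM's identity holds it. Added illustration, not Zerto tooling; actions are placeholders."""
import json

ROLE_NAME = "Zerto ZCA Custom Role"  # assumed name; any name is fine
# Placeholders only: substitute the list from Zerto's "Minimum Required Azure Permissions".
PLACEHOLDER_ACTIONS = ["Microsoft.Compute/virtualMachines/read"]
PLACEHOLDER_DATA_ACTIONS = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]

def build_role_definition(subscription_ids, actions, data_actions):
    """Portal 'JSON tab' layout: one role, assignable to every listed subscription."""
    return {"properties": {
        "roleName": ROLE_NAME,
        "description": "Minimum permissions for the Zerto Cloud Appliance",
        "assignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": list(data_actions), "notDataActions": []}],
    }}

def scope_covers(assignment_scope, target_scope):
    """Assignments are inherited downward: a subscription-level assignment covers
    every resource group and resource beneath that subscription."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def precheck(vm_identities, assignments, zca_vms, role_name=ROLE_NAME):
    """The two conditions Azure evaluates: (1) the ZCA VM carries the identity, (2) that
    identity holds the role at a scope covering the VM's subscription. Empty list = pass."""
    findings = []
    for vm_id, sub_id, identity in zca_vms:
        if identity not in vm_identities.get(vm_id, set()):
            findings.append(f"{vm_id}: identity {identity} is not attached to the VM")
            continue
        sub_scope = f"/subscriptions/{sub_id}"
        if not any(a["principalId"] == identity and a["roleName"] == role_name
                   and scope_covers(a["scope"], sub_scope) for a in assignments):
            findings.append(f"{vm_id}: {role_name} not assigned to {identity} at {sub_scope}")
    return findings

# Constructed sample: two ZCAs in two subscriptions; the role was assigned only in SUB_A.
SUB_A, SUB_B, MI = "sub-aaaa", "sub-bbbb", "mi-object-id-1"
SAMPLE_VMS = [("zca-a", SUB_A, MI), ("zca-b", SUB_B, MI)]
SAMPLE_VM_IDENTITIES = {"zca-a": {MI}, "zca-b": {MI}}
SAMPLE_ASSIGNMENTS = [{"principalId": MI, "roleName": ROLE_NAME, "scope": f"/subscriptions/{SUB_A}"}]

if __name__ == "__main__":
    print(json.dumps(build_role_definition([SUB_A, SUB_B], PLACEHOLDER_ACTIONS, PLACEHOLDER_DATA_ACTIONS), indent=2))
    print(precheck(SAMPLE_VM_IDENTITIES, SAMPLE_ASSIGNMENTS, SAMPLE_VMS))
```

In a real environment the inputs to precheck come from the VM's identity settings and the subscription's role assignments; the sample run reports only the second ZCA, whose subscription the single assignment does not cover.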