Cloud environment permissions for integration between Aqua and Azure Serverless apps (App Services)


To scan Azure Functions, the app registration that Aqua authenticates with needs the Contributor role on the resource group that holds the functions.


First permission needed:

  • Click New registration (or use an existing app registration) > Register.
  • Select "Certificates & secrets" > "Client secrets" > New client secret.
  • Go to the resource group that holds the functions > Access control (IAM).
  • Click "Add" > Add role assignment.
  • Assign the Contributor role to the app registration, scoped to this resource group.

Second permission needed:

  • On the Azure dashboard, open the "Subscriptions" screen, then select your Azure subscription.
  • Open Access control (IAM).
  • Click "Add" and select "Add role assignment".
  • In the "Role" field select "Contributor"; in "Assign access to" select "User, group, or service principal"; in the "Select" field, find and select the app that you registered in the steps above.





Now you are able to integrate your Azure Serverless environment with Aqua!




How to integrate Aqua with an Azure Serverless environment:

  • In the Aqua GUI, go to Administration > Serverless Application and click Add Serverless Application.
  • In the Compute Provider field select Azure Functions and fill in the information (credentials, secrets, and tokens) Aqua needs to access Azure resources.





HOW TO GET AZURE API CREDENTIALS - CLIENT ID, CLIENT SECRET, TENANT ID, AND SUBSCRIPTION ID?

Prerequisite steps, each with its reference topic in the Microsoft documentation:

1. Register at Azure.com as a first step, then log on to your Azure portal account to get the information you need to populate your subscription page.
   For instructions, see Portal.azure.com.

2. Get your Azure subscription ID. The subscription ID is a GUID that uniquely identifies your subscription for using Azure services.
   • Log on to the Azure portal.
   • In the left navigation panel, click Subscriptions. The list of your subscriptions is displayed along with each subscription ID.

3. Ensure that you have the required permissions to create an application in Azure Active Directory (AAD).
   For instructions, see Check Azure Active Directory permissions in the Microsoft documentation.

4. Create an AAD application. In a text editor (such as Notepad), copy the name of the application and label it as Application Name.
   For instructions, see Create an Azure Active Directory application in the Microsoft documentation.

5. Get the Application ID and generate an authentication key for this application. In the text editor, copy the Application ID and label it as Client ID. Copy the authentication key string to the text editor and label it as Client Secret Key.
   For instructions, see Get application ID and authentication key in the Microsoft documentation.

6. Get the Tenant ID, which is the ID of the AAD directory in which you created the application. In the text editor, copy the ID and label it as Tenant ID.
   About Tenants: a tenant represents an organization within Azure Active Directory. It is a dedicated instance of the Azure AD service. An AAD tenant is required for defining an application and for assigning permissions so the application can make use of other Azure services' REST APIs.
   For instructions, see Get tenant ID in the Microsoft documentation.

7. Assign the Contributor role to the application.
   • In the left pane of the Azure portal menu, select Subscriptions.
   • Select your subscription.
   • Select the Access Control (IAM) tab.
   • Add your application.
   • Assign the Contributor role to the application.
   For details, see Assign application to a role in the Microsoft documentation.
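The same setup can be scripted instead of clicked through. The block below is an added example (it is not part of this article and not Aqua's own tooling) that performs the "first permission" procedure (Contributor scoped to the resource group holding the functions) and steps 1 to 7 above with the Azure CLI: it creates the app registration, service principal and client secret with Contributor assigned at the chosen scope, and prints the four values Aqua asks for. The environment variable names AQUA_APP_NAME, AQUA_SUBSCRIPTION_ID, AQUA_RESOURCE_GROUP and AQUA_APPLY, and the default app name, are assumptions of this example; nothing calls az unless AQUA_APPLY=1 is exported, so it is a dry run by default.

```shell
#!/bin/sh
# Added example (not part of the Aqua article or the Aqua product): the "first permission"
# (Contributor on the resource group) and steps 1-7 above done with the Azure CLI.
# Assumed inputs, all placeholders rather than values from the article:
#   AQUA_APP_NAME        name for the app registration (default: aqua-serverless-scanner)
#   AQUA_SUBSCRIPTION_ID subscription GUID
#   AQUA_RESOURCE_GROUP  resource group that holds the functions
# Nothing calls "az" unless AQUA_APPLY=1 is exported, so it is a dry run by default.

# Accept only an 8-4-4-4-12 hex GUID, so a mistyped id cannot become a role
# assignment for the wrong subscription or principal.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# ARM scope strings. Contributor granted at subscription scope is inherited by every
# resource group under it; the resource-group scope is the narrower grant.
subscription_scope()   { printf '/subscriptions/%s' "$1"; }
resource_group_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Run the command when AQUA_APPLY=1, otherwise print it on one line.
run() {
  if [ "${AQUA_APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf 'dry-run:'; printf ' %s' "$@"; printf '\n'
  fi
}

# Steps 4, 5 and 7 in one call: app registration + service principal + client secret,
# with Contributor assigned at the given scope. The JSON it prints carries
# appId (Client ID), password (Client Secret) and tenant (Tenant ID).
create_sp_with_contributor() {
  run az ad sp create-for-rbac --name "$1" --role Contributor --scopes "$2"
}

# "Add role assignment" for an app registration that already exists (pass its appId).
assign_contributor() {
  run az role assignment create --assignee "$1" --role Contributor --scope "$2"
}

# What to run first when the 403 at the end of this article shows up: is the
# assignment really present at that scope?
verify_contributor() {
  run az role assignment list --assignee "$1" --scope "$2" \
    --query "[?roleDefinitionName=='Contributor'].scope" -o tsv
}

setup() {
  app_name=$1; sub_id=$2; rg=$3
  is_guid "$sub_id" || { printf 'not a subscription GUID: %s\n' "$sub_id" >&2; return 1; }
  scope=$(resource_group_scope "$sub_id" "$rg")
  run az account show --query id -o tsv        # step 2: Subscription ID
  create_sp_with_contributor "$app_name" "$scope"
}

setup "${AQUA_APP_NAME:-aqua-serverless-scanner}" \
      "${AQUA_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}" \
      "${AQUA_RESOURCE_GROUP:-functions-rg}"
```

Run it once without AQUA_APPLY to see the exact commands, then with AQUA_APPLY=1 after `az login`. The password field printed by create-for-rbac is the Client Secret and is shown only once; paste it straight into the Aqua form rather than leaving it in shell history. Use assign_contributor with the existing appId if the app registration was already created in the portal, and verify_contributor with the same appId and scope when Aqua reports the AuthorizationFailed error below.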


Keywords: Azure Serverless apps, Serverless


Error:

The following appears in the Aqua server log when the app registration is not authorized for the action over the function's scope, for example because the Contributor role has not been assigned, or was granted so recently that it has not propagated yet:

2021-09-21 13:29:33.828 WARN failed looking up for functions: failed searching functions: failed getting publishDataResult: web.AppsClient#ListPublishingProfileXMLWithSecrets: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'afebffc1-1250-4658-8430-fc74c3a6ca71' with object id 'afebffc1-1250-4658-8430-fc74c3a6ca71' does not have authorization to perform action 'Microsoft.Web/sites/publishxml/action' over scope '/subscriptions/935ecdde-6ac7-416d-9b15-7a603f84b93f/resourceGroups/Automation/providers/Microsoft.Web/sites/acr-slack-webhook' or the scope is invalid. If access was recently granted, please refresh your credentials."

2021-09-21 13:29:33.828 ERROR GET /api/v2/serverless/projects/:project/search_functions [500 Internal Server Error]: code=500, message=failed looking up for functions: failed searching functions: failed getting publishDataResult: web.AppsClient#ListPublishingProfileXMLWithSecrets: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'afebffc1-1250-4658-8430-fc74c3a6ca71' with object id 'afebffc1-1250-4658-8430-fc74c3a6ca71' does not have authorization to perform action 'Microsoft.Web/sites/publishxml/action' over scope '/subscriptions/935ecdde-6ac7-416d-9b15-7a603f84b93f/resourceGroups/Automation/providers/Microsoft.Web/sites/acr-slack-webhook' or the scope is invalid. If access was recently granted, please refresh your credentials."
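The AuthorizationFailed message already names everything needed to fix it: which principal, which action, and which scope. The block below is an added example (not from this article or from Aqua) that extracts those three fields from such a log line and narrows the resource scope down to the resource group, which is the scope at which the article's "first permission" is assigned; the SAMPLE variable holds the WARN line quoted above, embedded so the script runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Aqua article: pull the facts that matter out of an
# AuthorizationFailed line in the Aqua server log and derive the resource-group scope
# at which the Contributor role must be present. SAMPLE is the WARN line quoted above,
# embedded here so the script runs without a live Aqua server or Azure access.

SAMPLE=$(cat <<'EOF'
2021-09-21 13:29:33.828 WARN failed looking up for functions: failed searching functions: failed getting publishDataResult: web.AppsClient#ListPublishingProfileXMLWithSecrets: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'afebffc1-1250-4658-8430-fc74c3a6ca71' with object id 'afebffc1-1250-4658-8430-fc74c3a6ca71' does not have authorization to perform action 'Microsoft.Web/sites/publishxml/action' over scope '/subscriptions/935ecdde-6ac7-416d-9b15-7a603f84b93f/resourceGroups/Automation/providers/Microsoft.Web/sites/acr-slack-webhook' or the scope is invalid. If access was recently granted, please refresh your credentials."
EOF
)

# Each extractor prints one captured field, or nothing if the pattern is absent.
authz_principal() { printf '%s\n' "$1" | sed -n "s/.*The client '\([^']*\)'.*/\1/p"; }
authz_action()    { printf '%s\n' "$1" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p"; }
authz_scope()     { printf '%s\n' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p"; }

# A scope like /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<app>
# narrows to its resource group by dropping everything from /providers/ onward.
scope_to_rg() { printf '%s\n' "$1" | sed 's#/providers/.*##'; }

# Only AuthorizationFailed lines are an RBAC problem; other 403s need a different look.
is_authz_failure() { printf '%s\n' "$1" | grep -q 'Code="AuthorizationFailed"'; }

# Summary of the failure plus the Azure CLI check to run next (read-only: it lists
# existing assignments for that principal at the resource-group scope).
triage() {
  is_authz_failure "$1" || { echo "not an AuthorizationFailed line" >&2; return 1; }
  p=$(authz_principal "$1"); a=$(authz_action "$1"); s=$(authz_scope "$1")
  rg=$(scope_to_rg "$s")
  printf 'principal=%s\naction=%s\nscope=%s\nexpected Contributor at=%s\n' "$p" "$a" "$s" "$rg"
  printf 'check: az role assignment list --assignee %s --scope %s -o table\n' "$p" "$rg"
}

triage "$SAMPLE"
```

The action in the message, Microsoft.Web/sites/publishxml/action, is not a read operation, so a Reader assignment on the resource group is not enough and produces exactly this 403; Contributor, as the article requires, covers it. If the check command lists the Contributor assignment at the expected scope and the error persists, the "If access was recently granted" hint applies: re-save the credentials in Aqua so it obtains a fresh token.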