Azure Infrastructure Setup
Have an existing Azure configuration?
If you have an existing Azure app in Opal that has not been configured to manage infrastructure resources, you can enable infrastructure management under the app's Setup tab in Opal.
To manage access to Azure Subscriptions and Resource Groups, you must grant additional permissions to the Opal application.
Requirements
- Admin access to the Azure root management group.
Step 1: Create Opal Service Role
- In the Azure Portal, navigate to Tenant Root Management Group -> Access Control (IAM) -> Add -> Add custom role.
- Navigate to JSON -> Edit. Replace the default definition with the one in the following snippet, substituting in your management group ID.
{
"properties": {
"roleName": "Opal Service Role",
"description": "Contains the necessary permissions for Opal to provision access",
"assignableScopes": [
"/providers/Microsoft.Management/managementGroups/<YOUR_MANAGEMENT_GROUP_ID>"
"/subscriptions/<SUBSCRIPTION_IDS_WITH_STORAGE_ACCOUNTS>"
],
"permissions": [
{
"actions": [
"Microsoft.Management/getEntities/action",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourcegroups/resources/read",
"Microsoft.Authorization/permissions/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ClassicCompute/virtualMachines/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.SQL/servers/read",
"Microsoft.Sql/managedInstances/databases/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
]
}
}
Note: If your Azure tenant includes Storage Accounts, you will also need to list the parent subscription IDs under assignableScopes
. This is due to an Azure API limitation that does not allow assigning dataActions
such as reading Storage Account Blobs to Management Groups.
- Click Next, and then Create to create the role.
Step 2: Create Role Assignment
- In the Azure portal, navigate to Tenant Root Management Group -> Access control (IAM) -> Add role assignment.
- Under Role, select the Opal Service Role (found under "Privileged administrator roles").
- Select the Members tab. Add the Opal application as a member.
- Select the Conditions tab -> Select roles and principals.
- Select Open advanced condition editor. Toggle Editor type from "Visual" to "Code".
- Paste in the following code, substituting in your Opal app's Object ID, and save. This condition prevents the Opal application from having the ability to escalate its own access by assigning roles to itself.
( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) ) OR ( @Request[Microsoft.Authorization/roleAssignments:PrincipalId] GuidNotEquals <OPAL_APP_OBJECT_ID> ) )
- Navigate to Review + assign. Complete assigning the role by clicking Review + assign.
Step 3: Allowing sessions for SQL Databases [Optional]
- Follow instructions here if you want to enable Opal to manage SQL Database logins.
Once this is completed, you should be all set!
Updated 2 days ago