Azure Connection Scanning Configuration Using Custom Roles


1.0 Introduction

This article describes the least-privilege permissions that Fortanix Key Insight needs in Azure and how to grant them with an Azure custom role created through an Azure CLI script.

2.0 Configure Azure Access Using Custom Roles

Use the Azure Command-Line Interface (CLI) script to configure Azure access using a custom role that follows the principle of least privilege.

For a comprehensive list of permissions required for the Azure custom role, refer to Azure Connection Permissions.

The Azure script helps you to:

  • Create an Azure service principal.

  • Create a custom role with specific permissions.

  • Assign the custom role to the service principal within the scope of the subscription or management group.

NOTE

  • Run the script in a Bash-compatible shell (for example, Azure Cloud Shell or Linux/macOS terminal).

  • You must have the following permissions at the appropriate levels:

    • The Application Administrator or Cloud Application Administrator role at the Azure tenant level. These roles allow app registration and service principal creation in Microsoft Entra ID.

    • The Owner, User Access Administrator, or Role Based Access Control Administrator role at the Subscription or Management Group level, which is needed to create and assign a custom role.

Perform the following steps to configure an Azure cloud using the Azure script with Subscription or Management Group scopes:

  1. Download the following script (.sh) file:

    fortanix_key_insight_azure_cloud_onboarding.sh
  2. Run the following command to make the script executable:

    chmod +x fortanix_key_insight_azure_cloud_onboarding.sh
  3. Use the various options to run the script at different scopes:

    • Subscription scope

      ./fortanix_key_insight_azure_cloud_onboarding.sh -s <subscription-id>
    • Management Group scope

      ./fortanix_key_insight_azure_cloud_onboarding.sh -m <management-group-name-or-id>

      NOTE

      You can specify either a subscription ID or a management group ID as the scope, but not both.

    • Use the following command to get all the available options:

      ./fortanix_key_insight_azure_cloud_onboarding.sh -h
  4. After the script runs successfully, it outputs the following values:

    • Subscription ID or Management Group ID

    • Client ID

    • Client secret

    • Tenant ID

    You must use these values to set up the Azure cloud connection in Fortanix Key Insight. Refer to Getting Started With Cloud Connection for guidance on establishing a connection to Azure within Fortanix Key Insight.

  5. After you complete the configuration and scan your Azure resources, you can view the discovery and assessment results in the Fortanix Key Insight dashboard. The dashboard provides a detailed overview of your scanned key vaults and the keys in those vaults, along with the use of these keys in services. You will see an assessment of the keys with a risk score, highlighting any violations, expired keys, disabled key rotation, vulnerable keys, and instances where the same key is used across multiple resources.

    For more information on the Azure dashboard, refer to Azure Connection - User Interface Components.
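The three actions the onboarding script performs (create a service principal, create a custom role, assign it at exactly one scope), as an added Bash example that is not the Fortanix script itself. It assumes a logged-in Azure CLI session; the two actions in the role definition are placeholders, and the real list must be taken from Azure Connection Permissions.

```shell
#!/usr/bin/env bash
# Added example, not the Fortanix onboarding script. Builds a least-privilege
# custom role, creates a service principal and assigns the role at one scope.
# ASSUMPTION: the two actions below are placeholders; use the real list from
# Azure Connection Permissions. 'onboard' needs Azure CLI ('az') and a login.
set -eu

# Map the subscription / management-group choice to an ARM scope string.
# Exactly one of the two must be non-empty, otherwise return 1 (the
# "either a subscription ID or a management group ID, but not both" rule).
build_scope() {
  local sub="$1" mg="$2"
  if [ -n "$sub" ] && [ -n "$mg" ]; then return 1; fi
  if [ -n "$sub" ]; then printf '/subscriptions/%s' "$sub"; return 0; fi
  if [ -n "$mg" ]; then
    printf '/providers/Microsoft.Management/managementGroups/%s' "$mg"; return 0
  fi
  return 1
}

# Emit a custom role definition whose only assignable scope is the one given.
# Control-plane read actions only: no wildcards, no write or delete actions.
role_definition_json() {
  local name="$1" scope="$2"
  cat <<EOF
{
  "Name": "$name",
  "Description": "Read-only scanning role (placeholder action list)",
  "Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["$scope"]
}
EOF
}

# End-to-end flow with the Azure CLI. create-for-rbac prints appId, password
# and tenant: the Client ID, Client secret and Tenant ID the connection needs.
onboard() {
  local role="KeyInsightScanner" scope
  scope="$(build_scope "${SUBSCRIPTION_ID:-}" "${MANAGEMENT_GROUP_ID:-}")" \
    || { echo "set exactly one of SUBSCRIPTION_ID or MANAGEMENT_GROUP_ID" >&2; return 1; }
  role_definition_json "$role" "$scope" > role.json
  az role definition create --role-definition @role.json
  # A freshly created custom role can take a minute to propagate; rerun if it fails.
  az ad sp create-for-rbac --name "$role" --role "$role" --scopes "$scope"
}

if [ "${RUN_ONBOARD:-0}" = 1 ]; then onboard; fi
```

Run with `SUBSCRIPTION_ID=<id> RUN_ONBOARD=1 ./onboard.sh` or `MANAGEMENT_GROUP_ID=<id> RUN_ONBOARD=1 ./onboard.sh`; setting both is rejected before any Azure call is made.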

3.0 Additional References
