
[Hubs] Use of pre created Entra ID SPN to deploy the resources

Open sepenet opened this issue 1 year ago • 11 comments

As a customer and FinOps toolkit user, I need the toolkit deployment pipeline to be able to use an already created SPN provided by the Entra ID team, as my user does not have permission to create an app in Entra ID.

sepenet (Aug 07 '24 14:08)

@sepenet Is this for FinOps hubs managed exports?

flanakin (Aug 15 '24 02:08)

Hi @flanakin, it is to install the FinOps toolkit, but I guess it will also be a valid request to set up the exports.

sepenet (Aug 16 '24 09:08)

Thanks for the details. I added it to the backlog. I'll talk to @MSBrett to see what's needed for this. In the meantime, please create exports manually.

flanakin (Aug 28 '24 08:08)

Hi @flanakin, it is to install the FinOps toolkit, but I guess it will also be a valid request to set up the exports.

To confirm - you're having issues installing FTK because you don't have permissions to create the managed identities we use during deployment for managing the triggers, etc. and need to supply a pre-created SPN instead?

MSBrett (Aug 28 '24 15:08)

Hello

Yes, the CX contact has an issue installing FTK: he does not have permission to create managed identities, and the security team would like him to use a pre-created SPN with limited permissions instead. The same SPN should also be used to manage the exports.

Thanks for your support


sepenet (Sep 09 '24 06:09)

The customer I am assisting with setting up the FinOps Toolkit, is also interested in this feature. Using a pre-created Managed Identity in the target environment is especially important in regulated/government-based environments.

AErmie (Dec 02 '24 18:12)

@sepenet Would you mind giving this a 👍? We're tracking the issues with the most votes for prioritization and I'd like to make sure this gets everyone's votes 🙂

flanakin (Feb 03 '25 08:02)

Quick follow-up question that came up recently.

Since the Managed Identity for the Data Factory is used to interact with Azure Cost Management, exports, etc., could we add/attach a User assigned managed identity to the Data Factory?

The scenario we're encountering is if we have to re-deploy the FTK, then we have to go back and ask the team that manages Entra ID to re-grant the new Managed Identity the proper EA Department Reader permissions.

Since it is not yet supported to use an existing Service Principal, we're hoping that if the Data Factory's System Assigned Managed Identity does not have the correct permissions at the assigned scope, it would "fall back" to using the UAMI.

This would allow us to still have a single Service Principal with the correct permissions, and not have to re-grant permissions anytime the FTK might have to be re-deployed.

AErmie (Apr 28 '25 14:04)

@AErmie I don't think it will fall back automatically. I think it'd have to be configured to use one or another. I'm not familiar with this but I'm assuming it's doable.

@MSBrett, you know more about this space. Any thoughts?

flanakin (Apr 29 '25 08:04)

Thanks @flanakin. When I check the Role Assignment for the system assigned managed identity that's configured on the Data Factory, it shows the following:

[Image: role assignments shown for the Data Factory's system-assigned managed identity]

So, the portal doesn't show the Scope assignment (presumably because in our case it's at the Enterprise Agreement level, and not at the Subscription level).

So in theory (untested), we could turn off the System Assigned managed identity, and add a User Assigned managed identity, and it "should just work" (provided that we grant it the same/correct permissions against the target Storage Account).

Q: Has using a User Assigned Managed Identity (UAMI) been attempted/tested by the FinOps Toolkit team?

AErmie (Apr 29 '25 11:04)

It's possible to use a user assigned MI or a SPN for the installation as long as the identity has the required permissions. No difference to a normal user installing the product.

Post install it's possible to swap out the identity used in the pipelines for either a user assigned MI or a SPN, but upgrades will undo that.

If the identity doing the deployment doesn't have permissions to create the required MIs we use for the install or perform the necessary role assignments, it will fail.

You can manually create the exports rather than relying on the managed exports feature - that way the identity doesn't need permissions against the EA, the same as things work under an MCA today.

We don't plan to support BYO identity as we need to do a bunch of role assignments to resources that get created during the installation.

For environments with policies in place to prevent creating identities/private DNS zones/etc in prod we recommend installing to a staging OU where the policies are less restrictive, moving the RG to prod when configuration is complete, allowing policy to audit the RG and then applying exceptions as appropriate.

MSBrett (Apr 29 '25 19:04)
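As an added example (not code from the FinOps toolkit or from anyone in this thread) of the manual post-install swap MSBrett describes and the UAMI approach AErmie asks about, the Bicep below attaches a pre-created user-assigned managed identity to the hub's Data Factory, registers it as a Data Factory credential that linked services and web activities can reference, and grants it Storage Blob Data Contributor on the hub storage account only. The factory, storage account and identity names are parameters you supply, the credential name is an assumption, and the billing-scope permission (for example EA Department Reader) is granted outside ARM and is not covered here.

```bicep
// Added example, not part of the FinOps toolkit: attach a pre-created
// user-assigned managed identity (UAMI) to an already deployed hub Data
// Factory and grant it least-privilege access to the hub storage account.
// All resource names are supplied by the caller (assumed to be in this RG).
param dataFactoryName string           // factory created by the hub deployment
param storageAccountName string        // hub storage account
param userAssignedIdentityName string  // pre-created UAMI
param location string = resourceGroup().location  // must match the factory's current location

// Built-in role "Storage Blob Data Contributor" (well-known role definition GUID).
var storageBlobDataContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: userAssignedIdentityName
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Re-declare the factory with the UAMI attached. The system-assigned identity is
// kept so existing role assignments on it keep working until the swap is done.
// Caveat: a PUT replaces the factory's top-level properties, so copy any existing
// factory-level settings (globalParameters, publicNetworkAccess, repoConfiguration)
// into this declaration before deploying.
resource factory 'Microsoft.DataFactory/factories@2018-06-01' = {
  name: dataFactoryName
  location: location
  identity: {
    type: 'SystemAssigned,UserAssigned'
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
}

// Data Factory credential that linked services / web activities reference
// so they authenticate as the UAMI instead of the system-assigned identity.
resource uamiCredential 'Microsoft.DataFactory/factories/credentials@2018-06-01' = {
  parent: factory
  name: 'finops-hub-uami'  // assumed name
  properties: {
    type: 'ManagedIdentity'
    typeProperties: {
      resourceId: uami.id
    }
  }
}

// Data-plane role scoped to the hub storage account only, not the resource group.
resource storageRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, uami.id, storageBlobDataContributor)
  scope: storage
  properties: {
    roleDefinitionId: storageBlobDataContributor
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output credentialName string = uamiCredential.name
output uamiPrincipalId string = uami.properties.principalId
```

Deploy it with `az deployment group create -g <hub-rg> -f attach-uami.bicep -p dataFactoryName=<factory> storageAccountName=<storage> userAssignedIdentityName=<uami>`, then point the relevant linked services and web activities at the `finops-hub-uami` credential. As MSBrett notes above, a toolkit upgrade redeploys the factory and will undo this change, so plan to re-apply it after each upgrade; the UAMI's role assignments themselves survive because they are bound to the UAMI's object ID rather than to the factory.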