Apono Connector for Azure
This guide is intended for admins who want to install a Connector in an Azure environment and connect it to Apono in order to automate permission management in Azure.
Overview
To integrate with Azure and start managing JIT access to Azure cloud resources, you must first install a connector in your Azure environment.
This can be done by one of the following methods:
- Using Terraform
- Using Azure CLI
What's a connector? What makes it so secure?
The Apono Connector is an on-prem component that connects your resources to Apono while keeping the Apono web app separated from your environment, for maximal security.
Read more about the recommended Azure Installation Architecture.
How to install the Connector
Using Terraform
Prerequisites
- Required CLI: terraform
- Administrator permission on the subscription you want to connect
- Administrator permissions on AzureAD
- Azure Container Instances service
Step 1 - Create a Connector
- From the Integration Catalog, select Azure
- Pick Subscription and then +Add new connector
- Pick Terraform (Container Instance)
- Copy the Token
Important: before you start, copy the connector Terraform params and export them in the terminal.
Step 2 - Install Apono Connector Module
variable "apono_token" {
  type      = string
  sensitive = true
}
variable "resource_group" { type = string }
variable "subnet_id" { type = string }

module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken    = var.apono_token    # exported in the terminal as TF_VAR_apono_token
  resourceGroup = var.resource_group # exported as TF_VAR_resource_group
  ipAddressType = "Private"          # or "None"
  subnetIds     = [var.subnet_id]    # exported as TF_VAR_subnet_id
}
Run terraform init to validate that the configuration works.
Validate the Connector is Connected
You can validate that the Connector is installed on the Connector status page.
Results
In the Apono app, you will see that the connector was found, with a green checkmark indication.
You can now integrate an Azure Subscription.
Using Azure CLI
Prerequisites
- Required CLI: azure-cli
- Administrator permission on the subscription you want to connect
- Administrator permissions on AzureAD
Step 1 - Create a Connector
- From the Integration Catalog, select Azure
- Pick Subscription and then +Add new connector
- Pick CLI (Container Instance)
- Copy the Token
Step 2 - Install Apono Connector Module
- Fill in and export the following environment variables:
export APONO_CONNECTOR_ID=apono-connector
export APONO_TOKEN=
export SUBSCRIPTION_ID=
export RESOURCE_GROUP_NAME=
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
- Run the following command to deploy the connector on the Azure Container Instance service:
export PRINCIPAL_ID=$(az container create \
  --subscription $SUBSCRIPTION_ID \
  --resource-group $RESOURCE_GROUP_NAME \
  --name $APONO_CONNECTOR_ID \
  --ports 80 \
  --os-type linux \
  --image registry.apono.io/apono-connector:<<connectorVersion>> \
  --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io \
    CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' \
  --cpu 1 --memory 1.5 \
  --registry-login-server registry.apono.io \
  --registry-username apono \
  --registry-password $APONO_TOKEN \
  --location $REGION \
  --assign-identity \
  --query identity.principalId --output tsv)
- Add the "User Access Administrator" role to the connector in the subscription scope:
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
- Add the "Directory Readers" role to the connector for Azure AD:
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
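A post-install least-privilege check, added here as an example and not part of Apono's tooling: it reads the output of az role assignment list --assignee $PRINCIPAL_ID --all --output json and reports any Azure RBAC assignment on the connector identity beyond the single subscription-scoped "User Access Administrator" role created above (the Directory Readers role is an Azure AD role and does not appear in that output). The principal and subscription IDs in the sample are constructed.

```python
import json

# Baseline from the CLI install steps above: exactly one Azure RBAC
# assignment, "User Access Administrator" on the subscription scope.
EXPECTED_ROLE = "User Access Administrator"

# Constructed identifiers standing in for $PRINCIPAL_ID and $SUBSCRIPTION_ID.
CONNECTOR_PRINCIPAL_ID = "aaaaaaaa-0000-0000-0000-000000000001"
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"


def audit_connector_assignments(assignments_json, principal_id, subscription_id):
    """Return (missing, unexpected): `missing` is True when the expected
    subscription-scoped assignment is absent; `unexpected` lists every other
    assignment held by the connector identity (broader scope or other role)."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    found_expected = False
    unexpected = []
    for a in json.loads(assignments_json):
        if a.get("principalId") != principal_id:
            continue  # ignore entries that belong to any other principal
        role = a.get("roleDefinitionName")
        scope = a.get("scope") or ""
        if role == EXPECTED_ROLE and scope.lower() == expected_scope:
            found_expected = True
        else:
            unexpected.append({"role": role, "scope": scope})
    return (not found_expected), unexpected


# Constructed sample in the shape of `az role assignment list ... --output json`:
# the expected assignment plus a root-scope Owner assignment that should not exist.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": CONNECTOR_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE,
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": CONNECTOR_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/"},
])

if __name__ == "__main__":
    import sys
    # Pass a file saved from the az command as argv[1]; otherwise use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    missing, extra = audit_connector_assignments(raw, CONNECTOR_PRINCIPAL_ID, SUBSCRIPTION_ID)
    if missing:
        print("expected subscription-scoped User Access Administrator assignment not found")
    for item in extra:
        print(f"unexpected assignment: {item['role']} at scope {item['scope']}")
```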
Validate the Connector is Connected
You can validate that the Connector is installed on the Connector status page.
Results
In the Apono app, you will see that the connector was found, with a green checkmark indication.
You can now integrate an Azure Subscription.