Comments (10)
Hi again @letmetechyou . There are several permissions that are configured during the deployment process.
Essentially, the script will create 2x App Registrations (1 for the UI, and 1 for the API Engine), then assign a set of API permissions to said App Registrations, and finally grant Admin consent. In order to successfully complete each of these steps, you need several Azure permissions, which are described in the Prerequisites section found here: https://azure.github.io/ipam/#/deployment/README?id=prerequisites
So, a couple of questions...
- Does the account which you deployed the IPAM solution from have the documented permissions?
- Did you see any errors during the deployment process?
I'm also happy to set up a 1:1 session with you to work through troubleshooting this. Obviously if something happened incorrectly during our deployment automation, I want to ensure it's resolved for you as well as any other folks who will deploy IPAM in the future.
Thanks for the feedback & partnership!
Now that you say that, I did get an error on a permission trying to get created during the initial install, but it still went through so I didn't catch what permission it was. Let me run through it again real quick and see if I can grab a screenshot of it.
Sounds good @letmetechyou. Let me know what the error was and I'll add some logic into the deployment script to better handle that in the future with proper error messages.
Much appreciated!
Here is the message. I think the error message may just not have been clear, but looking at the "forbidden", that is probably what caused it. I used an account that had account owner and it worked.
I see, thanks for the screenshot @letmetechyou. It appears the portion of the automation that is failing is where it is attempting to assign "Reader" permissions for the Engine App Registration to the Root Management group.
Does your user have the ability to change RBAC for the Root Management Group (e.g. Global Administrator or Owner/User Access Admin at that scope)?
I ended up using the owner account. But the other account may not. I'm testing this as a POC for an enterprise to use this. Is there a least-priv access that can be applied? The Azure account doesn't stay with the app service, does it? Is the account only used for installation of the initial deployment?
Hey @letmetechyou, the account that you use to run the deployment script is not used again post deployment. The only things that are used are the 2x App Registrations that we create for which we have reduced those privileges to the least possible they can be. The Engine uses "Reader" at the Root Management Group level to provide global visibility (at the tenant level) for all of the networking related items so Network Admins can accurately view all of the relationships that exist.
We talk more about these App Registrations in the IPAM Infrastructure section here:
https://azure.github.io/ipam/#/README?id=ipam-infrastructure
In a large enterprise, it's more likely a separate team would manage the creation of the App Registrations and assignment of their permissions, and another team (perhaps like the one you are a part of) would deploy the infrastructure components into Azure. For that use case you can deploy IPAM in 2 parts:
- App Registration Only Deployment: https://azure.github.io/ipam/#/deployment/README?id=app-registration-only-deployment
- Infrastructure Only Deployment: https://azure.github.io/ipam/#/deployment/README?id=infrastructure-stack-only-deployment
In this case, the first deployment will create the App Registrations, apply permissions, etc. It will then spit out a parameters JSON file you can use in the second step for the infrastructure deployment.
I hope that makes sense and helps to clarify a few things. If not, please continue to reach out here, and we'll make sure you get all of the support you need.
Thanks again!
I know I'm kind of going down this same thread, but now when I'm in the tool it doesn't seem to be discovering anything. I was able to add a space and block, but it doesn't seem to understand my subscription type either.
Hey @letmetechyou, I see that you have selected your subscription. By selecting subscriptions in this view, it EXCLUDES them from IPAM (by default all subscriptions are included). That is likely why you're not seeing anything.
You may want to check out our how-to guide here for more details on getting everything setup and using IPAM:
https://azure.github.io/ipam/#/how-to/README
For the subscription type, that is likely a miss on my part setting up the proper SKU to identify a PAYGO subscription type. I'll get that updated shortly. Good catch.
If you're still stuck after that, let me know and we can set up a 1:1 for me to personally walk you through everything.
OK, thanks. I'll comb through everything again as much as I can, and if I have an issue I'll try and set up a 1 on 1.