Comments (10)

DCMattyG commented on September 28, 2024

Hi again @letmetechyou . There are several permissions that are configured during the deployment process.

Essentially, the script will create 2x App Registrations (1 for the UI, and 1 for the API Engine), then assign a set of API permissions to said App Registrations, and finally grant Admin consent. In order to successfully complete each of these steps, you need several Azure permissions, which are described in the Prerequisites section found here: https://azure.github.io/ipam/#/deployment/README?id=prerequisites

So, couple of questions...

  1. Does the account which you deployed the IPAM solution from have the documented permissions?
  2. Did you see any errors during the deployment process?

I'm also happy to set up a 1:1 session with you to work through troubleshooting this. Obviously if something happened incorrectly during our deployment automation, I want to ensure it's resolved for you as well as any other folks who will deploy IPAM in the future.

Thanks for the feedback & partnership!

from ipam.

letmetechyou commented on September 28, 2024

Now that you say that, I did get an error on a permission trying to get created during the initial install, but it still went through so I didn't catch what permission it was. Let me run through it again real quick and see if I can grab a screenshot of it.

from ipam.

DCMattyG commented on September 28, 2024

Sounds good @letmetechyou. Let me know what the error was and I'll add some logic into the deployment script to better handle that in the future with proper error messages.

Much appreciated!

from ipam.

letmetechyou commented on September 28, 2024

[image: errormessage]

Here is the message. I think the error message may just not have been clear but looking at the forbidden probably is what caused it. I used an account that had account owner and it worked.

from ipam.

DCMattyG commented on September 28, 2024

I see, thanks for the screenshot @letmetechyou. It appears the portion of the automation that is failing is where it is attempting to assign "Reader" permissions for the Engine App Registration to the Root Management Group.

Does your user have the ability to change RBAC for the Root Management Group (e.g. Global Administrator or Owner/User Access Admin at that scope)?

from ipam.

letmetechyou commented on September 28, 2024

I ended up using the owner account. But the other account may not. I'm testing this as a POC for an enterprise to use this. Is there a least-priv access that can be applied? The Azure account doesn't stay with the app service, does it? Is the account only used for installation of the initial deployment?

from ipam.

DCMattyG commented on September 28, 2024

Hey @letmetechyou, the account that you use to run the deployment script is not used again post deployment. The only things that are used are the 2x App Registrations that we create, for which we have reduced the privileges to the least possible they can be. The Engine uses "Reader" at the Root Management Group level to provide global visibility (at the tenant level) for all of the networking-related items so Network Admins can accurately view all of the relationships that exist.

We talk more about these App Registrations in the IPAM Infrastructure section here:
https://azure.github.io/ipam/#/README?id=ipam-infrastructure

In a large enterprise, it's more likely a separate team would manage the creation of the App Registration and assignment of their permissions, and another team (perhaps like the one you are a part of) would deploy the infrastructure components into Azure. For that use case you can deploy IPAM in 2 parts:

  1. App Registration Only Deployment: https://azure.github.io/ipam/#/deployment/README?id=app-registration-only-deployment
  2. Infrastructure Only Deployment: https://azure.github.io/ipam/#/deployment/README?id=infrastructure-stack-only-deployment

In this case, the first deployment will create the App Registrations, apply permissions, etc. It will then spit out a parameters JSON file you can use in the second step for the infrastructure deployment.

I hope that makes sense and helps to clarify a few things. If not, please continue to reach out here, and we'll make sure you get all of the support you need.

Thanks again!

from ipam.
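
A check for the two RBAC points in the reply above, as an added example that is not part of the thread or the IPAM project: it reads role assignments shaped like `az role assignment list` JSON output and reports whether the deploying identity can assign roles at the Root Management Group and whether the Engine identity holds anything beyond "Reader". All IDs and sample records are constructed placeholders, and only direct assignments are considered (group membership is not expanded).

```python
# Added example. IDs are constructed placeholders, not values from the thread.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
# By default the Root Management Group's ID equals the tenant ID.
ROOT_MG = f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"
ENGINE_SP = "11111111-1111-1111-1111-111111111111"   # Engine App Registration principal
DEPLOYER = "22222222-2222-2222-2222-222222222222"    # account running the deployment
SUB = "/subscriptions/33333333-3333-3333-3333-333333333333"

# Built-in roles that allow changing RBAC at the scope where they are held.
CAN_ASSIGN = {"Owner", "User Access Administrator"}

def covers_root_mg(scope, root_mg=ROOT_MG):
    """An assignment applies at the root MG if made there or at tenant root '/'."""
    return scope == "/" or scope.lower() == root_mg.lower()

def deployer_can_assign(assignments, principal_id, root_mg=ROOT_MG):
    """True if the identity can create role assignments at the Root Management Group."""
    return any(a["principalId"] == principal_id
               and a["roleDefinitionName"] in CAN_ASSIGN
               and covers_root_mg(a["scope"], root_mg)
               for a in assignments)

def audit_engine(assignments, principal_id, root_mg=ROOT_MG):
    """List deviations from 'Reader at the Root Management Group, nothing more'."""
    mine = [a for a in assignments if a["principalId"] == principal_id]
    findings = [f"unexpected role {a['roleDefinitionName']!r} at {a['scope']}"
                for a in mine if a["roleDefinitionName"] != "Reader"]
    if not any(a["roleDefinitionName"] == "Reader"
               and covers_root_mg(a["scope"], root_mg) for a in mine):
        findings.append("missing Reader at Root Management Group")
    return findings

# Constructed sample 1: deployer is only a subscription Contributor, so the
# Reader assignment for the Engine was never created (the Forbidden case).
SAMPLE_FAILED = [
    {"principalId": DEPLOYER, "roleDefinitionName": "Contributor", "scope": SUB},
]
# Constructed sample 2: deployment succeeded, but the Engine later gained an
# extra write role that the least-privilege design does not call for.
SAMPLE_DRIFT = [
    {"principalId": DEPLOYER, "roleDefinitionName": "Owner", "scope": ROOT_MG},
    {"principalId": ENGINE_SP, "roleDefinitionName": "Reader", "scope": ROOT_MG},
    {"principalId": ENGINE_SP, "roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for name, data in (("failed", SAMPLE_FAILED), ("drift", SAMPLE_DRIFT)):
        print(name, deployer_can_assign(data, DEPLOYER), audit_engine(data, ENGINE_SP))
```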

letmetechyou commented on September 28, 2024

I know I'm kind of going down this same thread, but now when I'm in the tool it doesn't seem to be discovering anything. I was able to add a space and block, but it doesn't seem to understand my subscription type either.

[image]

from ipam.

DCMattyG commented on September 28, 2024

Hey @letmetechyou, I see that you have selected your subscription. By selecting subscriptions in this view, it EXCLUDES them from IPAM (by default all subscriptions are included). That is likely why you're not seeing anything.

You may want to check out our how-to guide here for more details on getting everything set up and using IPAM:
https://azure.github.io/ipam/#/how-to/README

For the subscription type, that is likely a miss on my part setting up the proper SKU to identify a PAYGO subscription type. I'll get that updated shortly. Good catch.

If you're still stuck after that, let me know and we can set up a 1:1 for me to personally walk you through everything.

from ipam.

letmetechyou commented on September 28, 2024

OK thanks, I'll comb through everything again as much as I can, and if I have an issue I'll try and set up a 1 on 1.

from ipam.
