Getting Azure Cloud Scan Credentials
The instructions below outline how to create an Azure service principal to use for scanning Azure cloud configuration with Trava. You’ll need to have an Azure account with access to at least one subscription.
1. Install the Azure Command Line Interface (CLI):
   https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

2. Log in to your Azure account via the CLI:
   > az login
   You'll be directed to a browser to log in with your Azure credentials.

3. Create a Service Principal for Azure SDK via the CLI:
   > az ad sp create-for-rbac -n trava-cloud-scan --sdk-auth > mycredentials.json

4. This will create a file called mycredentials.json in the current directory.

5. Log in to portal.azure.com with an account that has the Global Administrator role.

6. Go to Azure Active Directory > App registrations.

7. Under All applications, find and click on the trava-cloud-scan application.

8. Under API permissions, click on Add a permission.

9. Click on Microsoft Graph > Application permissions, then find and select the following permissions:
   - Under Directory, select Directory.Read.All
   - Under Policy, select Policy.Read.All

10. Click on Add permissions. You will see something similar to the screenshot below.

11. Click on Grant admin consent for…, then click Yes.

12. Go back to portal.azure.com and go to Subscriptions.

13. Click on the subscription you want to include in the scan.

14. Click on Access control (IAM).

15. Under Role assignments, click Add > Add role assignment.

16. In the Role tab, find and click on the Contributor role.

17. In the Members tab, click Select members, then find and select the trava-cloud-scan application that you created in step 3. Click Select to finish adding.

18. Click Review + assign, then click Review + assign again to confirm.

19. Repeat steps 13 through 18 for any other subscriptions that you want to include in the scan.

20. Provide the file (mycredentials.json) to Trava as part of the Cloud Scan setup.
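The portal steps above (Graph API permissions, admin consent, and the per-subscription Contributor assignment) can also be done from the same Azure CLI session used in steps 2 and 3, which is convenient when several subscriptions are in scope. The script below is an added example written for this page; it is not Trava's tooling or part of the Azure CLI. It assumes `az` is installed and logged in, that the service principal from step 3 already exists, and it introduces its own variables (`SP_NAME`, `CRED_FILE`, `APPLY`, `DRY_RUN`). The Microsoft Graph application ID it uses is the well-known value for Graph; the permission IDs for Directory.Read.All and Policy.Read.All are looked up from the Graph service principal at run time rather than hard-coded. Because mycredentials.json contains the client secret for the service principal, the script refuses to proceed if the file is readable by group or other users, and it checks that the fields Trava's setup needs are present and non-empty before the file is handed over.

```sh
#!/bin/sh
# Added example (not Trava's own tooling): drives steps 5-19 with the Azure CLI
# and sanity-checks the credentials file from step 3 before it is shared.
# Assumes `az` is installed and logged in and that the service principal exists.
set -eu

SP_NAME="${SP_NAME:-trava-cloud-scan}"            # name used in step 3
CRED_FILE="${CRED_FILE:-mycredentials.json}"      # output of --sdk-auth in step 3
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph application ID

# Verify the --sdk-auth output has the fields the scan needs and is not readable
# by other users (it holds the client secret). Returns non-zero on any problem.
check_credentials_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # In `ls -l` output, characters 5-10 are the group/other permission bits.
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$f is readable by group/others ($perms); run: chmod 600 $f" >&2; return 1; }
    for key in clientId clientSecret tenantId subscriptionId; do
        grep -q "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]\{1,\}\"" "$f" \
            || { echo "$f lacks a non-empty \"$key\"" >&2; return 1; }
    done
    return 0
}

# Grant the Contributor role (steps 13-18) on one subscription. With DRY_RUN=1 the
# command is printed instead of executed so it can be reviewed first.
assign_contributor() {
    app_id="$1"; sub_id="$2"
    set -- az role assignment create --assignee "$app_id" \
           --role Contributor --scope "/subscriptions/$sub_id"
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Add the two Microsoft Graph application permissions and grant admin consent
# (steps 8-11). Admin consent requires the Global Administrator role from step 5.
grant_graph_permissions() {
    app_id="$1"
    for perm in Directory.Read.All Policy.Read.All; do
        role_id=$(az ad sp show --id "$GRAPH_APP_ID" \
                  --query "appRoles[?value=='$perm'].id | [0]" -o tsv)
        az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
            --api-permissions "${role_id}=Role"
    done
    az ad app permission admin-consent --id "$app_id"
}

# Entry point: runs only when APPLY=1, so the file can be sourced for the checks alone.
# Usage: APPLY=1 sh trava-sp-setup.sh <subscription-id> [<subscription-id> ...]
if [ "${APPLY:-0}" = "1" ]; then
    check_credentials_file "$CRED_FILE"
    app_id=$(az ad sp list --display-name "$SP_NAME" --query "[0].appId" -o tsv)
    grant_graph_permissions "$app_id"
    for sub_id in "$@"; do      # one role assignment per subscription (step 19)
        assign_contributor "$app_id" "$sub_id"
    done
fi
```

Run it with `DRY_RUN=1` first to see the role-assignment commands it would issue. Contributor, as specified in step 16, grants write access to every resource in the subscription; if the scan only reads configuration, the built-in Reader role is the least-privilege alternative, but confirm with Trava before deviating from the documented role.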