Azure Cloud
Last modified on November 9, 2024
This configuration guide explains how to add Azure as a cloud resource in StrongDM. Configuration involves creating the Azure cloud resource, enabling it to support the proxy, and adding the cloud in StrongDM. After setup is complete, you will be able to manage access to your Azure cloud environment in the command line via StrongDM.
Limitations
- There is no SDK, Terraform, Ansible, or other such support for Azure.
- The Azure driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.
Azure Cloud Properties
Azure resources support the Azure CLI (az).
In StrongDM, there are two types of Azure cloud resources: Azure, which is configured to accept a password; and AzureCertificate, which is configured to accept a certificate file.
Both Azure and AzureCertificate cloud types always bind to port 65113.
Prerequisites
- In StrongDM, you must have the Admin permission level.
- You must have administrator access to your Azure cloud environment and be familiar with the Azure CLI (az).
- Your Azure Active Directory account must have permission to create a service principal.
- You must have the Azure CLI downloaded and installed.
Steps
Generate credentials
- Log in to Azure (az login).
- In the Azure CLI, create an Azure service principal with the az ad sp create-for-rbac command.
- Decide which type of sign-in authentication the service principal should use (password-based or certificate-based authentication), and follow the instructions provided.
Create a service principal with a password
Use the following command, being sure to replace the placeholders with the actual values:
az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --scopes $SCOPES
For example, your command may look like this:
az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b
From the output, copy the appId, tenant, and password values. You need them later when setting up the Azure cloud type in StrongDM. Note that you can reset the password key if you forget it, but you cannot retrieve it later.
Your example output may look similar to this:
{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "name": "http://myName",
  "password": "generatedPassword",
  "tenant": "myTenantId"
}
Create a service principal with a self-signed certificate
Use the following command with the --create-cert argument, being sure to replace the placeholders with the actual values:
az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --create-cert
For example, your command may look like this:
az ad sp create-for-rbac --name ExampleName --role Contributor --create-cert
From the output, copy the appId and tenant values. From the PEM file, copy the entirety of the file, which includes the private key and certificate values. You need them later when setting up the AzureCertificate cloud type in StrongDM.
Your example output may look similar to this:
{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "name": "http://myName",
  "fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
  "password": null,
  "tenant": "myTenantId"
}
Example contents of the new PEM file:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END CERTIFICATE-----
CLI setup
To set up Azure cloud in the CLI, open your terminal. While logged in to StrongDM, use the following command:
sdm admin clouds add azure
You can view all help text and options by appending --help or -h to the same command:
NAME:
sdm admin clouds add azure - create Azure (Password) cloud
USAGE:
sdm admin clouds add azure [command options] <name>
OPTIONS:
--app-id value the application ID to authenticate with (required, secret)
--egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
--password value service principal password (required, secret)
--port-override value port profile override (default: -1)
--secret-store-id value secret store id
--tags value tags e.g. 'key=value,...'
--template, -t display a JSON template
--tenant-id value the tenant ID to authenticate to (required, secret)
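The following is an added example (not StrongDM's or Azure's own code) that ties the credential-generation steps above to the sdm command: it reads the JSON that az ad sp create-for-rbac prints, refuses output from the --create-cert flow (password is null there) and roles that can assign further roles (the privilege-escalation caveat under Limitations), checks that a PEM meant for AzureCertificate carries both the private key and the certificate, and assembles the argv for sdm admin clouds add azure. The function names and the sample values are constructed for this illustration.

```python
"""Added example, not StrongDM's or Azure's own code: check the values that
`az ad sp create-for-rbac` prints before handing them to StrongDM, and build
the `sdm admin clouds add azure` argv shown on this page."""
import json

# Azure RBAC roles that can create role assignments, i.e. hand out more
# privilege; the Limitations section says the driver does nothing to stop that.
ROLES_THAT_ASSIGN_ROLES = {"owner", "user access administrator"}


def role_can_grant_privilege(role):
    """True if the role passed to --role can itself assign roles."""
    return role.strip().lower() in ROLES_THAT_ASSIGN_ROLES


def parse_sp_output(raw):
    """Return appId, tenant and password from the create-for-rbac JSON; raise
    if a key is missing or password is null (the --create-cert output)."""
    data = json.loads(raw)
    creds = {k: data.get(k) for k in ("appId", "tenant", "password")}
    missing = [k for k, v in creds.items() if not v]
    if missing:
        raise ValueError("output lacks usable " + ", ".join(missing))
    return creds


def pem_has_key_and_cert(pem):
    """The AzureCertificate type needs the whole PEM: key and certificate."""
    return ("-----BEGIN PRIVATE KEY-----" in pem
            and "-----END PRIVATE KEY-----" in pem
            and "-----BEGIN CERTIFICATE-----" in pem
            and "-----END CERTIFICATE-----" in pem)


def sdm_add_azure_argv(name, sp_json, role):
    """argv for `sdm admin clouds add azure` (password cloud type)."""
    if role_can_grant_privilege(role):
        raise ValueError(f"role {role!r} can assign roles; pick a narrower one")
    c = parse_sp_output(sp_json)
    return ["sdm", "admin", "clouds", "add", "azure",
            "--app-id", c["appId"], "--tenant-id", c["tenant"],
            "--password", c["password"], name]


# Constructed samples in the shape of the outputs shown above.
SAMPLE_PASSWORD_OUTPUT = ('{"appId": "myAppId", "displayName": "myDisplayName",'
                          ' "name": "http://myName", "password": "generatedPassword",'
                          ' "tenant": "myTenantId"}')
SAMPLE_CERT_OUTPUT = ('{"appId": "myAppId", "fileWithCertAndPrivateKey":'
                      ' "C:\\\\myPath\\\\myNewFile.pem", "password": null, "tenant": "myTenantId"}')
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nMIIE...\n-----END CERTIFICATE-----\n")
```

Because the password is passed as a command-line option, run the resulting command from a script or secret-aware wrapper rather than an interactive shell whose history is kept.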
Admin UI setup
If you would rather set up Azure cloud in the StrongDM Admin UI, go to Resources > Clouds and click the Add cloud button.
The Azure cloud resource provides access to the az or Azure CLI utility. If you intend to connect to a specific Azure-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
Set the following properties:
Property | Requirement | Description |
---|---|---|
Display Name | Required | Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >). |
Cloud Type | Required | Select Azure if you are using password-based authentication; select AzureCertificate if you are using certificate-based authentication. |
Secret Store | Optional | Credential store location; defaults to Strong Vault |
App ID | Required | For the Azure cloud type, set the appId copied from the password-based service principal output. |
Tenant | Required | Set the tenant copied from the service principal output. |
Password | Required | For the Azure cloud type, set the password key copied from the password-based service principal output. |
Certificate | Required | For the AzureCertificate cloud type, paste the entirety of the PEM file of the service principal with a self-signed certificate, which contains the private key and certificate values. |
Click Create to save the configuration settings.
CLI usage
After you have generated credentials, created the resources in Azure, and added Azure as a cloud type in StrongDM, you should be able to call Azure in the CLI via sdm az or sdm azure.
Note that Azure can only use sdm az cli, which passes your az arguments in order following that command (for example, sdm az cli aks list).
You can use sdm azure --help to view example usage and command options:
NAME:
sdm azure - azure commands
USAGE:
sdm azure command [command options] [arguments...]
COMMANDS:
cli Execute an Azure CLI Command.
OPTIONS:
--help, -h show help
Logging
In the Cloud Logs section of the Admin UI, you can find all of the activities of the users who accessed the Azure resource. Note that StrongDM attempts to drop credentials out of logs for display in the Admin UI, but it does not replace them with any placeholder values for Azure resources.
User Setup Steps and Usage
This section describes general installation and usage for the users in your organization. You can follow along by logging in with a User permission level.
For your organization’s users to access the Azure cloud resource via StrongDM, they need to install the following:
- The StrongDM Desktop application
- The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the StrongDM desktop application and click the Upgrade button.
- The Azure CLI
After installation, users must exit and restart the desktop app, and then select the Azure cloud resource to connect to.
Users can then open a terminal and use the Azure CLI through StrongDM, with the base syntax of sdm az cli instead of the usual az. Commands are always the same as with the Azure CLI, just with the sdm az cli prefix instead.
Connection to Multiple Cloud Resources
If your organization has multiple Azure cloud resources, and you are connected to more than one at once, you may specify a --name value in commands in order to specify which one you intend to execute the command on. For example, sdm az --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single Azure cloud resource connected.