Azure Credentials
This section discusses Azure credentials.
Authenticate with Azure using a certificate
You can authenticate with Azure using a certificate as a secret.
As with password authentication, the certificate is stored with the Azure service principal.
For more information, see the Microsoft documentation on certificate credentials for service principals.
- Log into Compute Console.
- Go to Manage > Cloud accounts.
- Click Add account.
- In Select cloud provider, choose Azure.
- Enter a name for the credential.
- In Subtype, select Certificate.
- In Certificate, enter your service principal's certificate in PEM format. The certificate must include the private key: concatenate the public certificate with the private key (for example, cat client-cert.pem client-key.pem).
- Enter a tenant ID.
- Enter a client ID.
- Enter a subscription ID.
- Click Next.
- In Scan account, disable Agentless scanning.
- Click Next.
- Click Add account.
- Validate the credential. Your Azure credential is now available to be used in the various integration points in the product, including registry scanning, serverless function scanning, and so on. If authentication with a certificate is supported, it is shown in the credential drop-down in the setup dialog (for example, the setup dialog for scanning Azure Container Registry).

After setting up your integrations, you can review how and where the credential is being used by going to Manage > Authentication > Credentials store and clicking on the credential.
Create an Azure Service Principal
Create an Azure Service Principal so that Prisma Cloud Console can scan your Azure tenant for microservices.
To get a service key:
- Download and install the Azure CLI.
- Create a service principal and configure its access to Azure resources.

    $ az ad sp create-for-rbac \
        --name <user>-twistlock-azure-cloud-discovery-<contributor|reader> \
        --role <reader|contributor> \
        --scopes /subscriptions/<yourSubscriptionID> \
        --sdk-auth

  The --role value depends upon the type of scanning:
- contributor = Cloud Discovery + Azure Container Registry Scanning + Azure Function Apps Scanning
- reader = Cloud Discovery + Azure Container Registry Scanning
  Copy the output of the command and save it to a text file. You will use the output as the Service Key when creating an Azure credential.

    {
      "clientId": "bc968c1e-67g3-4ba5-8d05-f807abb54a57",
      "clientSecret": "5ce0f4ec-5291-42f8-gbe3-90bb3f42ba14",
      "subscriptionId": "ae01981e-e1bf-49ec-ad81-80rf157a944e",
      "tenantId": "d189c61b-6c27-41d3-9749-ca5c9cc4a622",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }

- Open Console, and go to Manage > Authentication > Credentials Store.
- Click Add credential, and enter the following values:
- Enter a descriptive Name for the credential.
- In the Type field, select Azure.
- Enter the Service Key. Copy and paste the contents of the text file you saved earlier when you created the service principal.
- Save your changes.
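Both procedures on this page end with pasting a sensitive artifact into Console: the PEM bundle (public certificate followed by the private key) in the certificate procedure, and the JSON service key printed by az ad sp create-for-rbac --sdk-auth in the service-principal procedure. A malformed bundle (key missing, blocks in the wrong order) or a truncated service key only surfaces as a vague validation failure later, so it is worth checking both locally first. The following script is an added example, not Prisma Cloud's own tooling or an Azure API; the PEM bundle and service key it checks are constructed placeholders, and the required-field and GUID rules it applies are assumptions based on the shape of the output shown above.

```python
import json
import re
from typing import List

# Constructed sample inputs (placeholders, not real key material): a bundle built the
# way the procedure describes (cat client-cert.pem client-key.pem) and a service-key
# document in the shape that `az ad sp create-for-rbac --sdk-auth` prints.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUCONSTRUCTEDPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCCONSTRUCTEDPLACEHOLDER
-----END PRIVATE KEY-----
"""

SAMPLE_SERVICE_KEY = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-placeholder-secret",
    "subscriptionId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "tenantId": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
})

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Fields Console needs from the service key (assumption: the four identity fields
# shown in the sample output; the endpoint URLs are treated as optional).
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")
GUID_KEYS = ("clientId", "subscriptionId", "tenantId")


def check_pem_bundle(pem: str) -> List[str]:
    """Return the problems found in a cert+key bundle; an empty list means it looks right."""
    problems: List[str] = []
    kinds = [m.group(1) for m in PEM_BLOCK_RE.finditer(pem)]
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block found")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append("no PRIVATE KEY block found (the bundle must include the private key)")
    # The procedure concatenates the public cert first, then the key.
    if kinds and kinds[0] != "CERTIFICATE":
        problems.append("first block is not the certificate; concatenate cert before key")
    return problems


def check_service_key(raw: str) -> List[str]:
    """Return the problems found in the pasted service-key JSON; empty list means OK."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (truncated paste?): {exc.msg}"]
    if not isinstance(doc, dict):
        return ["service key must be a JSON object"]
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not str(doc.get(key, "")).strip():
            problems.append(f"missing or empty field: {key}")
    for key in GUID_KEYS:
        value = str(doc.get(key, ""))
        if value and not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID: {value}")
    for key, value in doc.items():
        if key.endswith("Url") and not str(value).startswith("https://"):
            problems.append(f"{key} is not an https URL: {value}")
    return problems


def redacted_summary(raw: str) -> dict:
    """Identity fields only, with the secret masked, so a check can be logged safely."""
    doc = json.loads(raw)
    return {k: doc.get(k) for k in GUID_KEYS} | {"clientSecret": "***"}


if __name__ == "__main__":
    print("bundle:", check_pem_bundle(SAMPLE_BUNDLE) or "ok")
    print("service key:", check_service_key(SAMPLE_SERVICE_KEY) or "ok")
    print("summary:", redacted_summary(SAMPLE_SERVICE_KEY))
```

Run the two checks on the files you are about to paste (the bundle from the cat command, the text file saved from the az output); anything other than an empty list means the paste will not authenticate. Only redacted_summary is safe to put in a log or ticket, since clientSecret and the private key are the credential itself.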
Storing the credential in Prisma Cloud
Store the service principal’s credentials in Console so that Prisma Cloud can authenticate with Azure for scanning.