UAMI for Azure-org - Coggle Diagram
UAMI for Azure-org
What do we know
Azure-org currently uses vault permissions
Pipeline is broken, and we think we need to use a UAMI to fix the broken credentials
Started using UAMIs with PIM
Authentication Methods
Vault credentials w/ Global Administrator
generated dynamically every pipeline run
Created with the vault-bootstrap application registration
Vault-bootstrap is the owner of a security group that holds the Global Administrator role, and can create service principals inside that group which inherit the role
Problem when permissions are not covered by group membership, in this case anything outside RBAC
Secret-based authentication
PIM/Conditional Access: group-based GA role assignment is not sufficient
User-assigned managed identity
can be assigned more granular API permissions, not limited to just RBAC permissions
Uses an IDP to authenticate (in this case, Gitlab is the IDP)
Limitation: a federated credential can be scoped to a GitLab project path and branch, but wildcards are not supported
can only use UAMIs for deploy jobs
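As an added example (not part of these notes), the following script shows what the no-wildcard limitation means in practice: the UAMI needs one federated credential per GitLab branch that is allowed to deploy. Identity name, resource group, GitLab issuer URL and project path are placeholders; the GitLab subject claim format and the `az identity federated-credential create` flags are the real ones.

```shell
# Added example: one federated credential per branch on a user-assigned managed
# identity, because the GitLab subject claim cannot contain wildcards.
# All names/URLs below are placeholders (constructed for this example).
set -eu

# GitLab ID tokens carry a "sub" claim of this fixed shape; a federated
# credential matches exactly one project path + ref type + ref.
gitlab_subject() {
  # $1 = project path (group/project), $2 = ref type (branch|tag), $3 = ref name
  printf 'project_path:%s:ref_type:%s:ref:%s' "$1" "$2" "$3"
}

# Derive a credential name from the branch (only [A-Za-z0-9-] allowed).
credential_name() {
  printf 'fc-%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9-' '-')"
}

# Build the az CLI command (as a string, for review/dry-run) that registers
# the credential on the UAMI for one branch.
federated_credential_cmd() {
  # $1 = identity name, $2 = resource group, $3 = issuer URL, $4 = project path, $5 = branch
  printf 'az identity federated-credential create --name %s --identity-name %s --resource-group %s --issuer %s --subject %s --audiences api://AzureADTokenExchange' \
    "$(credential_name "$5")" "$1" "$2" "$3" "$(gitlab_subject "$4" branch "$5")"
}

# Enumerate every branch that may run deploy jobs and register one credential
# each. Commands are printed unless UAMI_APPLY=1, in which case az is invoked.
register_branches() {
  identity=$1; rg=$2; issuer=$3; project=$4; shift 4
  for branch in "$@"; do
    if [ "${UAMI_APPLY:-0}" = "1" ]; then
      az identity federated-credential create \
        --name "$(credential_name "$branch")" --identity-name "$identity" \
        --resource-group "$rg" --issuer "$issuer" \
        --subject "$(gitlab_subject "$project" branch "$branch")" \
        --audiences api://AzureADTokenExchange
    else
      federated_credential_cmd "$identity" "$rg" "$issuer" "$project" "$branch"
      printf '\n'
    fi
  done
}

# Placeholder values: dry-run by default, UAMI_APPLY=1 to create them for real.
register_branches uami-azure-org-deploy rg-identity https://gitlab.example.com azure-org/b2b-lab main release
```

On the pipeline side the deploy job requests an ID token with `id_tokens:` and `aud: api://AzureADTokenExchange`, then signs in with `az login --service-principal --username <client id> --tenant <tenant id> --federated-token "$TOKEN"`; a job on any branch without its own credential gets no token exchange.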
Design
UAMI for b2b resource deployment in lab
permissions for resources defined in b2b user module
refactor conditional access UAMI with broader permission scope
Questions