
How to onboard MS Azure account to Kloudle

Priyam Singh
#kloudle #azure

What is Kloudle?

Kloudle is a Digital Assets Security Automation Platform for SREs and DevOps. When integrated with your Cloud or SaaS provider, Kloudle takes periodic security snapshots and provides complete security contextual visibility that allows you to make informed decisions about your infrastructure, the assets and their various configurations.

Kloudle collects metadata about the resources and analyses it to identify misconfigurations. Using a massive research-powered knowledge base, it identifies what would go wrong if these misconfigurations were exploited and what you can do to fix them.

As part of making sure the lives of SREs and DevOps become easier, Kloudle offers the ability to create “rules” that allow a user to take automated actions against a baseline. These automated actions, which we call Security Processes, allow users to configure a series of steps that kick in when custom events occur to ensure the security of the monitored cloud and SaaS platform.

What is this document about?

This document details the steps to set up an Azure service principal, add the required roles, and generate the credentials for the service principal that are required for onboarding Azure to Kloudle. There are two ways of setting up the Azure service principal, via the web console or using a quick automated script in Cloud Shell, as described in the following sections. Users can follow either of the two.

Azure Service Principal setup via web console

Kloudle needs a Service Principal to onboard an Azure account. The following sections show how to create a service principal, add the required roles, and generate credentials for the service principal via web console to be used for onboarding Azure to Kloudle.

Pre-Requisites when using the web console

The following is the pre-requisite for creating a service principal via the web console:

  1. An Azure account that has Owner/Administrator privileges to Azure. The user should be able to create App Registrations

Create a new App registration

  1. Start a new App registration using the link https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false

  2. Provide kloudle-app-readonly as the name

  3. Select Accounts in this organizational directory only (Default Directory only - Single tenant) under Supported account types

  4. Click on Register

    Register an Application

  5. Note the following values from the App page. These values will be required when onboarding the Azure account to Kloudle

    a. Application (client) ID
    b. Directory (tenant) ID

    Application page

Generate an App Secret for the app

  1. Click on Add a certificate or secret

  2. Click on New client secret

    New client secret

  3. Give the secret a description of kloudle-app-secret and choose expiry of 12 months

    Add client secret

  4. Click on Add to create the secret

  5. Copy the value of the secret as this will not be shown again. This value is the Application (client) Secret

    Application secret value

Get Azure Subscription ID

  1. Search for Subscriptions in the Azure search box

    Azure Subscriptions

  2. Under Subscriptions, note the Subscription ID of the one that you want to onboard to Kloudle

    Azure Subscription ID

Assign Roles to the App for Azure Access

Assign the “Reader” permission

  1. Click on the selected Subscription and in the subscription detail page, click on Access Control (IAM)

  2. Click on “+ Add” and Add role assignment

    Add role assignment

  3. In the Add role assignment page, click on Reader role. Click the Next button

    Add Reader role

  4. Click on “+ Select members” and in the right pane, type the name of the app that was created. Select the application when it is populated. Click Select. Click on the Next button

    Select members

  5. Click on Review + assign button

    Review and Assign role

Assign the “Reader and Data Access” permission

  1. In the subscription detail page, click on Access Control (IAM)

  2. Click on “+ Add” and Add role assignment

    Add role assignment

  3. Search for the Reader and Data Access role and click Next

    Reader and Data Access role

  4. Select the app in the next page and click Next

  5. Review the role and click on “Review + assign” button

    Review and Assign role

Assign the “Security Reader” permission

  1. In the subscription detail page, click on Access Control (IAM)

  2. Click on “+ Add” and Add role assignment

    Add role assignment

  3. Search for the Security Reader role and click Next

    Security Reader role

  4. Select the app in the next page and click Next

  5. Review the role and click on “Review + assign” button

Assign the “Website Contributor” permission

  1. In the subscription detail page, click on Access Control (IAM)

  2. Click on “+ Add” and Add role assignment

    Add role assignment

  3. Search for the Website Contributor role and click Next

    Website Contributor role

  4. Select the app in the next page and click Next

  5. Review the role and click on “Review + assign” button

Assign the “Web Plan Contributor” permission

  1. In the subscription detail page, click on Access Control (IAM)

  2. Click on “+ Add” and Add role assignment

    Add role assignment

  3. Search for the Web Plan Contributor role and click Next

    Web Plan Contributor role

  4. Select the app in the next page and click Next

  5. Review the role and click on “Review + assign” button

Add Microsoft Graph and Windows Azure AD App Permissions

  1. Search for Azure Active Directory in the Azure Search box

    Azure Active Directory

  2. Click on App Registrations in the left menu and select the App that we created

    App Registrations

  3. Click on API permissions and then “+ Add a permission” as shown below

    Add a permission

  4. Search for the string 00000002-0000-0000-c000-000000000000 in the Request API permissions pane, under the APIs my organization uses tab

    Request API permissions

  5. Select the Windows Azure Active Directory entry that has been found and select Application permissions

    Azure Active Directory Graph permissions

  6. Select Application.Read.All and Directory.Read.All permission from the menu. Click Add permissions

    Select Azure AD Graph permissions

  7. Click on “+ Add a permission” again

    Add more API permissions

  8. Search for 00000003-0000-0000-c000-000000000000 in the Request API permissions pane, under the APIs my organization uses tab

    Request API permissions

  9. Select the Microsoft Graph entry that has been found and select Application permissions

  10. In the Select permissions search box, search for Directory and select Directory.Read.All. Click on Add permissions

    Select Microsoft Graph permissions

  11. The App’s Configured Permissions should look like the following

    Configured permissions for the App

  12. Click on Grant admin consent for Default Directory and Yes on the confirmation to complete this section

    Grant admin consent for Default Directory

  13. The status should turn green for the API permissions that were added as shown below

    API permissions granted

Azure Service Principal setup using an Automated script

Kloudle needs a Service Principal to onboard an Azure account. The following sections show a quick way to create a service principal, add the required roles, and generate credentials for the service principal using an automated script; the resulting credentials are used for onboarding Azure to Kloudle.

Pre-Requisites (when using Automated script)

The following are the pre-requisites for setting up a service principal using the automated script:

  1. An Azure account that has Owner/Administrator privileges to Azure. The user should be able to create App Registrations

  2. Access to Azure Cloud Shell where this script will be run. The Azure Cloud Shell has all the required tooling for this script to work quickly and without additional configuration

  3. Also ensure that you are in the correct Azure account and the correct subscription in Azure Cloud Shell. You can confirm this by running the az account show command before running the script

Steps to set up the service principal

Following are the steps to create a service principal, add the required roles, and generate credentials for the service principal:

  1. Launch Azure Cloud Shell and make sure you are in the correct Azure account and Subscription by running the az account show command in Azure Cloud Shell

    Check Azure Subscription

    Note: If you are running the Azure Cloud Shell for the first time, you will be prompted to choose a Storage and to select Bash or PowerShell. Please choose Bash to proceed

    Select Bash for Azure Cloud Shell

  2. Run the following command in Azure Cloud Shell

    curl -sS https://raw.githubusercontent.com/Kloudle/kloudle-azure-onboarding/main/azure-service-principal-creator.sh | sh

  3. This will create a service principal, add the required roles and generate credentials for the service principal to be used for onboarding the Azure account to Kloudle. Note down the tenant_id, subscription_id, client_id, and client_secret values

    Setup Azure Service Principal
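The web-console steps above and the automated route, written out as Azure CLI commands for Azure Cloud Shell (Bash), as an added example; this is not Kloudle's azure-service-principal-creator.sh and nothing here is taken from it. The app name, secret description, role names, API application IDs and permission names come from this document; the helper names kloudle_required_roles and diff_roles, the create argument, and the offline role check that reports anything missing from or beyond the five documented roles are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not Kloudle's script): the console steps as Azure CLI commands for Azure Cloud Shell,
# plus an offline check that the principal's role set is exactly the one listed in this document.
set -eu
APP_NAME="kloudle-app-readonly"                   # app name used in the console steps
AAD_GRAPH="00000002-0000-0000-c000-000000000000"  # Windows Azure Active Directory API
MS_GRAPH="00000003-0000-0000-c000-000000000000"   # Microsoft Graph API

# Subscription-scope roles the document assigns, one per line.
kloudle_required_roles() {
  printf '%s\n' "Reader" "Reader and Data Access" "Security Reader" \
                "Website Contributor" "Web Plan Contributor"
}

# Reads actual role names (stdin, one per line); prints "missing: X"/"extra: X". No output = exact match.
diff_roles() {
  { kloudle_required_roles | sed 's/^/R /'; sed '/^$/d; s/^/A /'; } |
    awk '{ tag = substr($0, 1, 1); name = substr($0, 3); seen[name] = seen[name] tag }
         END { for (n in seen) { if (index(seen[n], "A") == 0) print "missing: " n
                                 else if (index(seen[n], "R") == 0) print "extra: " n } }' | LC_ALL=C sort
}

create_service_principal() {
  sub_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  # Single-tenant app registration and its service principal (object id avoids directory replication races)
  app_id=$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg --query appId -o tsv)
  sp_oid=$(az ad sp create --id "$app_id" --query id -o tsv)
  kloudle_required_roles | while IFS= read -r role; do
    az role assignment create --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "/subscriptions/$sub_id" >/dev/null
  done
  # Application permissions: resolve app-role ids from each API's service principal, no hard-coded GUIDs
  for spec in "$AAD_GRAPH:Application.Read.All" "$AAD_GRAPH:Directory.Read.All" "$MS_GRAPH:Directory.Read.All"; do
    api=${spec%%:*}; perm=${spec#*:}
    role_id=$(az ad sp show --id "$api" --query "appRoles[?value=='$perm'].id | [0]" -o tsv)
    [ -n "$role_id" ] || { echo "app role $perm not found on $api" >&2; exit 1; }
    az ad app permission add --id "$app_id" --api "$api" --api-permissions "$role_id=Role"
  done
  az ad app permission admin-consent --id "$app_id"
  # 12-month secret as in the console steps; the value is shown only once, so it is captured here
  client_secret=$(az ad app credential reset --id "$app_id" --display-name kloudle-app-secret --years 1 --query password -o tsv)
  echo "Role check (no lines below = exactly the documented roles):"
  az role assignment list --assignee "$app_id" --scope "/subscriptions/$sub_id" --query "[].roleDefinitionName" -o tsv | diff_roles
  printf 'tenant_id=%s\nsubscription_id=%s\nclient_id=%s\nclient_secret=%s\n' "$tenant_id" "$sub_id" "$app_id" "$client_secret"
}

# Only touch Azure when explicitly asked and the CLI exists:  sh azure-sp-setup.sh create
if [ "${1:-}" = "create" ] && command -v az >/dev/null 2>&1; then create_service_principal; fi
```

Because diff_roles reads plain role names from stdin, it can also be run on its own against a principal created by either route, for example after the automated script, to confirm that nothing beyond the documented roles was granted at subscription scope.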

Onboard Azure to Kloudle

Once the Application ID (client_id), Application Secret (client_secret), Directory ID (tenant_id), and Subscription ID (subscription_id) are at hand, follow the steps below to onboard your Azure account to Kloudle:

  1. Log in to your Kloudle workspace at https://app.kloudle.com

  2. In the side menu, go to Manage and select MS Azure under the Cloud Integrations tab

    MS Azure Cloud Integration

  3. On the onboard cloud account page, provide the Account Name. You can give a custom name for the account being onboarded

    Provide account name

  4. Next, under the Authentication Details section, provide the following information that was captured in the previous sections:

    a. Subscription ID (subscription_id)
    b. Directory ID (tenant_id)
    c. Application ID (client_id)
    d. Application Secret (client_secret)

    Add Authentication Details

  5. Once the authentication details are verified, click on the Save button and your Azure account will be onboarded to Kloudle

    Save details to onboard account to Kloudle

Video Instructions

Here’s a video that shows how you can do this.
