This document describes the agents that Promitor provides, which Microsoft Azure services they consume, and the minimal permissions that every entity requires to be functional.

Overview

Here is an overview of our Promitor agents and their integrations:

Azure Integration Promitor Scraper Promitor Resource Discovery
Azure Monitor
Azure Resource Graph

Each agent needs an Azure AD identity to authenticate to Microsoft Azure.

In order to achieve this, you’ll need to create an Azure AD Application,

Supported Authentication Mechanisms

Our agents provide the following authentication mechanisms:

For details on how to configure the authentication, we recommend reading our agent configuration documentation.

Service Principal Authentication

Every agent needs to be configured with the following environment variables:

Managed Identity Authentication

When using Managed Identity, you can use one of the following scenarios:

⚠ To use managed identity, your Kubernetes cluster must be hosted on Microsoft Azure.

Permission Overview

Required permissions for Azure Monitor

Identities that are used to integrate with Azure Monitor need to have Monitoring Reader permission on the subscription, resource group and/or resources that will be queried.

More information can be found here.

Required permissions for Azure Resource Graph

Identities that are used to integrate with Azure Resource Graph need to have Reader permission on the subscription, resource group and/or resources that will be queried.

⚠ If you are re-using this identity to integrate with Azure Monitor, make sure to also grant it the permissions required for Azure Monitor.

More information can be found here.
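To check an identity against the minimal roles listed above, the following added example (not part of Promitor or its documentation) audits role assignments in the JSON shape returned by `az role assignment list --assignee <id> --all -o json`. The integration keys, the subscription ID, the resource group names and the sample assignments are constructed assumptions.

```python
# Minimal role per integration, as stated in the permission overview above.
# The dictionary keys are hypothetical labels chosen for this example.
REQUIRED_ROLE = {
    "azure-monitor": "Monitoring Reader",
    "azure-resource-graph": "Reader",
}

# Constructed placeholder scopes; replace with the scopes your agents query.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"

# Constructed sample; in practice json.load() the CLI output instead.
SAMPLE = [
    {"roleDefinitionName": "Monitoring Reader", "scope": RG_APP},
    {"roleDefinitionName": "Contributor", "scope": RG_APP},
]


def covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited by target_scope."""
    a = assigned_scope.rstrip("/").lower()  # Azure resource IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def audit(assignments, integrations, target_scopes):
    """Compare an identity's role assignments with the minimal roles it needs."""
    needed = sorted({REQUIRED_ROLE[i] for i in integrations})
    held = [(a["roleDefinitionName"], a["scope"]) for a in assignments]
    missing = [
        (role, target)
        for target in target_scopes
        for role in needed
        if not any(r == role and covers(s, target) for r, s in held)
    ]
    # A role that is not needed, or that sits on a scope unrelated to every
    # target, goes beyond the minimum and is a candidate for removal.
    excess = [
        (r, s)
        for r, s in held
        if r not in needed
        or not any(covers(s, t) or covers(t, s) for t in target_scopes)
    ]
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    report = audit(SAMPLE, ["azure-monitor", "azure-resource-graph"], [RG_APP, RG_DATA])
    for kind in ("missing", "excess"):
        for role, scope in report[kind]:
            print(f"{kind.upper():8}{role} on {scope}")
```

Passing both integrations models an identity that is re-used for Azure Monitor and Azure Resource Graph, so both roles are expected on every queried scope.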
