src/current/cockroachcloud/byoc-deployment.md
38 additions & 47 deletions
@@ -49,9 +49,38 @@ Once this Azure subscription has been created and configured to host CockroachDB
49
49
50
50
{{ site.data.alerts.end }}
51
51
52
-
## Step 2. Grant admin consent to the BYOC enterprise application
52
+
## Step 2. Set up the admin enterprise application
53
53
54
-
When BYOC is enabled for your account, Cockroach Labs provisions the CockroachDB {{ site.data.products.cloud }} BYOC Reader enterprise application. This application requires admin consent to deploy the read-only infrastructure that is then used by Cockroach Labs support as needed.
54
+
When BYOC is enabled for your account, Cockroach Labs dynamically provisions a multi-tenant admin App Registration associated with your CockroachDB {{ site.data.products.cloud }} organization and provides you with a URL to grant tenant-wide admin consent to the application. Visit this URL with a user account that is [authorized to consent on behalf of your organization](https://learn.microsoft.com/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#prerequisites).
55
+
56
+
Once the Cockroach Labs App Registration has been granted admin consent in the tenant, grant the following set of roles to the app:
57
+
58
+
-`Role Based Access Control Administrator`
59
+
-`Azure Kubernetes Service Cluster User Role`
60
+
-`Azure Kubernetes Service Contributor Role`
61
+
-`Azure Kubernetes Service RBAC Cluster Admin`
62
+
-`Managed Identity Contributor`
63
+
-`Network Contributor`
64
+
-`Storage Account Contributor`
65
+
-`Storage Blob Data Contributor`
66
+
-`Virtual Machine Contributor`
67
+
- A custom role, `Resource Group Manager`, with the following permissions:
The custom `Resource Group Manager` role is required to create and manage resource groups in the subscription. This role is used instead of requesting the more broad `Contributor` role.
80
+
81
+
## Step 3. Set up the reader enterprise application
82
+
83
+
In addition to the admin application, Cockroach Labs provisions the CockroachDB {{ site.data.products.cloud }} BYOC Reader enterprise application. This application also requires admin consent to deploy the read-only infrastructure that is then used by Cockroach Labs support as needed.
55
84
56
85
1. Log in to the Azure portal as a user with Global Administrator or Privileged Role Administrator permissions.
57
86
2. Open the following URL in your browser:
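Review bot: the admin-app role list in this hunk never says at which scope the roles are granted, while the reader section later in the file says "at the subscription scope"; add the scope (subscription or resource group) to "grant the following set of roles to the app". Two further points on the same list: items written as "-`Role Based Access Control Administrator`" (no space after the hyphen) will not render as Markdown list items, unlike "- A custom role, `Resource Group Manager`, with the following permissions:"; and `Role Based Access Control Administrator` lets the app create role assignments, which sits oddly next to the justification "This role is used instead of requesting the more broad `Contributor` role." State why that role is required and, if it only needs to assign a fixed set of roles to workload identities, suggest constraining the assignment with a condition on which roles it may assign.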
@@ -66,51 +95,13 @@ When BYOC is enabled for your account, Cockroach Labs provisions the CockroachDB
The custom `Resource Group Manager` role is required to create and manage resource groups in the subscription. This role is used instead of requesting the more broad `Contributor` role.
92
-
93
-
## Step 3. Grant permissions to the service principle
94
-
95
-
The CockroachDB {{ site.data.products.cloud }} BYOC Reader application creates a read-only service principle. This service principle is only used for read-only access and Kubernetes cluster visibility by Cockroach Labs support.
96
-
97
-
Assign the following Azure RBAC roles to the service principle at the subscription scope:
98
-
99
-
- `Reader`
100
-
- `Azure Kubernetes Service Cluster User Role`
101
-
- `Azure Kubernetes Service RBAC Reader`
102
-
103
-
## Step 4. Configure Azure Lighthouse
104
-
105
-
[Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) enables cross-tenant management to Cockroach Labs with least-privilege access and full customer visibility. You can review or remove this access at any time from the Azure portal.
98
+
3. Review the requested permissions and click **Accept**.
106
99
107
-
This Azure Lighthouse deployment grants the following permissions to Cockroach Labs:
100
+
## Step 4. Grant permissions to the reader service principle with Azure Lighthouse
108
101
109
-
- Access to the CockroachDB {{ site.data.products.cloud }} BYOC reader application for observability.
110
-
- Kubernetes read access for cluster inspection.
111
-
- Administrative access for managed operations.
102
+
The CockroachDB {{ site.data.products.cloud }} BYOC Reader application creates a read-only service principle. Use [Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) to enable cross-tenant management to the service principle with least-privilege access and full customer visibility. You can review or remove this access at any time from the Azure portal.
112
103
113
-
These permissions are granted to Cockroach Labs's managed tenant, which has a tenant ID of `a4611215-941c-4f86-b53b-348514e57b45`, by assigning the following roles to the reader and admin Entra groups within the tenant:
104
+
This Azure Lighthouse deployment grants permissions to Cockroach Labs's managed tenant, which has a tenant ID of `a4611215-941c-4f86-b53b-348514e57b45`, by assigning the following roles to the reader and admin Entra groups within the tenant:
114
105
115
106
- Reader Entra group:
116
107
- `Reader`
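Review bot: "service principle" in the new "Step 4. Grant permissions to the reader service principle with Azure Lighthouse" heading and body (and in the old Step 3 text it replaces) should be "service principal"; now that the typo is in a heading it also ends up in the generated anchor. Also, the new Step 4 paragraph says the reader application "creates a read-only service principle" and then assigns roles to "the reader and admin Entra groups", while the explicit subscription-scope list for the reader principal (`Reader`, `Azure Kubernetes Service Cluster User Role`, `Azure Kubernetes Service RBAC Reader`) and the bullet "Administrative access for managed operations" are removed; say in this paragraph what the admin group is delegated through Lighthouse, otherwise the "read-only" framing reads as the whole story.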
@@ -200,7 +191,7 @@ Follow these steps to enable secure, scoped access for Cockroach Labs to your su
200
191
}
201
192
}
202
193
~~~
203
-
2. Deploy the template at the subscription scope using Azure CLI, Azure PowerShell, or Azure Portal. The following example command uses the Azure CLI:
194
+
2. Deploy the template at the subscription scope using [Azure CLI, Azure PowerShell, or Azure Portal](https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer?tabs=azure-portal#deploy-the-azure-resource-manager-template). The following example command uses the Azure CLI:
204
195
{% include_cached copy-clipboard.html %}
205
196
~~~ shell
206
197
az deployment sub create \
@@ -209,7 +200,7 @@ Follow these steps to enable secure, scoped access for Cockroach Labs to your su
209
200
--template-file byoc-lighthouse.json
210
201
~~~
211
202
212
-
## Step 4. Register resource providers
203
+
## Step 5. Register resource providers
213
204
214
205
Register the following [resource providers](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) in the Azure subscription:
215
206
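Review bot: renumbering "Step 4. Register resource providers" to Step 5 here (and Step 5 to Step 6 in the next hunk) changes the generated heading anchors; check the docs for links to the old step anchors before merging.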
@@ -219,7 +210,7 @@ Register the following [resource providers](https://learn.microsoft.com/azure/az
219
210
- `Microsoft.Quota`
220
211
- `Microsoft.Storage`
221
212
222
-
## Step 5. Create the CockroachDB {{ site.data.products.cloud }} cluster
213
+
## Step 6. Create the CockroachDB {{ site.data.products.cloud }} cluster
223
214
224
215
In BYOC deployments, CockroachDB clusters are deployed with the {{ site.data.products.cloud }} API and must use the {{ site.data.products.advanced }} plan. Follow the API documentation to [create a CockroachDB {{ site.data.products.cloud }} {{ site.data.products.advanced }} cluster]({% link cockroachcloud/cloud-api.md %}#create-an-advanced-cluster).