diff --git a/cloud/integrations.mdx b/cloud/integrations.mdx index 1cff12d..40b0f71 100644 --- a/cloud/integrations.mdx +++ b/cloud/integrations.mdx @@ -527,15 +527,32 @@ References: Supported Azure Services: - Virtual Machines +- Public IP Addresses +- Traffic Manager +- Storage Accounts +- Azure Kubernetes Service (AKS) +- Content Delivery Network (CDN) +- DNS Zones and Records +- Application Gateway & Load Balancer +- Container Instances +- App Service & Web Apps +- Azure Functions +- API Management +- Front Door +- Container Apps +- Static Web Apps **Azure Integration Method:** -To connect ProjectDiscovery to your Azure account, you will need to create and configure an **App Registration** in Azure Active Directory. This process generates a Service Principal with the necessary credentials and permissions to monitor your cloud assets in a secure, read-only manner. +ProjectDiscovery Cloud Platform uses Microsoft's modern **Track 2 SDK** for Azure integration, providing enhanced security, performance, and support for the latest Azure services. The integration supports **6 authentication methods** to accommodate various cloud deployment scenarios while maintaining 100% backward compatibility with existing configurations. -The required credentials are: +### Quick Setup Options + +**For most users (Service Principal method):** +Create an App Registration in Azure Active Directory with the following required credentials: - Azure Tenant ID -- Azure Subscription ID +- Azure Subscription ID - Azure Client ID - Azure Client Secret @@ -556,7 +573,7 @@ Below are the steps to get the above credentials: { "properties": { "roleName": "CloudList Reader", - "description": "Minimal permissions for CloudList to discover Azure resources (VMs, Public IPs, Traffic Manager)", + "description": "Minimal permissions for CloudList to discover Azure resources including VMs, Storage, AKS, CDN, DNS, and more", "assignableScopes": [ "/subscriptions/" ], 
@@ -568,7 +585,22 @@ Below are the steps to get the above credentials: "Microsoft.Compute/virtualMachines/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/trafficManagerProfiles/read" + "Microsoft.Network/trafficManagerProfiles/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.ContainerService/managedClusters/read", + "Microsoft.Cdn/profiles/read", + "Microsoft.Cdn/profiles/endpoints/read", + "Microsoft.Network/dnszones/read", + "Microsoft.Network/dnszones/recordsets/read", + "Microsoft.Network/applicationGateways/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.ContainerInstance/containerGroups/read", + "Microsoft.Web/sites/read", + "Microsoft.Web/sites/functions/read", + "Microsoft.ApiManagement/service/read", + "Microsoft.Network/frontDoors/read", + "Microsoft.App/containerApps/read", + "Microsoft.Web/staticSites/read" ], "notActions": [], "dataActions": [], 
@@ -583,20 +615,24 @@ Below are the steps to get the above credentials: - Virtual machines: `Microsoft.Compute/virtualMachines/read`, plus RG/subscription reads - Public IPs: `Microsoft.Network/publicIPAddresses/read` - Traffic Manager: `Microsoft.Network/trafficManagerProfiles/read` + - Storage Accounts: `Microsoft.Storage/storageAccounts/read` + - AKS Clusters: `Microsoft.ContainerService/managedClusters/read` + - CDN: `Microsoft.Cdn/profiles/read`, `Microsoft.Cdn/profiles/endpoints/read` + - DNS: `Microsoft.Network/dnszones/read`, `Microsoft.Network/dnszones/recordsets/read` + - App Services: `Microsoft.Web/sites/read` + - Functions: `Microsoft.Web/sites/functions/read` + - Container Apps: `Microsoft.App/containerApps/read` - After creating the role, assign it to the App Registration under Role assignments. - Alternatively, if creating custom roles is not feasible in your environment, you may assign the built-in **Reader** role to the App Registration. This provides broader read access across the subscription and may exceed least-privilege needs. - Note your **Subscription ID** from the subscription's overview page. 4. **Connect:** - Enter the four collected credentials (Tenant ID, Client ID, Client Secret, and Subscription ID) into ProjectDiscovery Cloud Platform to configure the integration. -To use CLI, follow the instructions mentioned in the references below. - References: -1. https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli -2. https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac -3. https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli -4. https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal +1. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal +2. https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal +3. 
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals diff --git a/opensource/cloudlist/providers.mdx b/opensource/cloudlist/providers.mdx index 3ad0b38..7455193 100644 --- a/opensource/cloudlist/providers.mdx +++ b/opensource/cloudlist/providers.mdx 
@@ -221,31 +221,90 @@ References: Supported Azure Services: - Virtual Machines - -**Example Config:** - -Microsoft Azure can be integrated by using the following configuration block. - + - Public IP Addresses + - Traffic Manager Profiles + - Storage Accounts + - Azure Kubernetes Service (AKS) + - Content Delivery Network (CDN) + - DNS Zones and Records + - Application Gateway & Load Balancer + - Container Instances + - App Service & Web Apps + - Azure Functions + - API Management + - Front Door + - Container Apps + - Static Web Apps + +**Example Configurations:** + +Microsoft Azure integration supports multiple authentication methods via the modern Track 2 SDK. Here are examples for different scenarios: + +**1. Client Secret Authentication (Most Common):** ```yaml -- provider: azure # provider is the name of the provider - # id is the name defined by user for filtering (optional) - id: staging - # client_id is the client ID of registered application of the azure account (not requuired if using cli auth) +- provider: azure + id: production client_id: $AZURE_CLIENT_ID - # client_secret is the secret ID of registered application of the zure account (not requuired if using cli uth) client_secret: $AZURE_CLIENT_SECRET - # tenant_id is the tenant ID of registered application of the azure account (not requuired if using cli auth) tenant_id: $AZURE_TENANT_ID - #subscription_id is the azure subscription id subscription_id: $AZURE_SUBSCRIPTION_ID - #use_cli_auth if set to true cloudlist will use azure cli auth +``` + +**2. Azure CLI Authentication (Local Development):** +```yaml +- provider: azure + id: development + subscription_id: $AZURE_SUBSCRIPTION_ID use_cli_auth: true ``` -`tenant_id`, `client_id`, `client_secret` can be obtained/generated from `All services` > `Azure Active Directory` > `App registrations` -`subscription_id` can be retrieved from `All services` > `Subscriptions` +**3. 
Client Certificate Authentication (Enterprise Security):** +```yaml +- provider: azure + id: secure-env + client_id: $AZURE_CLIENT_ID + certificate_path: /path/to/certificate.pem + tenant_id: $AZURE_TENANT_ID + subscription_id: $AZURE_SUBSCRIPTION_ID +``` + +**4. Managed Identity (Azure VMs, App Services, AKS):** +```yaml +- provider: azure + id: azure-hosted + subscription_id: $AZURE_SUBSCRIPTION_ID + use_managed_identity: true +``` + +**5. Workload Identity (Kubernetes, GitHub Actions OIDC):** +```yaml +- provider: azure + id: k8s-workload + subscription_id: $AZURE_SUBSCRIPTION_ID + use_workload_identity: true +``` + +**6. Auto-Detection (DefaultAzureCredential):** +```yaml +- provider: azure + id: auto-detect + subscription_id: $AZURE_SUBSCRIPTION_ID + # No explicit auth method - automatically detects available credentials +``` + +**Authentication Setup:** + +- `tenant_id`, `client_id`, `client_secret` can be obtained/generated from `All services` > `Azure Active Directory` > `App registrations` +- `subscription_id` can be retrieved from `All services` > `Subscriptions` +- For CLI auth: set `use_cli_auth: true` and run `az login` in the terminal +- For certificate auth: generate a certificate and register it with your App Registration +- For managed/workload identity: ensure the identity has appropriate permissions on the subscription -To use cli auth set `use_cli_auth` value to `true` and run `az login` in the terminal +**Authentication Priority (when using auto-detection):** +1. Environment Variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) +2. Workload Identity (Kubernetes service account tokens) +3. Managed Identity (Azure VMs, App Services, AKS nodes) +4. Azure CLI (az login session) References: 1. https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli diff --git a/opensource/cloudlist/running.mdx b/opensource/cloudlist/running.mdx index ef73b28..23b0a6e 100644 --- a/opensource/cloudlist/running.mdx 
+++ b/opensource/cloudlist/running.mdx @@ -118,16 +118,20 @@ The default provider config file should be located at `$HOME/.config/cloudlist/p - provider: azure # provider is the name of the provider # id is the name defined by user for filtering (optional) id: staging - # client_id is the client ID of registered application of the azure account (not requuired if using cli auth) + # subscription_id is the azure subscription id (required) + subscription_id: $AZURE_SUBSCRIPTION_ID + # client_id is the client ID of registered application (optional - for service principal auth) client_id: $AZURE_CLIENT_ID - # client_secret is the secret ID of registered application of the zure account (not requuired if using cli uth) + # client_secret is the secret of registered application (optional - for service principal auth) client_secret: $AZURE_CLIENT_SECRET - # tenant_id is the tenant ID of registered application of the azure account (not requuired if using cli auth) + # tenant_id is the tenant ID (optional - for service principal auth) tenant_id: $AZURE_TENANT_ID - #subscription_id is the azure subscription id - subscription_id: $AZURE_SUBSCRIPTION_ID - #use_cli_auth if set to true cloudlist will use azure cli auth + # use_cli_auth: true enables Azure CLI authentication (optional) use_cli_auth: true + # Other supported auth methods: + # use_managed_identity: true # For Azure VMs, App Services, AKS + # use_workload_identity: true # For Kubernetes, GitHub Actions OIDC + # certificate_path: /path/cert # For certificate-based authentication - provider: cloudflare # provider is the name of the provider # email is the email for cloudflare
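Review bot: In the cloud/integrations.mdx hunk at @@ -527 the new paragraph claims the integration "supports 6 authentication methods" with "100% backward compatibility", but this page then documents only the Service Principal path (the `### Quick Setup Options` heading has a single option under it), so a reader cannot find the other five here. Either enumerate them in this section (client secret, Azure CLI, client certificate, managed identity, workload identity, auto-detection, as the providers.mdx hunk does) or drop the count and the "100%" wording, which reads as marketing rather than documentation. The deleted sentence was also the only place that said the Service Principal is used "in a secure, read-only manner"; keep that statement, since the custom role below depends on it. The `- Azure Subscription ID` line changes only trailing whitespace and is diff noise.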
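Review bot: In the @@ -556 hunk the role description now ends with "and more", which is vague in a role definition an Azure administrator will audit; name the resource types the `actions` array covers or refer the reader to that array. The unchanged `assignableScopes` context line still contains `/subscriptions/` with nothing after it; a clearly labelled placeholder such as `/subscriptions/<SUBSCRIPTION_ID>` would signal that the value must be filled in rather than pasted as-is.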
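Review bot: In the @@ -568 hunk `Microsoft.Network/frontDoors/read` grants read access only to Front Door (classic); Front Door Standard/Premium profiles are exposed under the `Microsoft.Cdn/profiles` resource provider (AFD endpoints), so if the "Front Door" entry in the supported-services list is meant to include those tiers, the role needs the matching `Microsoft.Cdn/profiles/afdendpoints/read` action as well, checked against the SDK list calls the provider actually makes. Grouping the actions by resource provider (Compute, Network, Storage, ContainerService, Cdn, Web, App) would make the least-privilege set easier to review than the current append-only order.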
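Review bot: In the @@ -583 hunk the per-service permission list is incomplete relative to the role JSON: Application Gateway, Load Balancer, Container Instances, API Management, Front Door and Static Web Apps each gained a read action in the role but have no entry here, so an administrator who builds the role from this list instead of the JSON will get silent discovery gaps for those six services. Add one entry per service, e.g. `- Application Gateway & Load Balancer: Microsoft.Network/applicationGateways/read, Microsoft.Network/loadBalancers/read` and `- Static Web Apps: Microsoft.Web/staticSites/read`. Dropping "To use CLI, follow the instructions..." together with the CLI references is consistent for the cloud platform page, but the sentence "assign the built-in Reader role ... may exceed least-privilege needs" should then be the recommended fallback only after the custom role, not presented as an equal alternative.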
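Review bot: In the opensource/cloudlist/providers.mdx hunk at @@ -221 the new service entries are indented by one space (` - Public IP Addresses`) while the existing `- Virtual Machines` line is not, so Markdown will render them as a separate or nested list; remove the leading space. Two documentation gaps in the auth examples: the auto-detection example (`# No explicit auth method`) should state that with nothing set the provider uses whichever ambient credential DefaultAzureCredential finds first in the listed priority order (an operator's `az login` session or the host's managed identity), so the identity and permissions actually used can differ from what the operator intended and should be made explicit in production configs; and the certificate example should say what `certificate_path` must contain (a PEM with the private key? password-protected keys supported?) and that the file holds a secret and needs restrictive file permissions. Also "Traffic Manager Profiles" here vs "Traffic Manager" in cloud/integrations.mdx; use one name.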
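Review bot: In the opensource/cloudlist/running.mdx hunk at @@ -118 the default config example sets `client_id`, `client_secret`, `tenant_id` and `use_cli_auth: true` together, and the new comments mark each as optional without saying which method wins when both are present; either document the precedence in the comment or show a single method in the default config (the commented `use_managed_identity` / `use_workload_identity` lines suggest the flags are mutually exclusive, which should be stated). The `certificate_path: /path/cert` placeholder here differs from `/path/to/certificate.pem` in providers.mdx; use the same placeholder in both files.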