src/current/cockroachcloud/byoc-deployment.md
4 additions & 4 deletions
@@ -51,7 +51,7 @@ Once this Azure subscription has been created and configured to host CockroachDB
51
51
52
52
## Step 2. Set up the admin App Registration
53
53
54
-
When BYOC is enabled for your account, Cockroach Labs dynamically provisions a multi-tenant admin App Registration associated with your CockroachDB {{ site.data.products.cloud }} organization and provides you with a URL to grant tenant-wide admin consent to the application. Granting admin consent creates an admin Service Principal in your tenant, which is used by Cockroach Labs support to act on the Kubernetes cluster in the event of an escalation.
54
+
When BYOC is enabled for your account, Cockroach Labs dynamically provisions a multi-tenant admin App Registration associated with your CockroachDB {{ site.data.products.cloud }} organization and provides you with a URL to grant tenant-wide admin consent to the application. Granting admin consent creates an admin Service Principal in your tenant, which is used by Cockroach Labs support to act on the Kubernetes cluster, running automation that initializes support infrastructure.
55
55
56
56
Visit this URL with a user account that is [authorized to consent on behalf of your organization](https://learn.microsoft.com/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#prerequisites). Once the Cockroach Labs App Registration has been granted admin consent in the tenant, grant the following set of roles to the admin Service Principal:
57
57
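Review bot: the rewritten sentence on new line 54 drops the "in the event of an escalation" scoping that the old text gave for when the admin Service Principal is used, and replaces it with "running automation that initializes support infrastructure" without saying what that infrastructure is or whether the automation runs once at setup or on an ongoing basis. Because this principal is created by tenant-wide admin consent, the reader deciding whether to grant that consent needs both facts; suggest keeping the escalation condition and naming the infrastructure the automation initializes, e.g. "...to act on the Kubernetes cluster in the event of a support escalation, running automation that initializes the support infrastructure described in Step 4."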
@@ -80,7 +80,7 @@ The custom `Resource Group Manager` role is required to create and manage resour
80
80
81
81
## Step 3. Set up the reader App Registration
82
82
83
-
In addition to the admin application, Cockroach Labs provisions the CockroachDB {{ site.data.products.cloud }} BYOC Reader App Registration. This App Registration is used to grant reader permissions to Cockroach {{ site.data.products.cloud }} automation.
83
+
In addition to the admin application, Cockroach Labs provisions the CockroachDB {{ site.data.products.cloud }} BYOC Reader App Registration. This App Registration is used by Cockroach Labs support for read access to Kubernetes infrastructure.
84
84
85
85
This reader application also requires admin consent to deploy the reader Service Principal:
86
86
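Review bot: new line 83 changes who the reader App Registration is for, from "Cockroach {{ site.data.products.cloud }} automation" to "Cockroach Labs support", but the surrounding text still calls it the "BYOC Reader App Registration" used to "deploy the reader Service Principal" (unchanged line 85), so it is unclear whether automation still authenticates with this principal or whether only support staff do. Suggest stating both uses explicitly if both apply, or, if automation no longer uses it, saying so, since the distinction determines what a reviewer of the Entra sign-in logs should expect to see for this principal.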
@@ -99,9 +99,9 @@ This reader application also requires admin consent to deploy the reader Service
99
99
~~~
100
100
3. Review the requested permissions and click **Accept**.
101
101
102
-
## Step 4. Grant persmissions to auth principals with Azure Lighthouse
102
+
## Step 4. Grant persmissions to Entra groups with Azure Lighthouse
103
103
104
-
Use [Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) to enable cross-tenant management that grants individual Cockroach Labs engineers persmissions on the service principle as needed for support purposes. Permissions are applied to the service principle with least-privilege access and full visibility, allowing you to review or remove this access at any time from the Azure portal.
104
+
Use [Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) to enable cross-tenant management that establishes the support infrastructure that allows Cockroach Labs to assist in the event of a support escalation. Permissions are granted least-privilege access and full visibility, allowing you to review and remove access at any time from the Azure portal.
105
105
106
106
This Azure Lighthouse deployment grants permissions to Cockroach Labs's managed tenant, which has a tenant ID of `a4611215-941c-4f86-b53b-348514e57b45`, by assigning the following roles to the reader and admin Entra groups within the tenant:
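Review bot: the typo "persmissions" is carried over into the new heading on line 102 ("Grant persmissions to Entra groups") even though the fix on line 104 removed it from the body; change the heading to "Grant permissions to Entra groups with Azure Lighthouse". On new line 104, "Permissions are granted least-privilege access" does not parse; suggest "Permissions are granted with least-privilege access and full visibility". The same line also no longer says who receives the cross-tenant access, whereas the old text named individual Cockroach Labs engineers; since the heading and the unchanged line 106 both refer to the reader and admin Entra groups in the Cockroach Labs managed tenant, the paragraph should say that access is delegated to those groups, so the reader knows what to look for when reviewing or removing the delegation in the Azure portal.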