diff --git a/docs/cspell.json b/docs/cspell.json index f0fb73581dd4c..dc3470caca030 100644 --- a/docs/cspell.json +++ b/docs/cspell.json @@ -247,6 +247,7 @@ "VSVZY", "Vhka", "Vitess", + "VMSS", "Vybm", "WIMSE", "WWFCX", diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx index 4e5927768e31e..760abf8d4c7b8 100644 --- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx 
@@ -53,19 +53,22 @@ login to SQL Server. ## Step 3/8. Configure IAM permissions for Teleport -The Teleport Database Service needs Azure IAM permissions to: -- Discover and register SQL Server instances. -- Fetch virtual machine managed identities used for login. - -### Configure an Azure service principal - -Teleport requires the following permissions: -- `/read` permissions for discovery, but only for the resource - types you have. For example, `Microsoft.Sql/managedInstances/read`. -- `Microsoft.Compute/virtualMachines/read`. - -Here is a sample role definition allowing Teleport to read **Azure SQL Servers** -and **Azure SQL Managed Instances**: +The permissions to discover and register SQL Server instances will depend on the +resources you want Teleport to discover: +- For **SQL Servers**, `Microsoft.Sql/servers/read` is required. +- For **SQL Managed Instances**, `Microsoft.Sql/managedInstances/read` is required. + +It will also require permission to fetch virtual machine managed identities used +for SQL Server login: +- If your Database Service runs on a regular VM or a flexible Virtual Machine + Scale Set (VMSS) VM, it will require the `Microsoft.Compute/virtualMachines/read` + permission. +- Otherwise, if it runs on a uniform Virtual Machine Scale Set (VMSS) VM, such + as on an AKS cluster node, it will require the + `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read` permission. + +Here is a sample role containing all possible permissions. You may reduce the +permissions scope based on your needs. ```json { @@ -80,7 +83,8 @@ and **Azure SQL Managed Instances**: "actions": [ "Microsoft.Sql/managedInstances/read", "Microsoft.Sql/servers/read", - "Microsoft.Compute/virtualMachines/read" + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read" ], "notActions": [], "dataActions": [], 
@@ -98,6 +102,8 @@ If you want to further limit the `assignableScopes`, you can use a resource group (`/subscriptions//resourceGroups/`) or a management group (`/providers/Microsoft.Management/managementGroups/`) instead. +### Configure an Azure service principal + Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription.
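Review bot: in the `@@ -53,19 +53,22 @@` hunk the sentence "It will also require permission to fetch virtual machine managed identities used for SQL Server login" has no clear subject once the old opening line "The Teleport Database Service needs Azure IAM permissions to:" is removed; suggest "The Database Service also needs permission to fetch the virtual machine managed identities used for SQL Server login:". The closing "Here is a sample role containing all possible permissions. You may reduce the permissions scope based on your needs." is also vaguer than the text it replaces, which asked only for `/read` on the resource types you actually have. Since the prose makes the two `Microsoft.Compute` actions alternatives (regular VM or flexible VMSS versus uniform VMSS), say so directly, e.g. "Remove `Microsoft.Sql/managedInstances/read` if you have no managed instances, and keep only the `Microsoft.Compute` action that matches where the Database Service runs", so readers are not handed a superset role by default.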
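Review bot: in the `@@ -98,6 +102,8 @@` hunk the "### Configure an Azure service principal" heading moves below the role definition and the `assignableScopes` paragraph, so that material now sits directly under "## Step 3/8. Configure IAM permissions for Teleport" without a subheading of its own while the service principal subsection starts at "Go to the Subscriptions page". That ordering is sensible, but check that nothing else links to the `#configure-an-azure-service-principal` anchor expecting the role JSON under it, and consider a short subheading such as "### Create a custom role" above the sample role so the role definition and the service principal steps are structured in parallel.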