1 change: 1 addition & 0 deletions docs/cspell.json
Expand Up @@ -247,6 +247,7 @@
"VSVZY",
"Vhka",
"Vitess",
"VMSS",
"Vybm",
"WIMSE",
"WWFCX",
Expand Up @@ -53,19 +53,22 @@ login to SQL Server.

## Step 3/8. Configure IAM permissions for Teleport

The Teleport Database Service needs Azure IAM permissions to:
- Discover and register SQL Server instances.
- Fetch virtual machine managed identities used for login.

### Configure an Azure service principal

Teleport requires the following permissions:
- `<resource-type>/read` permissions for discovery, but only for the resource
types you have. For example, `Microsoft.Sql/managedInstances/read`.
- `Microsoft.Compute/virtualMachines/read`.

Here is a sample role definition allowing Teleport to read **Azure SQL Servers**
and **Azure SQL Managed Instances**:
The permissions to discover and register SQL Server instances will depend on the
resources you want Teleport to discover:
- For **SQL Servers**, `Microsoft.Sql/servers/read` is required.
- For **SQL Managed Instances**, `Microsoft.Sql/managedInstances/read` is required.

It will also require permission to fetch virtual machine managed identities used
for SQL Server login:
- If your Database Service runs on a regular VM or a flexible Virtual Machine
Scale Set (VMSS) VM, it will require the `Microsoft.Compute/virtualMachines/read`
permission.
- Otherwise, if it runs on a uniform Virtual Machine Scale Set (VMSS) VM, such
as on an AKS cluster node, it will require the
`Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read` permission.

Here is a sample role containing all possible permissions. You may reduce the
permissions scope based on your needs.

```json
{
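Review bot: in the new VM-identity paragraph, "It will also require permission to fetch virtual machine managed identities" has lost its subject after the preceding bullet list; start it with "The Database Service also needs permission to fetch ..." so it is clear which component is being granted the role. The two bullets would also benefit from one sentence of reasoning: a flexible-orchestration VMSS instance is exposed as an ordinary `Microsoft.Compute/virtualMachines` resource, which is why it shares `Microsoft.Compute/virtualMachines/read` with a regular VM, whereas a uniform VMSS instance (the AKS node case) is addressed as `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/<id>` and needs the separate read action. Finally, "a sample role containing all possible permissions" overstates what follows; the role contains exactly the four actions listed above, and "You may reduce the permissions scope" should say plainly that only one of the two Compute read actions is needed unless the Database Service runs on both kinds of VM, so readers drop the unused one rather than keep the broader role.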
Expand All @@ -80,7 +83,8 @@ and **Azure SQL Managed Instances**:
"actions": [
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/servers/read",
"Microsoft.Compute/virtualMachines/read"
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read"
],
"notActions": [],
"dataActions": [],
Expand All @@ -98,6 +102,8 @@ If you want to further limit the `assignableScopes`, you can use a resource
group (`/subscriptions/<subscription>/resourceGroups/<group>`) or a management
group (`/providers/Microsoft.Management/managementGroups/<group>`) instead.

### Configure an Azure service principal

Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade)
page and select a subscription.
