Azure credentials and permissions
Contributors Download PDF of this topic
Cloud Manager enables you to choose the Azure credentials to use when deploying Cloud Volumes ONTAP. You can deploy all of your Cloud Volumes ONTAP systems using the initial Azure credentials, or you can add additional credentials.
Initial Azure credentials
When you deploy Cloud Manager from NetApp Cloud Central, you need to use an Azure account that has permissions to deploy the Cloud Manager virtual machine. The required permissions are listed in the NetApp Cloud Central policy for Azure.
When Cloud Central deploys the Cloud Manager virtual machine in Azure, it enables a system-assigned managed identity on the Cloud Manager virtual machine, creates a custom role, and assigns it to the virtual machine. The role provides Cloud Manager with permissions to deploy and manage Cloud Volumes ONTAP in that Azure subscription. Review how Cloud Manager uses the permissions.
Cloud Manager selects these Azure credentials by default when you create a new working environment:
Additional Azure subscriptions for managed identity
The managed identity is associated with the subscription in which you launched Cloud Manager. If you want to select a different Azure subscription, then you need to associate the managed identity with those subscriptions.
Additional Azure credentials
If you want to deploy Cloud Volumes ONTAP using different Azure credentials, then you must grant the required permissions by creating and setting up a service principal in Azure Active Directory for each Azure account. The following image shows two additional accounts, each set up with a service principal and custom role that provides permissions:
You would then add the account credentials to Cloud Manager by providing details about the AD service principal.
After you add another set of credentials, you can switch to them when creating a new working environment: