
Which Permissions are Needed to Generate Documentation with Cloudockit

Azure

General documentation

To generate documentation using Cloudockit, only Reader privileges are required at the subscription level.

Drop-off

To drop off documentation in the storage account, the credentials used to generate the documentation must have Contributor privileges.

    Azure Classic Resources

    Classic resources will not appear in the documentation with Reader privileges alone.

    You must add the user of your choice as a Classic Administrator of the subscription.

    For more information, see Classic subscription administrator roles, Azure roles, and Azure AD roles.

    Azure Entra ID

    Cloudockit cannot retrieve data from Entra ID with Reader privileges alone.

    Please read the following page, which explains two ways to grant access to Entra ID:
    Specific permissions to read Entra ID information

    Azure Billing

    Only limited billing information can be retrieved with Reader privileges. To get full access to the billing information, you must give the credentials Billing Reader privileges.

    Azure Storage

    To read the details of the contents of the storage accounts, you may use a custom role with the following permission:

    • Storage Blob Data Reader

    Azure Security Center

    To read information from the Azure Security Center through the compliance rules, the credentials used to generate the documentation must have Security Reader privileges, or you can use a custom role with the following permissions:

    • Microsoft.Advisor/generateRecommendations/action
    • Microsoft.Advisor/recommendations/read

    Dependency Detection in Azure App Services

    Cloudockit automatically detects dependencies between components such as Azure App Services and Functions and the components they use, such as storage accounts and queues.

    To do so, Cloudockit scans the App Settings and App Connection Strings to detect the components the App Service is communicating with.

    Contributor access, scoped to the App Service only, is needed so that Cloudockit can list the App Settings and Connection Strings. If you have only Reader privileges, you will see the App Service details but not the dependencies.

    Azure Kubernetes Services

    The credentials used to generate the documentation must have Azure Kubernetes Service RBAC Writer access, on the Kubernetes Cluster only, so that Cloudockit can connect to the cluster and retrieve the details.

    Azure App Services

    To retrieve sensitive information about your App Services, you can use the Website Contributor role or add this explicit permission to your custom role:

    • Microsoft.Web/sites/config/list/action
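    For a least-privilege setup, the Azure permissions listed above can be collected into one custom role definition. This is an added example, not a Cloudockit-supplied role: the role name, the subscription id placeholder and the `*/read` wildcard (the action the built-in Reader role grants) are assumptions, and Storage Blob Data Reader is represented by its blob read data action.

```json
{
    "Name": "Cloudockit Documentation Reader (example)",
    "IsCustom": true,
    "Description": "Reader plus the additional permissions Cloudockit needs for Security Center compliance, storage contents and App Service settings.",
    "Actions": [
        "*/read",
        "Microsoft.Advisor/generateRecommendations/action",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Web/sites/config/list/action"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
    ]
}
```

    Create it with `az role definition create --role-definition @cloudockit-role.json`. Because `Microsoft.Web/sites/config/list/action` returns app settings and connection strings, assign it only where that access is needed (for example on the App Service itself) rather than at the subscription if the other permissions are enough elsewhere.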

    AWS

    General documentation

    To generate documentation using Cloudockit, only the ReadOnlyAccess managed policy is required at the account level.

    Drop-Off

    To drop off documentation in the S3 storage, the credentials used to generate the documentation must have the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutBucketCORS",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::*",
                    "arn:aws:s3:::*/*"
                ]
            }
        ]
    }

    Note: you may also want to restrict the policy to the bucket you use as a drop-off by replacing the wildcards in the Resource section with that bucket's ARN and its objects (arn:aws:s3:::<bucket> and arn:aws:s3:::<bucket>/*).
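    The scoped form of the drop-off policy that the note recommends, as an added example (not from Cloudockit's documentation): the bucket name cloudockit-dropoff-example is a constructed placeholder, and the actions are split so that bucket-level actions apply to the bucket ARN and object-level actions to its objects.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DropOffBucketLevel",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutBucketCORS"
            ],
            "Resource": "arn:aws:s3:::cloudockit-dropoff-example"
        },
        {
            "Sid": "DropOffObjectLevel",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::cloudockit-dropoff-example/*"
        }
    ]
}
```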

    AWS Billing

    To read billing information from AWS, the credentials used to generate the documentation must have the aws-portal:ViewBilling permission.

    AWS Trusted Advisor

    To read information from AWS Trusted Advisor, the credentials used to generate the documentation must have the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "trustedadvisor:Describe*",
                    "trustedadvisor:Get*",
                    "trustedadvisor:List*"
                ],
                "Resource": "*"
            }
        ]
    }

    AWS Organizations

    If you want to view details of the accounts of your organization in the generated documents, you will need to choose an AWS master account when logging on to the Cloudockit web site.

    Organizational units and accounts

    If you want to view details of the organizational units and accounts of your organization in the generated documents, you will need to choose an AWS master account when logging on to the Cloudockit web site.

    Member Account

    When you choose an AWS member account, the generated documents will display the information of your organization and only minimal information about your account (e.g. Id, ARN).

    GCP

    General documentation

    To generate documentation using Cloudockit, only the Viewer role is required at the project level.

    Drop-Off

    To drop off documentation in the storage, the credentials used to generate the documentation must have the following permissions:

    • storage.objects.create
    • storage.objects.get
    • storage.objects.delete

    GCP Security Command Center

    To read information from the GCP Security Command Center through the compliance rules, the credentials used to generate the documentation must have roles/securitycenter.adminViewer.

    Billing

    Cloudockit supports billing information extraction only in a JSON output format for now.

    Cloudockit uses BigQuery Dataset to retrieve all of the billing information.  

    To get the billing information into your documentation, you need to:

    • Ensure the Service Account you are using has read permission on the BigQuery dataset where the billing information is stored.
    • Enter the following information in the Billing Details section of the Workload tab (both values are found under Google Cloud Console / Billing / Billing Export / Daily cost detail / Dataset name):
    • Dataset that contains the billing data: specify the name of the BigQuery Dataset that contains the billing data.
    • Table that contains the billing data: specify the name of the BigQuery Table that contains the billing data.

    Google Kubernetes Engine

    The credentials used to generate the documentation must have the Kubernetes Engine Service Agent role, on the Kubernetes cluster only, so that Cloudockit can connect to the cluster and retrieve the details.
