fbpx

How Can We Help?

Which Permissions are Needed to Generate Documentation with Cloudockit

Azure

General documentation

To generate documentation using Cloudockit, only Reader privileges are required at the subscription level.

Drop-off

To drop off documentation in the storage account, the credentials used to generate the documentation must have Contributor privileges.

Azure Classic Resources

Classic resources will not display in the documentation only with reader privileges.

You must add the user of your choice to the Classic Administrator of the subscription.

For more information, visit Classic subscription administrator roles, Azure roles, and Azure AD roles

Azure Active Directory

Cloudockit cannot retrieve data from Azure Directory only with reader privileges.

The credentials used to generate the documentation must have Azure AD Global Administrator.

Azure Billing

Limited billing information can be retrieved using reader privileges. To get access to the billing information you must give the credentials Billing Reader privileges.

Azure Security Center

To read information from the Azure Security Center through the compliance rules, the credentials used to generate the documentation must have Security Reader privileges.

Dependency Detection in Azure App Services

Cloudockit automatically detects dependencies between components like Azure App Services & Functions and components like storages, queues, etc.

To do so, Cloudockit scans the App Settings and App Connection Strings to detect the components the App Service is communicating with.

Contributor access, on the App Service only, is needed so Cloudockit can list the App Settings and Connection Strings. If you have only Reader privileges, you will see the App Service Details but not the dependencies.

Azure Kubernetes Services

The credentials used to generate the documentation must have Azure Kubernetes Service RBAC Writer access, on the Kubernetes Cluster only, so that Cloudockit can connect to the cluster and retrieve the details.

AWS

General documentation

To generate documentation using Cloudockit only ReadOnlyAccess policy is required at the account level.

Drop-Off

To drop off documentation in the storage account, the credentials used to generate the documentation must have the following policy:

{
        "Version": "2012-10-17",
        "Statement": [
               {
                        "Effect": "Allow",
                        "Action": [
                                "s3:*"
                        ],
                        "Resource": [
                               "arn:aws:s3:::YOURS3Bucket"
                        ]
               }
       ]
}

AWS Billing

To read billing information from AWS, the credentials used to generate the documentation must have aws-portal:ViewBilling policy.

AWS Trusted Advisor

To read information from AWS Trusted Advisor, the credentials used to generate the documentation must have the following policy:

{
        "Version": "2012-10-17",
        "Statement": [
               {
                          "Effect": "Allow",
                          "Action": [
                                  "ce:Get*",
                                  "ce:List*",
                                  "ce:Describe*"
                          ],
                          "Resource": [
                                  "*"
                          ]
               }
        ]
}

AWS Organizations

If you want to view details of the accounts of your organization in the generated documents on Cloudockit, you will need to choose an AWS master account when logging on Cloudockit web site.

Organizational units and accounts.

If you want to view details of the organizational units and accounts of your organization in the generated documents on Cloudockit, you will need to choose an AWS master account when logging on Cloudockit web site.

Member Account

When you choose an AWS member account, the generated documents will display the information of your organization and minimum information about your account (e.g.: Id, ARN).

GCP

General documentation

To generate documentation using Cloudockit only Viewer role is required at the project level.

Drop-Off

To drop off documentation in the storage, the credentials used to generate the documentation must have the following permissions storage.buckets.create, storage.buckets.get and storage.objects.create.

GCP Security Command Center

To read information from the GCP Security Command Center through the compliance rules, the credentials used to generate the documentation must have roles/securitycenter.adminViewer.

Billing

Cloudockit supports billing information extraction only in a JSON output format for now.

Cloudockit uses BigQuery Dataset to retrieve all of the billing information.  

To get the billing information into your documentation, you need to: 

  • Ensure the Service Account you are using has read permission to the BigQuery dataset where the billing Information is stored. 
  • Enter the following information in the Billing Details section in the Workload tab (those two information are found in the Google Cloud Console/Billing/Billing Export/Daily cost detail/Dataset name)
  • Dataset that contains the billing data : Specify the name of the BigQuery Dataset that contains billing data. 
  • Table that contains the billing data : Specify the name of the BigQuery Table that contains the billing data. 

Google Kubernetes Engine

The credentials used to generate the documentation must have Kubernetes Engine Service Agent, on the Kubernetes Cluster only, so Cloudockit can connect to the cluster and retrieve the details.

Table of Contents