Commit 957a1ca

Managed Identity And Locker Updates (#430)
* added updated images for account creation
* typo corrections
* phrasing changes for new account creation UI
* added blob contributor actions to custom role example
* updated managed identity and service principal pages
* incorporated suggested additions
1 parent 19f9683 commit 957a1ca

10 files changed (+33, -19 lines changed)

articles/cyclecloud/common-issues/node_timeout_await_bootup.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,8 @@ ms.author: mirequa
1515

1616
Cyclecloud nodes use [custom script extension](/azure/virtual-machines/extensions/custom-script-linux)
1717
to install jetpack. The jetpack installer is staged into the locker during the initial node phase
18-
and downloaded by the node at start time. Cyclecloud transmits the blob url and the access key to
19-
the node via the script extension.
18+
and downloaded by the node at start time. Cyclecloud transmits the blob url and the chosen authentication
19+
method to the node via the script extension.
2020

2121
The installer is downloaded to the following location on the node:
2222
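Review bot: "the chosen authentication method" in the new line 18 is vaguer than the text it replaces; name the two options the node can receive (a SAS token derived from the storage account's shared access key, or a user-assigned managed identity for locker access, as described in the Storage Locker Access section added to managed-identities.md in this commit) so a reader debugging a boot timeout knows which credential path to check. Minor: "blob url" should be "blob URL", and "Cyclecloud" is inconsistent with "CycleCloud" used in the other files touched here.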

articles/cyclecloud/concepts/security-best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ The [virtual network](</azure/virtual-network/virtual-networks-overview>) that c
3030

3131
We strongly recommend using at least two subnets. One for the CycleCloud installation VM and any other VMs with the same access policies, and additional subnets for the compute clusters. However, keep in mind that for large clusters, the IP range of the subnet may become a limiting factor. So, in general, the CycleCloud subnet should use a small CIDR (Classless Inter-Domain Routing) range and compute subnets should be large.
3232

33-
CycleCloud uses the Azure Resource Manager for managing clusters. To make calls to Azure Resource Manager certain permissions are granted to CycleCloud by configuring [Managed Identity](~/how-to/managed-identities.md) to CycleCloud VM. It is recommended to use either System-assigned or User-assigned Managed Identity.A system-assigned Managed Identity creates an identity in Azure AD that is tied to the lifecycle of that service instance. When that resource is deleted, the managed identity is automatically deleted. A user-assigned Managed Identity can be assigned to one or more instances of an Azure service. In this case, the managed identity is separately managed by the resources used.
33+
CycleCloud uses the Azure Resource Manager for managing clusters. To make calls to Azure Resource Manager, certain permissions are granted to CycleCloud by configuring [Managed Identity](~/how-to/managed-identities.md) on the CycleCloud VM. It is recommended to use either System-assigned or User-assigned Managed Identity. A system-assigned Managed Identity creates an identity in Azure AD that is tied to the lifecycle of that service instance. When that resource is deleted, the managed identity is automatically deleted. A user-assigned Managed Identity can be assigned to one or more instances of an Azure service. In this case, the managed identity is separately managed by the resources used.
3434

3535
## Secured Locked-down environment
3636
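Review bot: the last sentence of the rewritten line 33 is still unclear: "the managed identity is separately managed by the resources used" reads as if the resources manage the identity. Suggest "In this case, the managed identity has its own lifecycle and is managed independently of the resources that use it." Also consider linking the custom-role guidance in managed-identities.md from this paragraph, since the best practice is not just to use a managed identity but to grant it a lower-privilege role than Contributor.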

articles/cyclecloud/how-to/managed-identities.md

Lines changed: 13 additions & 5 deletions
@@ -2,7 +2,7 @@
22
title: Using Managed Identities
33
description: Learn how to use Managed Identities with Azure CycleCloud. Assign roles to cluster VMs with Managed Identity.
44
author: rokeptne
5-
ms.date: 02/05/2019
5+
ms.date: 01/27/2025
66
ms.author: rokeptne
77
---
88

@@ -16,21 +16,29 @@ CycleCloud automates many calls to the Azure Resource Manager for the purposes o
1616

1717
It is generally recommended to use either a [System-Assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) or [User-Assigned Managed Identity](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#user-assigned-managed-identity) to grant those permissions rather than a Service Principal.
1818

19-
When Azure CycleCloud has been installed on an Azure VM with a Managed Identity assigned to it, the **Create Cloud Provider Account** dialog will behave slightly differently. There will be a new checkbox for **Managed Identity** and the **Subscription ID** will be pre-populated with the subscription of the host VM.
19+
When Azure CycleCloud has been installed on an Azure VM with a Managed Identity assigned to it, the **Add Subscription** dialog will behave slightly differently. The **Managed Identity** authentication option will be enabled and pre-selected, and the **Subscription ID** will be pre-populated with the subscription of the host VM.
2020

2121
::: moniker range="=cyclecloud-7"
2222
![Add Subscription Managed Identities](../images/version-7/create-account-managed-identity.png)
2323
::: moniker-end
2424

2525
::: moniker range=">=cyclecloud-8"
26-
![Add Subscription Managed Identities](../images/version-8/add-subscription-managed-identity.png)
26+
![Add Subscription Managed Identities](../images/version-8/add-subscription-managed-identity-8.7.png)
2727
::: moniker-end
2828

29-
It is still possible to enter the standard set of credentials by simply unchecking the **Managed Identity** checkbox. Upon doing so, the standard fields will be added to the form. Additionally, it is perfectly acceptable to use a separate **Subscription ID**; the provided value is just for convenience.
29+
It is still possible to enter the standard set of credentials by simply selecting the **App Registration** authentication option. Upon doing so, the standard fields will be added to the form. Additionally, it is perfectly acceptable to use a separate **Subscription ID**; the provided value is just for convenience.
30+
31+
When using a System Assigned Managed Identity, the ClientID field can be left blank. However, when using CycleCloud with a User-Assigned Managed Identity, the ClientID should be set to the ClientID of the specific Managed Identity intended for cluster orchestration.
32+
33+
### Storage Locker Access
34+
35+
In addition to using a Managed Identity for cluster orchestration on the CycleCloud VM, CycleCloud can also be configured to assign a User-Assigned Managed Identity to clusters for Storage Account / Locker access from cluster nodes rather than using SAS tokens derived from the Storage Account's Shared Access Key.
36+
37+
To configure clusters to use a User-Assigned Managed Identity rather than the Shared Access Key, we recommend creating a dedicated User-Assigned Managed Identity with Storage Blob Data Reader access at the Storage Account scope. First, create the Storage Account and User-Assigned Managed Identity in your Azure Subscription. Then in the Storage Locker Configuration section of the "Add Subscription" dialog, select the new Managed Identity from the Locker Identity dropdown and the Storage Account from the Storage Account dropdown.
3038

3139
### Create a custom role and managed identity for CycleCloud
3240

33-
The simplest option (with sufficient access rights) is to assign the Contributor Role for the Subscription to the CycleCloud VM as a System-Assigned Managed Identity. However, the Contributor Role has a higher privilege level than CycleCloud requires. A [custom Role](/azure/role-based-access-control/custom-roles) may be created and assigned to the VM.
41+
The simplest option (with sufficient access rights) is to assign the `Contributor` and `Storage Blob Data Contributor` roles for the Subscription to the CycleCloud VM as a System-Assigned Managed Identity. However, the `Contributor` Role has a higher privilege level than CycleCloud requires. A [custom Role](/azure/role-based-access-control/custom-roles) may be created and assigned to the VM. Similarly, the `Storage Blob Data Contributor` Role may be assigned at the Storage Account scope rather than subscription scope if the Storage Account has already been created.
3442

3543
This role covers all CycleCloud features:
3644
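Review bot: the new Storage Locker Access section (lines 33 to 37) should make explicit which identity needs which blob permission, because two different identities are now involved: the User-Assigned identity given to cluster nodes needs only Storage Blob Data Reader on the storage account (least privilege, as written), while the CycleCloud VM's orchestration identity still needs blob write access to stage the jetpack installer into the locker, which is why line 41 adds Storage Blob Data Contributor and custom-role.json gains blob write dataActions in this same commit. One sentence tying those together would stop readers from granting Reader to the wrong identity and then hitting the node bootup timeout. Also: "ClientID" on line 31 should be "Client ID" to match the dialog's field name, and "Storage Account / Locker access" could simply be "locker (storage account) access".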

articles/cyclecloud/how-to/service-principals.md

Lines changed: 5 additions & 9 deletions
@@ -2,19 +2,15 @@
22
title: Using a Service Principal
33
description: How to use a Service Principal with Azure CycleCloud.
44
author: rokeptne
5-
ms.date: 02/05/2019
5+
ms.date: 01/27/2025
66
ms.author: rokeptne
77
---
88

99
# Using Service Principal
1010

11-
An Azure AD Service Principal may be used to permission Azure CycleCloud to manage clusters in your subscription (as an alternative to using a [Managed Identity](managed-identities.md)).
11+
An Azure AD Service Principal may be used to permission Azure CycleCloud to manage clusters in your subscription (as an alternative to using a [Managed Identity](managed-identities.md)).
1212

13-
## Choosing between a Service Principal and a Managed Identity
14-
15-
If CycleCloud will only manage clusters in a single subscription, then consider using a Managed Identity rather than a Service Principal.
16-
17-
However, since CycleCloud can only use a single Managed Identity, using Service Principals is required when managing clusters in multiple subscriptions or tenants.
13+
It is generally recommended to use either a [System-Assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) or [User-Assigned Managed Identity](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#user-assigned-managed-identity) to grant those permissions rather than a Service Principal.
1814

1915
## Create a Service Principal
2016
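Review bot: removing "Choosing between a Service Principal and a Managed Identity" (old lines 13 to 17) drops the one concrete reason the page gave for using a Service Principal: managing clusters in multiple subscriptions or tenants, since CycleCloud can only use a single Managed Identity. If that limitation still applies, keep that sentence; if it no longer applies, say so, otherwise readers are left with a page that recommends against the very thing it documents. Also, in the new line 13 "to grant those permissions" has no antecedent in this file; the sentence was copied from managed-identities.md, where the preceding paragraph describes the Azure Resource Manager calls. Suggest "to grant CycleCloud the permissions it needs".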

@@ -45,8 +41,8 @@ However, the Contributor Role has a higher privilege level than CycleCloud requi
4541

4642
The [Managed Identity Guide](managed-identities.md) has details on creating an appropriate lower-privilege AD Role for the Service Principal.
4743

48-
To use a Service Principle to give permissions to CycleCloud, ensure that the "Manage Identity" checkbox is unchecked.
44+
To use a Service Principle to give permissions to CycleCloud, ensure that the "App Registration" radio button is selected.
4945

5046
::: moniker range=">=cyclecloud-8"
51-
![Add Subscription Managed Identities](../images/version-8/add-subscription-service-principle.png)
47+
![Add Subscription Managed Identities](../images/version-8/add-subscription-service-principle-8.7.png)
5248
::: moniker-end
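Review bot: the modified line 44 still carries the misspelling "Service Principle" (should be "Service Principal"), and line 47's alt text "Add Subscription Managed Identities" describes the wrong screenshot for a service principal walkthrough; suggest "Add Subscription using App Registration". The new image file name also keeps the "service-principle" spelling, which is harmless but worth fixing while the file is being replaced.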

articles/cyclecloud/includes/custom-role.json

Lines changed: 11 additions & 1 deletion
@@ -50,11 +50,21 @@
5050
"Microsoft.Storage/*/read",
5151
"Microsoft.Storage/checknameavailability/read",
5252
"Microsoft.Storage/register/action",
53+
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
54+
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
55+
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
56+
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
5357
"Microsoft.Storage/storageAccounts/read",
5458
"Microsoft.Storage/storageAccounts/listKeys/action",
5559
"Microsoft.Storage/storageAccounts/write"
5660
],
57-
"dataActions": [],
61+
"dataActions": [
62+
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
63+
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
64+
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
65+
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
66+
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
67+
],
5868
"notActions": [],
5969
"notDataActions": []
6070
}
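Review bot: the new entries grant container delete (line 53) and blob delete (line 62) in addition to read and write; if CycleCloud only needs to create the locker container and upload the installer, the delete entries can be omitted, and if deletion is required (for example, cleaning up staged installers) the page that includes this role should say so. Two further points: the management-plane `Microsoft.Storage/storageAccounts/listKeys/action` (line 58) remains in the role even though this commit's managed-identities.md says clusters can use a User-Assigned identity instead of SAS tokens derived from the shared key, so document whether listKeys is still needed for lockers that stay on shared-key access; and because the role now carries blob dataActions, readers should be told to assign it at the storage account scope where possible rather than the whole subscription, matching the advice added to managed-identities.md in this commit.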

articles/cyclecloud/qs-install-marketplace.md

Lines changed: 1 addition & 1 deletion
@@ -107,7 +107,7 @@ You will then need to create a CycleCloud admin user for the application server.
107107

108108
Once you have created your user, you may want to set your SSH key so that you can more easily access any Linux VMs created by CycleCloud. To add an SSH key, edit your profile by clicking on your name in the upper right hand corner of the screen.
109109

110-
You will need to set up you Azure provider account in CycleCloud. You can either use [Managed Identities](./how-to/managed-identities.md) or [Service Principals](./how-to/service-principals.md).
110+
You will need to set up your Azure provider account in CycleCloud. You can either use [Managed Identities](./how-to/managed-identities.md) or [Service Principals](./how-to/service-principals.md).
111111

112112
You should now have a running CycleCloud application that allows you to create and run clusters.
113113
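Review bot: beyond the "you" to "your" fix, line 110 still calls the step "set up your Azure provider account", while the dialog it points to is renamed "Add Subscription" in managed-identities.md in this same commit; align the wording so the quickstart matches the UI the linked pages describe.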
