Connecting with Microsoft Azure cloud accounts
You can connect one or more Microsoft Azure subscriptions with IBM Guardium AI Security by running an Azure Cloud Shell script that grants Guardium AI Security access to your cloud environment, so that it can discover AI deployments across those subscriptions.
Before you begin
This functionality is available only with the Guardium AI Security application.
Verify that you have the following items:
- List of Azure subscriptions to be connected to Guardium AI Security
- An Azure user with the permission to create the relevant service principal
For more information about the service principal, see Results.
Additionally, when you connect a Microsoft Azure account to Guardium AI Security, a Custom role is created during the connection. After Guardium AI Security is connected with Microsoft Azure, it uses the built-in Reader role together with the newly created Custom role to discover the AI deployments.
The following permissions are required to authorize the initial connection:
- Global Administrator role for the Microsoft Azure tenant
- Built-in Owner role on each Microsoft Azure subscription to be connected
The following permissions are required to access Azure deployments:
- Reader role
  - Scans and monitors the metadata of the AI deployments that Guardium AI Security discovers. It is a read-only built-in role with no edit permission.
- Custom role
  - Gathers information about the discovered AI deployments in the connected Azure subscriptions.
The Custom role has the following permissions to access the metadata regarding AI deployments in the connected Azure subscriptions:
- Microsoft.CognitiveServices/accounts/read to read the metadata of Azure OpenAI (Cognitive Services) accounts
- Microsoft.CognitiveServices/accounts/listKeys/action to list the account access keys that are used to call the Azure OpenAI API
Note that listKeys/action returns the account keys themselves, which grant data-plane access to the resource, so the Custom role goes beyond what the read-only Reader role allows. Keep its assignable scope limited to the connected subscriptions and protect the service principal credential accordingly.
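The following Azure CLI script is an added example of how the two roles described above can be defined and assigned from Azure Cloud Shell. It is not IBM's connection script: the role name "Guardium AI Security Custom Role", the argument layout (service principal app ID followed by subscription IDs) and the pre-apply check that rejects wildcard, write or delete actions are assumptions made here, while the two actions in the role definition are the ones the page lists.

```bash
#!/usr/bin/env bash
# Added example, not the Guardium AI Security connection script.
# Usage: ./connect_azure.sh <service-principal-app-id> <subscription-id> [<subscription-id> ...]
# Assumes the caller is logged in with `az login` as a user holding Owner on each subscription.
set -euo pipefail

# Hypothetical role name used for this example.
ROLE_NAME="Guardium AI Security Custom Role"

# Write a custom role definition that contains only the two documented actions,
# scoped to a single subscription. Arguments: subscription ID, output file.
write_role_definition() {
  local sub_id="$1" out="$2"
  cat > "$out" <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Read Cognitive Services account metadata and list keys for AI deployment discovery",
  "Actions": [
    "Microsoft.CognitiveServices/accounts/read",
    "Microsoft.CognitiveServices/accounts/listKeys/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${sub_id}" ]
}
EOF
}

# Refuse to apply a definition whose quoted entries contain a wildcard or a
# write/delete verb: the page documents read and listKeys only.
check_role_definition() {
  local file="$1"
  if grep -Eq '"[^"]*(\*|/write|/delete)[^"]*"' "$file"; then
    echo "role definition grants more than the documented read/listKeys actions: $file" >&2
    return 1
  fi
  return 0
}

# Create the custom role in one subscription and assign Reader plus the custom
# role to the service principal at subscription scope.
apply_roles() {
  local sp_app_id="$1" sub_id="$2" def_file="$3"
  local scope="/subscriptions/${sub_id}"
  az account set --subscription "$sub_id"
  az role definition create --role-definition "$def_file"
  az role assignment create --assignee "$sp_app_id" --role "Reader" --scope "$scope"
  az role assignment create --assignee "$sp_app_id" --role "$ROLE_NAME" --scope "$scope"
}

main() {
  local sp_app_id="$1"; shift
  local sub_id def_file
  for sub_id in "$@"; do
    def_file="$(mktemp)"
    write_role_definition "$sub_id" "$def_file"
    check_role_definition "$def_file"
    apply_roles "$sp_app_id" "$sub_id" "$def_file"
    rm -f "$def_file"
  done
}

# Run only when a service principal and at least one subscription are given.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Because listKeys/action discloses account keys, the role is created per subscription with a single assignable scope rather than at management-group or tenant scope, and the check function is run before every `az role definition create` so that an edited definition cannot silently widen the grant.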
Use the following steps to connect Guardium AI Security with one or more Azure cloud accounts: