Closed jialigit closed 2 years ago
Output report and progress

| Azure service | Role for core | Role for health indicator | Need refactor |
|---|---|---|---|
| Cosmos DB | Cosmos DB Built-in Data Contributor | as data plane | update code and doc |
| Event Hubs | Storage Account Contributor, Storage Blob Data Owner, Azure Event Hubs Data Owner | as data plane | x |
| Key Vault Certificate | certificate permissions: get, set, delete | as data plane | x |
| Key Vault Secret | secret_permissions:get,set,delete,list,purge | as data plane | x |
| Storage Blob | Storage Queue Data Contributor | Storage Account Contributor | fixing code |
| Storage File Share | Not Supported | Not Supported | x |
| Storage Queue | Storage Queue Data Contributor | Storage Account Contributor | update doc |
The Storage Queue health indicator uses an operation which needs the Storage Account Contributor role; we provide this information in the corresponding docs.
The Cosmos health indicator needs the option "spring.cloud.azure.cosmos.database" to be configured correctly; we provide this information in the corresponding docs.
To address the doc update issue, track this: https://github.com/microsoft/spring-cloud-azure/issues/939
Closing, as the investigation is done and the PR which resolves this issue has been merged.
Context
As per our reference doc, we provide a health indicator feature for Azure services. However, there is not enough detailed information about how to use this feature, and we are not explicitly telling users whether or not a specific permission is needed to enable it. For example, in this issue about using the storage account blob health indicator, we figured out that it also needs an extra permission in addition to the one for blob data actions.
Goal
Check each Azure service we provide in Spring Cloud Azure, and verify whether the permission is enough or not. Keep the health endpoint using the same minimum permission as the data operation.
Solution