mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 06:59:40 -05:00
docs: adjust MAA updating (#3152)
* docs: adjust MAA updating * versioned-docs: backport fix
This commit is contained in:
parent
94cf85c65a
commit
7d4e7eff65
@ -188,7 +188,7 @@ Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -208,7 +208,7 @@ The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
|
||||
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -226,8 +226,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
|
||||
|
||||
:::info
|
||||
|
||||
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
|
||||
On Azure, a manual update to the MAA provider's policy is necessary.
|
||||
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
|
||||
|
||||
```bash
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -55,7 +55,7 @@ management tooling of your choice. You need to keep the essential functionality
|
||||
|
||||
:::info
|
||||
|
||||
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
|
||||
On Azure, a manual update to the MAA provider's policy is necessary.
|
||||
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestationURL | jq -r)`, when using the minimal Terraform configuration).
|
||||
|
||||
```bash
|
||||
|
@ -114,7 +114,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -134,7 +134,7 @@ The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
|
||||
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -152,8 +152,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
|
||||
|
||||
:::info
|
||||
|
||||
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
|
||||
On Azure, a manual update to the MAA provider's policy is necessary.
|
||||
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
|
||||
|
||||
```bash
|
||||
|
@ -114,7 +114,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -134,7 +134,7 @@ The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
|
||||
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -152,8 +152,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
|
||||
|
||||
:::info
|
||||
|
||||
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
|
||||
On Azure, a manual update to the MAA provider's policy is necessary.
|
||||
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
|
||||
|
||||
```bash
|
||||
|
@ -188,7 +188,7 @@ Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -208,7 +208,7 @@ The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md), you need the following permissions:
|
||||
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -226,8 +226,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -56,7 +56,7 @@ management tooling of your choice. You need to keep the essential functionality
|
||||
|
||||
:::info
|
||||
|
||||
On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary.
|
||||
On Azure, a manual update to the MAA provider's policy is necessary.
|
||||
You can apply the update with the following command after creating the infrastructure, with `<URL>` being the URL of the MAA provider (i.e., `$(terraform output attestation_url | jq -r)`, when using the minimal Terraform configuration).
|
||||
|
||||
```bash
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can try [MiniConstellation](first-st
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -144,8 +144,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
@ -109,7 +109,7 @@ If you don't have a cloud subscription, you can also set up a [local Constellati
|
||||
<tabItem value="azure" label="Azure">
|
||||
|
||||
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
|
||||
* `Microsoft.Attestation` \[2]
|
||||
* `Microsoft.Attestation`
|
||||
* `Microsoft.Compute`
|
||||
* `Microsoft.Insights`
|
||||
* `Microsoft.ManagedIdentity`
|
||||
@ -127,7 +127,7 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
|
||||
The built-in `Owner` role is a superset of these permissions.
|
||||
|
||||
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
|
||||
* `Microsoft.Attestation/attestationProviders/*` \[2]
|
||||
* `Microsoft.Attestation/attestationProviders/*`
|
||||
* `Microsoft.Compute/virtualMachineScaleSets/*`
|
||||
* `Microsoft.Insights/components/*`
|
||||
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
|
||||
@ -145,8 +145,6 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az
|
||||
|
||||
1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration.
|
||||
|
||||
2: You can omit `Microsoft.Attestation/attestationProviders/*` and the registration of `Microsoft.Attestation` if `EnforceIDKeyDigest` isn't set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster).
|
||||
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP">
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user