Creating a UMS group and machine users
This procedure ensures that the CDP machine user gets permission to access the tenant bucket.
Repeat the following steps for each tenant:
-
In Management Console, User Management > Groups, click CREATE GROUP and create a User Management Service (UMS)
group, for example group-tenant-1.
-
In Groups > Members, search for and select your srv_machine_<env
id>_storage_role to add this UMS machine user to
group-tenant-1.
- In Management Console > Environments, select an environment, and click Actions > Manage Access > IDBroker Mappings > Edit.
-
Click + to add a mapping, select the Group-tenant-1 and
Role-tenant-1, and specify the complete managed
identity. For example:
/subscriptions/<subsciption_id>/resourcegroups/<resource_group>providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
-
Synchronize your group changes with FreeIPA by performing a user sync per
environment: In the RAZ-enabled environment, click Actions > Synchronize Users to FreeIPA.
The UMS machine user gets the permission to access the tenant-specific container.