Configuring Principal Assignments for External Tenants in Kusto
When you want to configure principal assignments for external tenants in Kusto (also known as Azure Data Explorer), you are granting users or groups from outside your own Azure Active Directory tenant access to Kusto databases or clusters. This is essential for scenarios where you collaborate with partners or customers who have their own Azure AD tenants.
To do this in Pulumi with TypeScript, we'll use the `azure-native.kusto.DatabasePrincipalAssignment` resource from the `azure-native` provider. This resource associates a principal from an external tenant with a role on a Kusto database within our cluster. Below is a step-by-step explanation followed by the Pulumi TypeScript code to create such a principal assignment:
- Define the Kusto Cluster and Database: First, you need to have an existing Kusto cluster and database, or define new ones. In this demonstration, I will assume these resources are already created, and we will only focus on the principal assignment.
- Create an External Tenant Identity: In most cases, the external principal's identity, such as a user or a group, will already exist in the external tenant. You will need the `objectId` of that identity, which is its unique identifier in Azure AD.
- Define the Principal Assignment: Using the `azure-native.kusto.DatabasePrincipalAssignment` resource, you will specify the necessary properties, including the database and cluster names, the role to assign (like Viewer, User, Admin), the `principalId` (the principal's `objectId` from the external tenant), the `principalType`, and the `tenantId` of the external tenant.
- Assign the Role to the External Principal: With all the information in place, Pulumi will create the assignment and grant the specified role to the external principal on the Kusto database.
Let's move to the actual Pulumi program:
```typescript
import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';

const resourceGroupName = "your-resource-group-name"; // Provide your Azure resource group name
const clusterName = "your-kusto-cluster-name";        // Provide the name of your existing Kusto cluster
const databaseName = "your-kusto-database-name";      // Provide the name of your existing Kusto database

// Define a principal assignment for an external tenant
const externalTenantPrincipalAssignment = new azure_native.kusto.DatabasePrincipalAssignment("externalTenantPrincipalAssignment", {
    // Information on the principal you are granting access to:
    principalId: "external-principal-object-id",              // The object ID of the external principal
    principalType: "User",                                    // The type of principal (User, Group, App)
    principalAssignmentName: "externalTenantPrincipalAssignment", // The name for the principal assignment

    // Information on your Kusto database where access will be granted:
    databaseName: databaseName,
    clusterName: clusterName,
    resourceGroupName: resourceGroupName,

    // Details of the role and external tenant:
    tenantId: "external-tenant-id", // The tenant ID of the external tenant
    role: "Viewer",                 // The role to assign to the external principal (least privilege by default)
});

// Export the principal assignment ID
export const principalAssignmentId = externalTenantPrincipalAssignment.id;
```
In this program:
- `resourceGroupName`, `clusterName`, and `databaseName` are variables that hold the names of the Azure resources. Replace the placeholder values with your actual resource group, cluster, and database names.
- `externalTenantPrincipalAssignment` is the principal assignment resource where you set the `principalId` to the external principal's `objectId`. Update `"external-principal-object-id"` with the actual ID of the principal from the external tenant.
- `tenantId` is the ID of the external tenant; it must be replaced with the actual tenant ID for which you're configuring the access.
- The `role` is set to `"Viewer"`, but it can be any valid Kusto database role such as `"User"` or `"Admin"`, depending on the level of access you want the external principal to have.
Remember to replace the placeholder values with actual data from your Azure environment and the external tenant's details. Once set, this code can be executed with Pulumi to configure the principal assignment in Kusto for an external tenant.
This level of configuration is quite powerful for enabling cross-tenant collaboration while maintaining granular control over access to Azure Data Explorer resources.
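As an added example (not part of the original Pulumi program), here is a pre-flight validator you can run over the assignment arguments before handing them to `azure-native.kusto.DatabasePrincipalAssignment`, so a malformed ID or an over-privileged cross-tenant role is caught before `pulumi up` reaches the Kusto API. The GUID check, the role allowlist, the `homeTenantId` field and the sample IDs are assumptions of this example.

```typescript
// Added example: a pre-flight validator for the DatabasePrincipalAssignment
// arguments used above. The argument shape mirrors the resource; the GUID check,
// the role allowlist and the sample IDs are assumptions of this example.

type KustoDatabaseRole = "Admin" | "Ingestor" | "Monitor" | "User" | "UnrestrictedViewer" | "Viewer";
type KustoPrincipalType = "App" | "Group" | "User";

interface ExternalAssignmentSpec {
  principalId: string;   // objectId of the principal in the external tenant
  principalType: KustoPrincipalType;
  tenantId: string;      // the external tenant's ID
  role: KustoDatabaseRole;
  homeTenantId: string;  // your own tenant ID, used to catch accidental self-grants
}
interface ValidationResult { ok: boolean; errors: string[]; warnings: string[] }

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Assumed least-privilege policy: external principals get read or ingest roles only;
// Admin and UnrestrictedViewer require an explicit override.
const EXTERNAL_ROLE_ALLOWLIST: ReadonlySet<KustoDatabaseRole> =
  new Set<KustoDatabaseRole>(["Viewer", "User", "Ingestor", "Monitor"]);

function validateExternalAssignment(spec: ExternalAssignmentSpec, allowPrivileged = false): ValidationResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  if (!GUID.test(spec.principalId)) errors.push(`principalId "${spec.principalId}" is not an objectId GUID`);
  if (!GUID.test(spec.tenantId)) errors.push(`tenantId "${spec.tenantId}" is not a tenant ID GUID`);
  if (spec.tenantId.toLowerCase() === spec.homeTenantId.toLowerCase())
    warnings.push("tenantId equals the home tenant; this is not an external-tenant grant");
  if (!EXTERNAL_ROLE_ALLOWLIST.has(spec.role) && !allowPrivileged)
    errors.push(`role "${spec.role}" is privileged; not allowed for an external tenant without allowPrivileged`);
  if (spec.principalType === "Group")
    warnings.push("Group grants follow membership managed by the external tenant; review who can join it");
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample IDs (not real tenants or principals).
const sampleSpec: ExternalAssignmentSpec = {
  principalId: "11111111-2222-3333-4444-555555555555",
  principalType: "User",
  tenantId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  role: "Viewer",
  homeTenantId: "00000000-0000-0000-0000-000000000000",
};

// Gate the resource on the check: a rejected spec never reaches the Kusto API.
const check = validateExternalAssignment(sampleSpec);
if (!check.ok) throw new Error(check.errors.join("; "));
```

Pass the validated fields of `sampleSpec` into the resource arguments shown earlier; the warnings are worth logging in CI so a reviewer sees self-tenant or group grants before they are applied.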