| title | description | author | ms.service | ms.topic | ms.author | ms.date | topic | keywords |
|---|---|---|---|---|---|---|---|---|
Using Azure Lockbox to authorize support access to Azure Red Hat OpenShift cluster resources. |
In this how-to article, learn how to use review support requests to access Azure Red Hat OpenShift cluster resources using Azure Lockbox. |
johnmarco |
azure-redhat-openshift |
how-to |
johnmarc |
03/23/2023 |
how-to |
azure, openshift, aro, red hat, lockbox |
In some circumstances, a support agent at Microsoft may need access to your OpenShift cluster resources. The Azure Lockbox feature works with Azure Redhat OpenShift to provide customers a way to review and approve or reject requests from Microsoft support to access their cluster resources. This ability can be important for financial, government, or other regulatory industries where there's extra scrutiny regarding access to resources.
With Azure Lockbox, whenever a support ticket is created, you have the ability to grant consent to Microsoft support agents to access your cluster resources. The actions that the support engineer can take are limited to those listed below. Azure Lockbox will tell you exactly what action the support agent is trying to execute.
See Customer Lockbox for more information about the Lockbox feature.
The Azure Lockbox workflow consists of the following main steps:
- A support ticket is opened from the Azure portal. The ticket is assigned to a customer support engineer at Microsoft.
- The customer support engineer reviews the request and determines the next steps to resolve the issue.
- When the request requires the support engineer to perform one of the actions listed below, a Lockbox request is initiated. The request is now in a Customer Notified state, waiting for the customer's approval before granting access.
- An email is sent from Microsoft to the customer, notifying them about the pending access request.
- The customer signs in to the Azure portal to view the Lockbox request and can Approve or Deny the request.
As a result of the selection:
- Approve: Access is granted to the Microsoft support engineer. The access is granted for a default period of eight hours.
- Deny: The elevated access request by the support engineer is rejected and no further action is taken.
See Customer Lockbox--workflow for another details about the access request process.
- The Lockbox feature works only with customer support tickets.
- Customers can only grant access through the Lockbox interface.
- No action can be taken until customer approval is granted.
You can enable Lockbox from the Administration module in the Customer Lockbox blade. Once you enable Lockbox, it will apply to all the ARO clusters in that subscription.
Note
To enable Customer Lockbox, the user account needs to have the Global Administrator role assigned.
The actions below require Lockbox authorization in order for a support engineer to proceed:
- Create Kubernetes object
- Update Kubernetes object
- Delete Kubernetes object
- Get logs from a pod in the OpenShift namespace
- List or get Kubernetes objects
Lockbox logs are stored in activity logs. In the Azure portal, select Activity Logs to view auditing information related to Customer Lockbox requests. See Customer Lockbox, Auditing Logs for more information.