Overcast will consume billing data and metrics coming from your Azure subscriptions using a permissions delegation model.

What this means is that Overcast requires you to log in with an Organizational (Azure AD) or Personal (Microsoft) user account. Overcast then uses the delegated permissions to impersonate your user and access your Azure resources. It therefore has the same access to Azure resources as the user who is logged in.

Required permissions

Overcast requires a user with the Reader Azure role definition on your subscriptions. The Reader role only gives access to the control plane on Azure. As such, this role does not grant any access to your data plane (for example, data stored inside SQL databases or in storage account blobs or tables).

From a technical point of view, Overcast uses the Azure REST APIs to connect on your behalf and perform queries. These queries are performed against the Billing APIs as well as the various resources that are analyzed in order to determine recommendations on how to reduce costs.

How to grant permissions

Step 1: Go to the Azure portal and list your tenant's subscriptions.

Step 2: Select a subscription that you want Overcast to analyze, then select the Access control (IAM) screen.

Step 3: Add a new role, then select the Reader role. Choose the Active Directory account you want to associate with the role and save.

Read more on Microsoft Azure role-based access controls here.

Creating a dedicated account

If you wish, you can create a dedicated user account to access Overcast with a restricted set of permissions. While this adds the burden of managing a separate set of permissions, it can limit what actions Overcast can take in your environment.

Currently, Overcast only uses Azure's Reader scope to recover billing and resource information. In the future, new features may require additional permissions in order to be used. At this time, however, there are no plans to add such features.

In all cases, any actions that are taken to modify Azure in any way would be fully documented in Azure's audit log.
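One way to confirm that a dedicated account holds only the Reader grant described above is to audit its role assignments. The following is an added example, not Overcast's own code: it reads JSON shaped like the output of `az role assignment list --assignee <account> --all -o json`, and the account name, subscription IDs and function names are placeholders chosen for illustration.

```python
import json

# Constructed sample, shaped like the output of
#   az role assignment list --assignee <account> --all -o json
# The account name and subscription IDs are placeholders.
SAMPLE = json.loads("""
[
  {"principalName": "overcast-reader@example.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "overcast-reader@example.com", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
  {"principalName": "overcast-reader@example.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"}
]
""")

ALLOWED_ROLE = "Reader"

def subscription_of(scope):
    """Return the subscription ID in an ARM scope, or None (management group, root)."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None

def audit(assignments, expected_subscriptions):
    """Compare assignments with the intended 'Reader on these subscriptions' grant."""
    expected = {s.lower() for s in expected_subscriptions}
    excess, covered = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        sub = subscription_of(scope)
        if role != ALLOWED_ROLE or sub not in expected:
            excess.append((role, scope))        # broader role, or a scope never intended
        elif scope.strip("/").count("/") == 1:  # assigned exactly at subscription scope
            covered.add(sub)
    return {"excess": excess, "missing": sorted(expected - covered)}

if __name__ == "__main__":
    report = audit(SAMPLE, ["00000000-0000-0000-0000-000000000001",
                            "00000000-0000-0000-0000-000000000002"])
    for role, scope in report["excess"]:
        print(f"REMOVE  {role} at {scope}")
    for sub in report["missing"]:
        print(f"MISSING Reader at /subscriptions/{sub}")
```

Anything reported as excess is access the dedicated account does not need for billing and resource reads; anything reported as missing is a subscription Overcast will not be able to analyze.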

Additional concerns

Any additional questions or concerns with authorizations for Overcast should be directed to our support team. They will be happy to help in any way possible. We take security very seriously at Overcast and make it a top priority for our entire team.
