OneFuzz makes use of Managed identities both in the API service as well as the managed VMs.
There are currently two uses of Managed Identities within OneFuzz:
1. The API service manages the full lifecycle of VMs, VM Scalesets, and Networks in use in OneFuzz. In order to enable this, the service must have role assignments granting it the permissions needed to manage these resources. At the moment, the role assignments granted to the OneFuzz API are:

   See azuredeploy.json or azuredeploy.bicep for the specific implementation of these role assignments.
2. VMs created by OneFuzz are created with Managed Identities that have no roles assigned; the identity exists only so that the OneFuzz agent running in the VMs can authenticate to the service itself.
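Both uses above come down to one least-privilege property that is worth checking after every deployment: the API service identity holds exactly the roles the deployment template grants, at the scope it grants them, and the VM identities hold no Azure RBAC role at all. The following audit is an added example and is not code from the OneFuzz project or its docs. It consumes the JSON shape produced by `az role assignment list --all -o json` (only the `principalId`, `roleDefinitionName` and `scope` fields are used). The principal IDs, the expected role set and the scope are constructed sample values; take the real expected roles from azuredeploy.bicep, since this page does not list them.

```python
"""Audit managed-identity role assignments for a OneFuzz deployment.

Added example, not part of OneFuzz. Checks two things:
  * the API service identity has exactly the expected roles, each at
    (or below) the deployment's resource-group scope;
  * every VM / scaleset identity has no role assignment at all.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample output in the shape of `az role assignment list --all -o json`,
# trimmed to the fields the audit needs. GUIDs, scopes and the "Owner" grant are made up.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/sub-0/resourceGroups/onefuzz-rg"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Network Contributor",
   "scope": "/subscriptions/sub-0/resourceGroups/onefuzz-rg"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/sub-0"},
  {"principalId": "22222222-2222-2222-2222-222222222222",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/sub-0/resourceGroups/onefuzz-rg"}
]
"""

# Sample inputs (assumptions, not values from the OneFuzz docs):
API_PRINCIPAL = "11111111-1111-1111-1111-111111111111"        # API service identity
EXPECTED_API_ROLES = {"Virtual Machine Contributor", "Network Contributor"}  # sample set
EXPECTED_SCOPE = "/subscriptions/sub-0/resourceGroups/onefuzz-rg"
VM_PRINCIPALS = {                                             # VM / scaleset identities
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",                   # has no assignments
}


@dataclass
class AuditResult:
    api_unexpected: set[str] = field(default_factory=set)       # roles the API should not have
    api_missing: set[str] = field(default_factory=set)          # expected roles it lacks
    api_out_of_scope: set[tuple[str, str]] = field(default_factory=set)  # (role, scope) above RG
    vm_violations: dict[str, set[str]] = field(default_factory=dict)     # VM principal -> roles

    def ok(self) -> bool:
        return not (self.api_unexpected or self.api_missing
                    or self.api_out_of_scope or self.vm_violations)


def audit(assignments: list[dict], api_principal: str, expected_api_roles: set[str],
          vm_principals: set[str], expected_scope: str) -> AuditResult:
    """Compare the live assignment list against the intended least-privilege layout."""
    result = AuditResult()
    api_roles: set[str] = set()
    for a in assignments:
        pid, role, scope = a["principalId"], a["roleDefinitionName"], a["scope"]
        if pid == api_principal:
            api_roles.add(role)
            # A grant at subscription level (or any other parent scope) is broader
            # than the deployment needs, even if the role name is expected.
            if not scope.startswith(expected_scope):
                result.api_out_of_scope.add((role, scope))
        elif pid in vm_principals:
            # VM identities are meant to carry no Azure RBAC role at all.
            result.vm_violations.setdefault(pid, set()).add(role)
    result.api_unexpected = api_roles - expected_api_roles
    result.api_missing = expected_api_roles - api_roles
    return result


def audit_json(text: str, api_principal: str, expected_api_roles: set[str],
               vm_principals: set[str], expected_scope: str) -> AuditResult:
    """Convenience wrapper taking the raw `az` JSON output."""
    return audit(json.loads(text), api_principal, expected_api_roles,
                 vm_principals, expected_scope)


if __name__ == "__main__":
    r = audit_json(SAMPLE_ASSIGNMENTS_JSON, API_PRINCIPAL, EXPECTED_API_ROLES,
                   VM_PRINCIPALS, EXPECTED_SCOPE)
    print("ok" if r.ok() else f"violations: {r}")
```

Run against the sample data the audit reports the subscription-scoped "Owner" grant on the API identity twice (as an unexpected role and as an out-of-scope assignment) and the "Reader" role on one VM identity; a clean deployment returns `ok() == True`.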