smom-dbis-138/docs/archive/status-reports/phase1-old/PERMISSIONS_AND_STATUS.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

Permissions and Status Report

Summary

Completed

  1. Genesis Upload to Storage: Successfully uploaded to Azure Storage
    • URL: https://azpcusvmbp7dfbc1.blob.core.windows.net/config/genesis-138.json
    • Method: Used storage account key (no special permissions needed)

Pending (Permissions Required)

1. Key Vault Upload

  • Status: Blocked by firewall
  • Error: ForbiddenByFirewall - Client address not authorized
  • Current IP: 206.170.208.82 (IPv4)
  • Solution Options:
    1. Add IP to Key Vault firewall rules
    2. Enable "Allow Azure Services" in Key Vault network settings
    3. Use Managed Identity from within Azure (VM, Function App, etc.)
    4. Use Azure Bastion or VPN to access from authorized network

Command to add IP (requires Key Vault Contributor role):

az keyvault network-rule add \
  --name az-p-wst-kv-secrets-001 \
  --ip-address 206.170.208.82

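Or enable the Azure Services bypass while keeping the firewall enforced:

# The bypass covers trusted Microsoft services only; a client on a public IP still needs the IP rule above.
# --default-action stays Deny: with Allow the vault accepts every network and the bypass has no effect.
az keyvault update \
  --name az-p-wst-kv-secrets-001 \
  --bypass AzureServices \
  --default-action Deny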

2. Besu Node Configuration

  • Status: Scripts ready, testing Azure Run Command
  • Method: Using Azure VM Run Command (no SSH needed)
  • Access: Requires "Virtual Machine Contributor" role or equivalent
  • Current Status: Script created, testing execution

Required Permissions

For Genesis Upload

Storage Account

  • No RBAC role needed - Using the storage account key (the key grants full access to the storage account)
  • Alternative: "Storage Blob Data Contributor" role

Key Vault

  • Key Vault Secrets Officer role
  • Network access (firewall rules or Azure Services bypass)

For Besu Configuration

Azure VM Run Command

  • Virtual Machine Contributor role (or equivalent)
  • Microsoft.Compute/virtualMachines/runCommand/action permission

Alternative: SSH Access

  • SSH access to VMs (private IPs require VPN/Bastion)
  • Sudo access on VMs

Current Access Status

VMs

  • Nginx Proxy: Accessible via SSH (public IP: 20.160.58.99)
  • Backend VMs: Not accessible via SSH (private IPs, need VPN/Bastion)
  • Azure Run Command: Testing (should work with proper permissions)

Storage

  • Accessible - Genesis uploaded successfully

Key Vault

  • Blocked - Firewall rules need configuration

Next Steps

  1. Configure Key Vault Network Access:

    • Add current IP to firewall rules, OR
    • Enable Azure Services bypass
  2. Complete Besu Configuration:

    • Verify Azure Run Command permissions
    • Execute configuration script
    • Verify all 5 nodes are running
  3. Verify Deployment:

    • Check Besu logs
    • Test RPC endpoints
    • Verify genesis file loaded correctly

Commands to Fix Permissions

Key Vault - Add IP to Firewall

az keyvault network-rule add \
  --name az-p-wst-kv-secrets-001 \
  --ip-address 206.170.208.82

Key Vault - Enable Azure Services (Alternative)

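# The bypass covers trusted Microsoft services only; a client on a public IP still needs the IP rule.
# --default-action stays Deny: with Allow the vault accepts every network and the bypass has no effect.
az keyvault update \
  --name az-p-wst-kv-secrets-001 \
  --bypass AzureServices \
  --default-action Deny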

Check Current Permissions

# Check role assignments
az role assignment list \
  --assignee "$(az account show --query user.name -o tsv)" \
  --all \
  --query "[?contains(roleDefinitionName, 'Key Vault') || contains(roleDefinitionName, 'Storage') || contains(roleDefinitionName, 'Virtual Machine')].{Role:roleDefinitionName,Scope:scope}" \
  -o table

# Check Key Vault network rules
az keyvault show \
  --name az-p-wst-kv-secrets-001 \
  --query "properties.networkAcls" \
  -o json
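
To interpret the JSON printed by the network-rules check above, the following added example (not part of the original report or the project's scripts) reports whether the firewall is enforced and whether a given client address is covered. The function name, the /24 threshold for a "broad" rule and the sample documents are assumptions made for illustration; the field names follow the networkAcls object that Azure returns.

```python
import ipaddress
import json

def audit_network_acls(acls_json: str, client_ip: str) -> dict:
    """Evaluate Key Vault networkAcls JSON for one client address."""
    acls = json.loads(acls_json) or {}  # "null" means no network ACLs are set
    # Only an explicit Deny enforces the firewall; anything else admits all networks.
    enforced = acls.get("defaultAction", "Allow") == "Deny"
    client = ipaddress.ip_address(client_ip)
    findings = []
    matched = False
    for rule in acls.get("ipRules") or []:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if client in net:
            matched = True
        # Assumed review threshold: IPv4 rules wider than /24 get flagged.
        if net.version == 4 and net.prefixlen < 24:
            findings.append(f"broad IP rule {net} ({net.num_addresses} addresses)")
    if not enforced:
        findings.append("defaultAction is not Deny: firewall not enforced, "
                        "IP rules and bypass have no effect")
    elif acls.get("bypass") == "AzureServices":
        findings.append("bypass=AzureServices: trusted Microsoft services "
                        "skip the firewall")
    return {
        "firewall_enforced": enforced,
        "client_allowed": matched or not enforced,
        "findings": findings,
    }

# Constructed samples (not output captured from the vault named on this page).
BLOCKED = ('{"bypass": "None", "defaultAction": "Deny", '
           '"ipRules": [], "virtualNetworkRules": []}')
OPEN = ('{"bypass": "AzureServices", "defaultAction": "Allow", '
        '"ipRules": [], "virtualNetworkRules": []}')
SCOPED = ('{"bypass": "AzureServices", "defaultAction": "Deny", '
          '"ipRules": [{"value": "206.170.208.82/32"}], '
          '"virtualNetworkRules": []}')

if __name__ == "__main__":
    for name, doc in (("blocked", BLOCKED), ("open", OPEN), ("scoped", SCOPED)):
        print(name, audit_network_acls(doc, "206.170.208.82"))
```
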

Status: Genesis uploaded to Storage. Key Vault and Besu configuration pending permissions/network access.