Client Cloud-Access Authorization (SKELETON — counsel review required)
NOT legal advice. Structural skeleton + clause checklist for counsel. This is the most SnowOps-specific document: it must model the Identity > Secrets, least-privilege, time-boxed posture SnowOps sells — consistent with G0 (the read-only audit SP) and the B-series (the B2 deploy SP).
Purpose
Authorizes SnowOps to access {{CLIENT}}'s Azure tenant for a defined purpose, scope, and duration — and documents that access for the client's own audit trail.
Key clauses (brief for counsel)
1. Scope of access (least privilege — two tiers)
- Discovery / audit phase (read-only): Reader + Security Reader only, at a named scope (subscription/MG). No write, no key-listing (Reader carries no listKeys-style actions), no data-plane access. Implemented as a federated credential on the audit service principal (G0), so no client secret leaves the client tenant. A federated credential itself has no expiry, so the time-box lives on the role assignment and on deletion of the credential at grant end. The client can revoke at any time by removing either.
- Delivery phase (deploy): a federated-OIDC service principal (B2) with the minimum role set the SOW requires (e.g., Contributor at a named scope; data-plane roles only where a named deliverable needs them). No long-lived client secret: federation only. Privileged roles (Owner, User Access Administrator, anything that can grant roles) are PIM-eligible (just-in-time, with an assignment end date), never standing (B5/H3).
2. Time-boxing & expiry
- Each grant has an explicit start and expiry. Access auto-expires where the mechanism supports it (PIM eligible and active assignments carry end dates); where it does not (a federated credential has no expiry), SnowOps deletes the credential and removes the role assignments at grant end and the client confirms. Any extension is re-authorized in writing before the current expiry, not after.
3. No secrets
- SnowOps will not create or hold long-lived client cloud credentials: no client secrets, certificates, or exported keys. Authentication is federated OIDC throughout, the same posture SnowOps deploys for its clients.
4. Audit & transparency
- Every access is logged on both sides: the client's own Entra sign-in logs and Azure Activity Log record each service-principal sign-in and control-plane operation, and SnowOps's immutable run log (G6) records what was done and why. The client receives the access scope, roles, and duration in writing before access begins.
5. Revocation
- The client may revoke any grant immediately, without notice, by deleting the federated credential or removing the role assignments; SnowOps acknowledges in writing and makes no further access attempts. Revocation does not breach the SOW (delivery may pause until access is re-authorized).
6. Purpose limitation
- Access is used only for the authorized purpose (the audit, or the SOW's deliverables): no other workloads, no data exfiltration, no escalation beyond the granted roles, and read-only stays read-only.
7. Personnel
- Named SnowOps personnel only; the pipelines and identities that use the grant are not shared outside that list; offboarding a named person removes their access and the client is notified.
Schedule (fill per engagement)
| Field | Value |
|---|---|
| Client / tenant | {{CLIENT}} / {{TENANT_ID}} |
| Phase | Discovery (read-only) / Delivery (deploy) |
| Scope | {{subscription/MG}} |
| Roles | {{Reader+Security Reader / Contributor + named data roles}} |
| Auth | Federated OIDC (no secret) |
| Federated credential | {{issuer}} / {{exact subject}} (pinned to one workflow/branch) |
| Privileged access | PIM-eligible, JIT |
| Grant start / expiry | {{date}} / {{date}} |
| Authorized by (client) | {{name, title}} |
Consistency check: roles + auth above match G0 (audit) / B2 (deploy) / H3+B5 (PIM), and the tenant's actual role assignments and credentials are checked against this schedule at grant start and at expiry. Counsel + Nidhi review before use.
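The consistency check can be run against the tenant itself rather than only against the paper schedule. The script below is an added example, not SnowOps tooling and not part of the template: it assumes the engineer has dumped three az CLI outputs (role assignments for the service principal, its federated credentials, its password credentials) to JSON, and it constructs sample records in that shape. The field names, the example subscription id, the GitHub repo subject and the 90-day cap are all assumptions for illustration.

```python
"""Audit an access grant against its schedule (clauses 1-3 of the template).

Added example, not SnowOps tooling. Assumes these az CLI outputs as JSON:
  az role assignment list --assignee <sp-object-id> --all
  az ad app federated-credential list --id <app-id>
  az ad app credential list --id <app-id>
Sample records below are constructed to mirror those shapes (field names assumed).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Clause 1: allowed role set per phase; delivery may add data roles named in the SOW.
PHASE_ROLES = {"discovery": {"Reader", "Security Reader"}, "delivery": {"Contributor"}}
# Clause 1: never a standing assignment, PIM-eligible only.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
MAX_GRANT_DAYS = 90  # assumption: engagement cap, not from the template
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


@dataclass
class Schedule:
    """The 'Schedule' table of the authorization, as data."""
    phase: str
    scope: str            # /subscriptions/<id> or a management-group resource id
    grant_start: date
    grant_expiry: date
    fic_issuer: str       # OIDC issuer the federated credential trusts
    fic_subject: str      # exact subject claim, e.g. repo:<org>/<repo>:ref:refs/heads/main
    data_roles: set[str] = field(default_factory=set)  # delivery only, named in the SOW

    def allowed_roles(self) -> set[str]:
        extra = self.data_roles if self.phase == "delivery" else set()
        return PHASE_ROLES[self.phase] | extra


def in_scope(scope: str, authorized: str) -> bool:
    """True if `scope` is the authorized scope or a descendant of it."""
    return scope == authorized or scope.startswith(authorized.rstrip("/") + "/")


def audit_grant(sched: Schedule, assignments: list[dict], fics: list[dict],
                secrets: list[dict], today: date) -> list[str]:
    """Return findings; an empty list means tenant state matches the schedule."""
    findings: list[str] = []
    allowed = sched.allowed_roles()
    for a in assignments:  # clause 1: least privilege, at the named scope only
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES:
            findings.append(f"standing privileged role {role} at {scope} (must be PIM-eligible)")
        elif role not in allowed:
            findings.append(f"role {role} at {scope} not in {sched.phase} role set")
        if not in_scope(scope, sched.scope):
            findings.append(f"role {role} at {scope} is outside authorized scope {sched.scope}")
    for s in secrets:  # clause 3: no client secrets at all
        findings.append(f"client secret present (keyId {s.get('keyId')}, expires {s.get('endDateTime')})")
    if len(fics) != 1:  # clauses 1/3: exactly one federated credential, pinned
        findings.append(f"expected exactly one federated credential, found {len(fics)}")
    for fic in fics:
        if fic["issuer"] != sched.fic_issuer:
            findings.append(f"federated credential issuer {fic['issuer']} != {sched.fic_issuer}")
        if fic["subject"] != sched.fic_subject:
            findings.append(f"federated credential subject {fic['subject']} != {sched.fic_subject}")
        if fic.get("audiences") != [TOKEN_EXCHANGE_AUDIENCE]:
            findings.append(f"federated credential audiences {fic.get('audiences')} != {[TOKEN_EXCHANGE_AUDIENCE]}")
    if sched.grant_expiry <= sched.grant_start:  # clause 2: time-boxing
        findings.append("grant expiry is not after grant start")
    elif (sched.grant_expiry - sched.grant_start).days > MAX_GRANT_DAYS:
        findings.append(f"grant window exceeds {MAX_GRANT_DAYS} days; re-authorize in writing")
    if today > sched.grant_expiry and (assignments or fics):
        findings.append("grant has expired but access still exists; remove assignments and delete the federated credential")
    return findings


# --- constructed sample data (not real tenant output) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SCHEDULE = Schedule(phase="discovery", scope=SUB,
                    grant_start=date(2025, 1, 6), grant_expiry=date(2025, 2, 3),
                    fic_issuer="https://token.actions.githubusercontent.com",
                    fic_subject="repo:example-org/snowops-audit:ref:refs/heads/main")
GOOD_ASSIGNMENTS = [{"roleDefinitionName": "Reader", "scope": SUB},
                    {"roleDefinitionName": "Security Reader", "scope": SUB}]
GOOD_FICS = [{"name": "gh-main", "issuer": SCHEDULE.fic_issuer,
              "subject": SCHEDULE.fic_subject, "audiences": [TOKEN_EXCHANGE_AUDIENCE]}]
# Drift: a standing Contributor at the tenant root plus a secret added "just for testing".
DRIFTED_ASSIGNMENTS = GOOD_ASSIGNMENTS + [{"roleDefinitionName": "Contributor", "scope": "/"}]
DRIFTED_SECRETS = [{"keyId": "11111111-2222-3333-4444-555555555555",
                    "endDateTime": "2027-01-01T00:00:00Z", "displayName": "test"}]


def check_good(today: date = date(2025, 1, 20)) -> list[str]:
    return audit_grant(SCHEDULE, GOOD_ASSIGNMENTS, GOOD_FICS, [], today)


def check_drifted(today: date = date(2025, 1, 20)) -> list[str]:
    return audit_grant(SCHEDULE, DRIFTED_ASSIGNMENTS, GOOD_FICS, DRIFTED_SECRETS, today)


if __name__ == "__main__":
    print("consistent:", check_good() == [])
    for finding in check_drifted():
        print("FINDING:", finding)
```

Run it at grant start and again at expiry: a non-empty list at expiry means the revocation in clause 5 has not actually happened in the tenant. Against a real engagement, replace the constructed records with json.load of the three az outputs and the Schedule values with the table above.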