Using Microsoft Azure with Juju - advanced

This page is dedicated to more advanced topics related to using Microsoft Azure with Juju. The main page is here.

Manually adding Azure credentials

The manual option is useful if Juju fails to automatically gather your credentials, or if you want to automate the process.

Gathering values

We will need values for the following bits of information:

  • subscription id
  • application name
  • application id
  • tenant id
  • application password

In the sections below, we will assign each of these a variable name. When you enter them into the command, replace the variable name we give with the actual ID that corresponds to the variable.

This process requires the Azure CLI tool to be installed and used to successfully log in to Azure prior to Juju configuration. See Install the CLI tool and Log in to Azure respectively.

subscription id

List your accounts and take note of the subscription ID (this is the SUB_ID value):

az account list

It will appear on the line labelled id:

[
  {
    "cloudName": "AzureCloud",
    "id": "27dcbd27-c935-43f4-a1b5-123456722c00",
    "isDefault": false,
    "name": "Microsoft Azure Enterprise",
    "state": "Enabled",
    "tenantId": "558ac724-0c20-4c6b-ab00-12345679b6f0",
    "user": {
      "name": "javierlarin72@gmail.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "bef58c0a-6fca-489d-8297-12345677f276",
    "isDefault": true,
    "name": "Pay-As-You-Go(Converted to EA)",
    "state": "Enabled",
    "tenantId": "558ac724-0c20-4c6b-ab00-12345679b6f0",
    "user": {
      "name": "javierlarin72@gmail.com",
      "type": "user"
    }
  }
]

In this example, there is a Pay-As-You-Go (PAYG) subscription that has been converted to an Enterprise Agreement (EA); the other stanza (Microsoft Azure Enterprise) refers to that agreement. In this case the PAYG subscription ID is the one to choose, so:

SUB_ID=bef58c0a-6fca-489d-8297-12345677f276

application name

You will need to come up with an arbitrary application name (typically an internet URL). In our example:

APP_NAME=http://ubuntu.example.com

Now create an Active Directory (Kerberos) service principal and assign it a role of Owner:

az ad sp create-for-rbac --name "$APP_NAME" --role Owner

The command output will be similar to the following:

{
  "appId": "c07fd75f-dc07-47a1-87ed-123456731897",
  "displayName": "azure-cli-2019-05-22-02-01-44",
  "name": "http://ubuntu.example.com",
  "password": "76ab0f15-4d2e-4dd8-abca-1234567325d5",
  "tenant": "558ac724-0c20-4c6b-ab00-12345679b6f0"
}

For more in-depth information, see Microsoft’s Azure CLI documentation on Role-Based Access Control (RBAC) and the above command’s syntax.

application id, tenant id, and application password

From the previous output we obtain the following values for application-id, tenant-id, and application-password:

APP_ID=c07fd75f-dc07-47a1-87ed-123456731897
TENANT_ID=558ac724-0c20-4c6b-ab00-12345679b6f0
APP_PASSWORD=76ab0f15-4d2e-4dd8-abca-1234567325d5

Verification of values

You can verify the values we’ve collected by logging in using the application principal as your identity:

az login --service-principal -u "$APP_NAME" -p "$APP_PASSWORD" --tenant "$TENANT_ID"

Command output will look similar to the following:

[
  {
    "cloudName": "AzureCloud",
    "id": "bef58c0a-6fca-489d-8297-12345677f276",
    "isDefault": true,
    "name": "Pay-As-You-Go(Converted to EA)",
    "state": "Enabled",
    "tenantId": "558ac724-0c20-4c6b-ab00-12345679b6f0",
    "user": {
      "name": "http://ubuntu.example.com",
      "type": "servicePrincipal"
    }
  }
]

Add credentials

Credential information can now be placed into a YAML file and used with a client. Here, we’ve assigned a credential name of ‘jlaurin’:

credentials:
  azure:
    jlaurin:
      auth-type: service-principal-secret
      application-id: c07fd75f-dc07-47a1-87ed-123456731897
      subscription-id: bef58c0a-6fca-489d-8297-12345677f276
      application-password: 76ab0f15-4d2e-4dd8-abca-1234567325d5

To add credential ‘jlaurin’, assuming the configuration file is creds.yaml in the current directory, we would run:

juju add-credential azure -f creds.yaml
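The whole procedure above, from the two `az` JSON outputs to a creds.yaml ready for `juju add-credential`, as an added Python helper; this is example code written for this page, not Juju's or the Azure CLI's own tooling. The sample JSON is constructed from the page's redacted values; the tenant-consistency check, the subscription selection by name or `isDefault`, and the 0600 file mode for the file holding the application password are assumptions about sensible handling, not steps the page prescribes.

```python
import json
import os

# Constructed sample output, shaped like the page's `az account list` and
# `az ad sp create-for-rbac` examples (same redacted values as the page).
AZ_ACCOUNT_LIST = json.dumps([
    {"id": "27dcbd27-c935-43f4-a1b5-123456722c00", "isDefault": False,
     "name": "Microsoft Azure Enterprise", "tenantId": "558ac724-0c20-4c6b-ab00-12345679b6f0"},
    {"id": "bef58c0a-6fca-489d-8297-12345677f276", "isDefault": True,
     "name": "Pay-As-You-Go(Converted to EA)", "tenantId": "558ac724-0c20-4c6b-ab00-12345679b6f0"},
])
AZ_SP_CREATE = json.dumps({"appId": "c07fd75f-dc07-47a1-87ed-123456731897",
                           "password": "76ab0f15-4d2e-4dd8-abca-1234567325d5",
                           "tenant": "558ac724-0c20-4c6b-ab00-12345679b6f0"})

def pick_subscription(account_list_json, name_hint=None):
    """Choose the subscription: by a unique name substring, else the isDefault one."""
    accounts = json.loads(account_list_json)
    if name_hint:
        matches = [a for a in accounts if name_hint in a["name"]]
    else:
        matches = [a for a in accounts if a.get("isDefault")]
    if len(matches) != 1:
        raise ValueError("expected exactly one matching subscription, got %d" % len(matches))
    return matches[0]

def build_credential(account_list_json, sp_json, cred_name, name_hint=None):
    """Assemble the Juju credential mapping and check the values fit together."""
    sub = pick_subscription(account_list_json, name_hint)
    sp = json.loads(sp_json)
    # Assumption: the service principal must live in the subscription's tenant,
    # otherwise the application id and subscription id do not belong together.
    if sp["tenant"] != sub["tenantId"]:
        raise ValueError("tenant mismatch: %s vs %s" % (sp["tenant"], sub["tenantId"]))
    fields = {"auth-type": "service-principal-secret", "application-id": sp["appId"],
              "subscription-id": sub["id"], "application-password": sp["password"]}
    return {"credentials": {"azure": {cred_name: fields}}}

def render_yaml(cred):
    """Emit the creds.yaml layout shown on the page (no PyYAML dependency)."""
    lines = ["credentials:", "  azure:"]
    for name, fields in cred["credentials"]["azure"].items():
        lines.append("    %s:" % name)
        lines += ["      %s: %s" % (k, v) for k, v in fields.items()]
    return "\n".join(lines) + "\n"

def write_creds_file(path, text):
    """The application password is a secret: create the file owner-only (mode 0600)."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(text)
    return oct(os.stat(path).st_mode & 0o777)
```

Feed it the real `az account list` and `az ad sp create-for-rbac` output (for example via `subprocess`) and pass the resulting file to `juju add-credential azure -f creds.yaml`.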

Next steps

You should now continue reading the main Using Microsoft Azure with Juju page at the controller-creation step.

If you add more than one credential you will need to either specify one while creating the controller (juju bootstrap --credential) or set a default (juju set-default-credential) before doing so.


With the Azure environments we run, we’re seeing constant credential renewal and it seems like a pain to do, especially given we have 30-something and they’re all using JAAS.

With ‘az ad sp create-for-rbac’, there is an option to specify years:

Credential Arguments
--years : Number of years for which the credentials will be valid. Default: 1 year.

Perhaps best practice to recommend something a lot longer? This helps improve user experience with not having to find environment read-only because credentials have expired.