Create Storage Account (Azure only)

This section will guide you through creating an Azure Storage Account for Rok to store its snapshot data.

Fast Forward

If you are deploying EKF on Google Cloud or AWS, skip this guide and proceed to the What’s Next section.

What You’ll Need

Procedure

  1. Switch to your management environment and define the following alias to sanitize components of the storage account name Rok will use:

    root@rok-tools:~# alias sanitize="tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]'"
  2. Sanitize the subscription ID:

    root@rok-tools:~# export STORAGE_ACCOUNT_SID=$(echo ${SUBSCRIPTION_ID?} | sanitize)
  3. Sanitize the resource group:

    root@rok-tools:~# export STORAGE_ACCOUNT_RGRP=$(echo ${AZ_RESOURCE_GROUP?} | sanitize)
  4. Sanitize the AKS cluster name:

    root@rok-tools:~# export STORAGE_ACCOUNT_CLUSTER=$(echo ${AKS_CLUSTER?} | sanitize)
  5. Create the name of the storage account your Rok cluster will use:

    root@rok-tools:~# export STORAGE_ACCOUNT_NAME="rok${STORAGE_ACCOUNT_SID:0:7}${STORAGE_ACCOUNT_RGRP:0:7}${STORAGE_ACCOUNT_CLUSTER:0:7}"
  6. Ensure that the storage account does not already exist by verifying that the nameAvailable field of the output of the following command is equal to true:

    root@rok-tools:~# az storage account check-name --name ${STORAGE_ACCOUNT_NAME?} { "message": null, "nameAvailable": true, "reason": null }

    Troubleshooting

    The storage account already exists

    If the nameAvailable field in the above output is equal to false, then a storage account with that name already exists. In this case, proceed to the Verify section to determine if you can use this storage account for your Rok installation.

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/checkNameAvailability/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to check the availability of a storage account name.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

  7. Create the storage account:

    root@rok-tools:~# az storage account create \ > --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${STORAGE_ACCOUNT_NAME?} \ > --location ${AZURE_DEFAULTS_LOCATION?} \ > --kind StorageV2 \ > --tags subscription_id=${SUBSCRIPTION_ID?} \ > resource_group=${AZ_RESOURCE_GROUP?} \ > aks_cluster_name=${AKS_CLUSTER?} { "accessTier": "Hot", ... "id": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto", ... "kind": "StorageV2", ... "location": "eastus", ... "name": "roka8eb022arriktoarrikto", ... "primaryEndpoints": { "blob": "https://roka8eb022arriktoarrikto.blob.core.windows.net/", ... }, "primaryLocation": "eastus", ... "provisioningState": "Succeeded", "resourceGroup": "arrikto", ... "secondaryEndpoints": { "blob": "https://roka8eb022arriktoarrikto-secondary.blob.core.windows.net/", ... }, "secondaryLocation": "westus", "sku": { "name": "Standard_RAGRS", "tier": "Standard" }, "statusOfPrimary": "available", "statusOfSecondary": "available", "tags": { "aks_cluster_name": "arrikto-cluster", "resource_group": "arrikto", "subscription_id": "a8eb0222-2657-4a68-ae60-f06536139029" "type": "Microsoft.Storage/storageAccounts" }

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to create a storage account.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to create the storage account for you.

Verify

  1. Display the storage account:

    root@rok-tools:~# az storage account show \ > --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${STORAGE_ACCOUNT_NAME?} \ > -o table AccessTier CreationTime EnableHttpsTrafficOnly Kind Location Name PrimaryLocation ProvisioningState ResourceGroup SecondaryLocation StatusOfPrimary StatusOfSecondary ------------ -------------------------------- ------------------------ --------- ---------- ------------------------ ----------------- ------------------- --------------- ------------------- ----------------- ------------------- Hot 2021-07-13T14:15:03.525036+00:00 True StorageV2 eastus roka8eb022arriktoarrikto eastus Succeeded arrikto westus available available

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to retrieve a storage account.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

  2. Verify that the storage account you created earlier is in the above table, its Kind is StorageV2, and belongs to the expected resource group, location and subscription.

  3. Verify that the storage account has correct tags:

    1. Retrieve the subscription_id tag of the storage account:

      root@rok-tools:~# az storage account show \ > --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${STORAGE_ACCOUNT_NAME?} \ > --query tags.subscription_id \ > --output tsv a8eb0222-2657-4a68-ae60-f06536139029

      Troubleshooting

      The command failed with an authorization error

      If the above command fails with an error message similar to the following:

      (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto' or the scope is invalid. If access was recently granted, please refresh your credentials.

      it means that your identity does not have sufficient permissions to retrieve a storage account.

      To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

    2. Display your desired subscription:

      root@rok-tools:~# echo ${SUBSCRIPTION_ID?} a8eb0222-2657-4a68-ae60-f06536139029
    3. Ensure that the two values above match.

    4. Retrieve the resource_group tag of the storage account:

      root@rok-tools:~# az storage account show \ > --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${STORAGE_ACCOUNT_NAME?} \ > --query tags.resource_group \ > --output tsv arrikto

      Troubleshooting

      The command failed with an authorization error

      If the above command fails with an error message similar to the following:

      (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto' or the scope is invalid. If access was recently granted, please refresh your credentials.

      it means that your identity does not have sufficient permissions to retrieve a storage account.

      To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

    5. Display your resource group:

      root@rok-tools:~# echo ${AZ_RESOURCE_GROUP?} arrikto
    6. Ensure that the two values above match.

    7. Retrieve the aks_cluster_name tag of the storage account:

      root@rok-tools:~# az storage account show \ > --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${STORAGE_ACCOUNT_NAME?} \ > --query tags.aks_cluster_name \ > --output tsv arrikto-cluster

      Troubleshooting

      The command failed with an authorization error

      If the above command fails with an error message similar to the following:

      (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.Storage/storageAccounts/roka8eb022arriktoarrikto' or the scope is invalid. If access was recently granted, please refresh your credentials.

      it means that your identity does not have sufficient permissions to retrieve a storage account.

      To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

    8. Display the name of your AKS cluster:

      root@rok-tools:~# echo ${AKS_CLUSTER?} arrikto-cluster
    9. Ensure that the two values above match.

      Troubleshooting

      The storage account tags are missing

      If the storage account exists but its tags are missing then it either does not belong to a Rok cluster, or it belongs to a Rok cluster of version 1.3 or earlier. Go back to step 5 of the Procedure and select a new, unique name for the storage account by setting the STORAGE_ACCOUNT_NAME environment variable, and then proceed to create a new storage account with that name.

      The storage account tags do not match

      If the storage account tags exist but do not match the expected values for your cluster, then this storage account belongs to a different Rok installation. Go back to step 5 of the Procedure and select a new, unique name for the storage account by setting the STORAGE_ACCOUNT_NAME environment variable, and then proceed to create a new storage account with that name.

  4. Verify that the storage account has no containers:

    root@rok-tools:~# az storage container list \ > --account-name ${STORAGE_ACCOUNT_NAME?} \ > --auth-mode login []

    Troubleshooting

    Containers exist in the storage account

    If the storage account tags match but containers exist, then the storage account belongs to a previous installation of Rok in the same cluster. In this case, make sure you have followed the instructions in the Clean Up section to remove all resources belonging to your previous installation of Rok.

    The command failed with an authorization error

    If the above command fails with an error similar to the following:

    You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Contributor" "Storage Blob Data Reader" "Storage Queue Data Contributor" "Storage Queue Data Reader" If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

    it means that your CLI does not have permissions to list the containers of a storage account.

    In this case, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

Summary

You have successfully created an Azure Storage Account for Rok.

What’s Next

The next step is to deploy Istio as the service mesh of your EKF cluster.