Configure Azure CLI

This guide will walk you through configuring the Azure CLI (az) for your Azure account.

What You’ll Need

Here is what you’ll need based on the Azure identity type you want to log in with and the authentication method. Choose one of the following options:

  Option 1: User identity (interactive login)

    • An Azure account and subscription.
    • An existing management environment.
    • A user identity with Owner privileges. Alternatively, if you have already created all required resources, you can use a user identity with Reader privileges to verify them.
    • A user password.

  Option 2: Service principal with password

    • An Azure account and subscription.
    • An existing management environment.
    • A service principal with Owner privileges. Alternatively, if you have already created all required resources, you can use a service principal with Reader privileges to verify them.
    • The application ID of the service principal.
    • The ID of the tenant associated with the service principal.
    • The service principal password.

  Option 3: Service principal with certificate

    • An Azure account and subscription.
    • An existing management environment.
    • A service principal with Owner privileges. Alternatively, if you have already created all required resources, you can use a service principal with Reader privileges to verify them.
    • The application ID of the service principal.
    • The ID of the tenant associated with the service principal.
    • The X509 certificate of the service principal in PEM format, in the same file as its private key.

Procedure

  1. Switch to your management environment and log in either interactively as a user or using a service principal. Choose one of the following options based on your configuration:

    Option 1: Log in as a user

      1. Log in to Azure:

        root@rok-tools:~# az login
        To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate.

      2. Open your browser, go to https://microsoft.com/devicelogin and enter the authorization code displayed in your terminal.

      3. Sign in with your user credentials in the browser.

      4. Switch back to your management environment and retrieve the object ID of your logged-in user:

        root@rok-tools:~# export AZ_IDENTITY=$(az ad signed-in-user show --query id -o tsv)

    Option 2: Log in with a service principal and password

      1. Provide the application ID of the service principal:

        root@rok-tools:~# export AZ_IDENTITY=<ID>

        Replace <ID> with the application ID, for example:

        root@rok-tools:~# export AZ_IDENTITY="00000000-0000-0000-0000-000000000000"

      2. Provide the tenant ID of the service principal:

        root@rok-tools:~# export AZ_TENANT_ID=<ID>

        Replace <ID> with the tenant ID, for example:

        root@rok-tools:~# export AZ_TENANT_ID="00000000-0000-0000-0000-000000000000"

      3. Log in to Azure and provide the password when prompted. Leaving out --password makes az prompt for the secret, which keeps it out of your shell history and process listings:

        root@rok-tools:~# az login \
        >   --service-principal \
        >   --username ${AZ_IDENTITY?} \
        >   --tenant ${AZ_TENANT_ID?}
        Password:
        [
          {
            "cloudName": "AzureCloud",
            "homeTenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
            "id": "a8eb0222-2657-4a68-ae60-f06536139029",
            "isDefault": true,
            "managedByTenants": [],
            "name": "Azure subscription",
            "state": "Enabled",
            "tenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
            "user": {
              "name": "0582413e-8670-4817-885e-e8025e956cf7",
              "type": "servicePrincipal"
            }
          }
        ]

    Option 3: Log in with a service principal and certificate

      1. Provide the application ID of the service principal:

        root@rok-tools:~# export AZ_IDENTITY=<ID>

        Replace <ID> with the application ID, for example:

        root@rok-tools:~# export AZ_IDENTITY="00000000-0000-0000-0000-000000000000"

      2. Provide the tenant ID of the service principal:

        root@rok-tools:~# export AZ_TENANT_ID=<ID>

        Replace <ID> with the tenant ID, for example:

        root@rok-tools:~# export AZ_TENANT_ID="00000000-0000-0000-0000-000000000000"

      3. Provide the path to the file holding the private key and certificate for your service principal:

        root@rok-tools:~# export AZ_CERTIFICATE_PATH=<PATH>

        Replace <PATH> with the path to your certificate, for example:

        root@rok-tools:~# export AZ_CERTIFICATE_PATH=/path/to/certificate.pem

      4. Log in to Azure. Here --password receives the absolute path of the PEM file, not a secret:

        root@rok-tools:~# az login \
        >   --service-principal \
        >   --username ${AZ_IDENTITY?} \
        >   --tenant ${AZ_TENANT_ID?} \
        >   --password $(realpath ${AZ_CERTIFICATE_PATH?})
        [
          {
            "cloudName": "AzureCloud",
            "homeTenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
            "id": "a8eb0222-2657-4a68-ae60-f06536139029",
            "isDefault": true,
            "managedByTenants": [],
            "name": "Azure subscription",
            "state": "Enabled",
            "tenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
            "user": {
              "name": "2b24f971-9962-4de9-a9d0-c31e2e9183b4",
              "type": "servicePrincipal"
            }
          }
        ]

    Important

    Do not delete or rename the certificate because az expects to always find it under the given path. The file also holds the service principal's private key, so keep it readable only by the user running az (for example, chmod 600).

  2. Find your current active subscription. The rest of the installation guide assumes that you will be using this subscription when you create resources via the Azure portal. We will refer to it as your desired subscription:

    root@rok-tools:~# az account show --query name -o tsv
    Azure subscription
  3. Store the ID of your desired subscription so you can retrieve it later:

    root@rok-tools:~# export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
  4. Add the aks-preview extension:

    root@rok-tools:~# az extension add --name aks-preview
  5. Update the aks-preview extension to the latest version available:

    root@rok-tools:~# az extension update --name aks-preview
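The following shell helpers are an added example, not part of this guide or of the Azure CLI. They run the pre-flight checks a practitioner would want before the Option 3 login: that the PEM file really contains both a certificate and a private key, that it is not readable by group or others, and (when openssl is installed) that the certificate has not expired. The function names and the final wrapper around the guide's own az login command are assumptions for illustration; the wrapper needs az on the PATH and does nothing until you call it.

```shell
#!/bin/sh
# Added example (not from the guide or the Azure CLI): pre-flight checks for
# the certificate file used in Option 3, plus a wrapper around the guide's
# login command. Function names and the expected file layout are assumptions.

# check_sp_certificate PATH
# Returns 0 when PATH is a regular file that contains both a PEM certificate
# and a PEM private key (az login needs both in one file) and that is not
# readable by group or others. Otherwise prints the reason and returns 1.
check_sp_certificate() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "certificate check: $f is not a regular file" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "certificate check: $f has no PEM certificate block" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "certificate check: $f has no PEM private key block" >&2
        return 1
    fi
    # The file holds a private key, so group/other must have no access.
    # ls -ld prints e.g. "-rw------- 1 root root ..."; take the 9 mode characters.
    mode=$(ls -ld "$f" | cut -c2-10)
    case $mode in
        ???------) ;;
        *)
            echo "certificate check: $f is mode $mode; fix with: chmod 600 $f" >&2
            return 1
            ;;
    esac
    return 0
}

# sp_certificate_expiry PATH
# Uses openssl, when installed, to print the notAfter date and fail if the
# certificate has already expired, so the cause is clear before az login runs.
sp_certificate_expiry() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping expiry check" >&2
        return 0
    fi
    openssl x509 -in "$1" -noout -enddate -checkend 0
}

# az_login_sp_certificate APP_ID TENANT_ID CERT_PATH
# Runs the guide's Option 3 login only after the checks above pass.
# Requires az on PATH; nothing runs until you call this function.
az_login_sp_certificate() {
    check_sp_certificate "$3" || return 1
    sp_certificate_expiry "$3" || return 1
    az login \
        --service-principal \
        --username "$1" \
        --tenant "$2" \
        --password "$(realpath "$3")"
}
```

In the management environment you would source the file and run az_login_sp_certificate "${AZ_IDENTITY?}" "${AZ_TENANT_ID?}" "${AZ_CERTIFICATE_PATH?}"; a file that fails the permission check is reported rather than used, which matters because the same path stays in use for every later az call.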

Verify

  1. Verify you have successfully signed in to your account:

    root@rok-tools:~# az account show
    {
      "environmentName": "AzureCloud",
      "homeTenantId": "b478f816-f0bc-49db-aca1-57aae4be5493",
      "id": "700556b9-3e58-4978-9cd4-6cb3d7310e03",
      "isDefault": true,
      "managedByTenants": [],
      "name": "Azure subscription",
      "state": "Enabled",
      "tenantId": "b478f816-f0bc-49db-aca1-57aae4be5493",
      "user": {
        "name": "jdoe@example.com",
        "type": "user"
      }
    }
  2. List the role assignments of your identity at the subscription level. Ensure you have an assignment for the Owner role. Alternatively, if you have already created the resources required to deploy Rok and plan to only verify them, an assignment for the Reader role is adequate:

    root@rok-tools:~# az role assignment list \
    >   --assignee ${AZ_IDENTITY?} \
    >   --scope "/subscriptions/${SUBSCRIPTION_ID?}" \
    >   --include-groups \
    >   --include-inherited \
    >   -o table
    Principal                             Role    Scope
    ------------------------------------  ------  ---------------------------------------------------
    0582413e-8670-4817-885e-e8025e956cf7  Owner   /subscriptions/a8eb0222-2657-4a68-ae60-f06536139029

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to list role assignments.

    To proceed, contact your administrator to grant either Owner or Reader permissions to your identity.

  3. Verify you can access Azure Kubernetes Service:

    root@rok-tools:~# az aks list
    []
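The shell helpers below are an added example, not part of this guide or of the Azure CLI. They turn the role-assignment check in step 2 into something scriptable: role_level reads the JSON that az role assignment list prints with -o json and reports whether the identity holds Owner, only Reader, or neither; is_role_read_denied recognises the authorization error quoted under Troubleshooting; check_subscription_access ties the two to the guide's live command. The function names and the sample JSON and error text embedded at the end are constructed for illustration; only check_subscription_access needs az on the PATH, and it does nothing until called.

```shell
#!/bin/sh
# Added example (not from the guide or the Azure CLI): interpret the output
# of "az role assignment list ... -o json" and its authorization error.
# Function names and the sample data below are constructed for illustration.

# role_level
# Reads role assignment JSON on stdin. Prints "Owner", "Reader" or "none";
# returns 0 for Owner or Reader (what this guide asks for) and 1 for none.
role_level() {
    roles=$(grep -o '"roleDefinitionName": *"[^"]*"' | sed 's/.*: *"//; s/"$//')
    if printf '%s\n' "$roles" | grep -qx 'Owner'; then
        echo Owner
    elif printf '%s\n' "$roles" | grep -qx 'Reader'; then
        echo Reader
    else
        # Contributor or custom roles are not what the guide requires.
        echo none
        return 1
    fi
}

# is_role_read_denied
# Reads az's stderr on stdin; succeeds when it is the roleAssignments/read
# authorization error from the Troubleshooting note.
is_role_read_denied() {
    grep -q "does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read'"
}

# check_subscription_access ASSIGNEE SUBSCRIPTION_ID
# Live wrapper for the management environment (requires az): runs the guide's
# command with -o json and feeds the result to the helpers above.
check_subscription_access() {
    err=$(mktemp)
    if out=$(az role assignment list \
                --assignee "$1" \
                --scope "/subscriptions/$2" \
                --include-groups \
                --include-inherited \
                -o json 2>"$err"); then
        rm -f "$err"
        printf '%s\n' "$out" | role_level
    else
        if is_role_read_denied <"$err"; then
            echo "$1 cannot read role assignments on /subscriptions/$2; ask an administrator for Owner or Reader" >&2
        else
            cat "$err" >&2
        fi
        rm -f "$err"
        return 1
    fi
}

# Constructed samples in the shape az prints with -o json (IDs taken from the
# guide's own output), plus the error text from the Troubleshooting note.
SAMPLE_OWNER='[
  {
    "principalId": "0582413e-8670-4817-885e-e8025e956cf7",
    "principalType": "ServicePrincipal",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029"
  }
]'
SAMPLE_READER='[{"principalType": "User", "roleDefinitionName": "Reader", "scope": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029"}]'
SAMPLE_CONTRIBUTOR='[{"principalType": "User", "roleDefinitionName": "Contributor", "scope": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029"}]'
SAMPLE_DENIED="The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid."
```

In the management environment, check_subscription_access "${AZ_IDENTITY?}" "${SUBSCRIPTION_ID?}" prints the role level and exits non-zero when the identity is below Reader or cannot even list assignments, so the check can gate the rest of an installation script.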

Summary

You have successfully configured the Azure CLI for your account in your management environment.

What’s Next

The next step is to set up your cloud environment.