Configure Azure CLI
This guide walks you through configuring the Azure CLI (az) for your Azure account.
Fast Forward
If you have already configured the Azure CLI, use the following steps to fast-forward.
Store your identity. Choose one of the following options depending on whether you have logged in as a user or as a service principal. For a service principal the command is the same whether you authenticated with a password or with a certificate.
- Logged in as a user:
root@rok-tools:~# export AZ_IDENTITY=$(az ad signed-in-user show --query objectId -o tsv)
On Azure CLI 2.37 and later, which reads directory objects from Microsoft Graph, the field is named id rather than objectId; use --query id there. In either case check that AZ_IDENTITY is not empty before continuing, because a query for a field that does not exist returns an empty string without an error.
- Logged in as a service principal (password or certificate):
root@rok-tools:~# export AZ_IDENTITY=$(az account show --query user.name -o tsv)
Store the ID of your active subscription:
root@rok-tools:~# export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
Proceed to the Verify section.
See also: Overview
What You’ll Need
Here is what you’ll need, based on the Azure identity type you want to log in with and the authentication method.
Option 1: User with password
- An Azure account and subscription.
- An existing management environment.
- A user identity with Owner privileges. Alternatively, if you have already created all required resources, you can use a user identity with Reader privileges to verify them.
- The user's password.
Option 2: Service principal with password
- An Azure account and subscription.
- An existing management environment.
- A service principal with Owner privileges. Alternatively, if you have already created all required resources, you can use a service principal with Reader privileges to verify them.
- The application ID of the service principal.
- The ID of the tenant associated with the service principal.
- The service principal password.
Option 3: Service principal with certificate
- An Azure account and subscription.
- An existing management environment.
- A service principal with Owner privileges. Alternatively, if you have already created all required resources, you can use a service principal with Reader privileges to verify them.
- The application ID of the service principal.
- The ID of the tenant associated with the service principal.
- The X509 certificate of the service principal, together with its private key, in PEM format.
Procedure
Switch to your management environment and log in either interactively as a user or using a service principal. Choose one of the following options based on your configuration:
Option 1: User with password
Log in to Azure:
root@rok-tools:~# az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate.
Open your browser, go to https://microsoft.com/devicelogin and enter the authorization code displayed in your terminal. If your Azure CLI version tries to open a browser on the management environment instead of printing a code, rerun the command with the --use-device-code flag.
Sign in with your user credentials in the browser.
Switch back to your management environment and retrieve the object ID of your logged-in user:
root@rok-tools:~# export AZ_IDENTITY=$(az ad signed-in-user show --query objectId -o tsv)
On Azure CLI 2.37 and later, which reads directory objects from Microsoft Graph, the field is named id rather than objectId; use --query id there. Check that AZ_IDENTITY is not empty before continuing: a query for a field that does not exist returns an empty string without an error, and the role assignment check in the Verify section then runs against an empty assignee.
Option 2: Service principal with password
Provide the application ID of the service principal:
root@rok-tools:~# export AZ_IDENTITY=<ID>
Replace <ID> with the application ID, for example:
root@rok-tools:~# export AZ_IDENTITY="00000000-0000-0000-0000-000000000000"
Provide the tenant ID of the service principal:
root@rok-tools:~# export AZ_TENANT_ID=<ID>
Replace <ID> with the tenant ID, for example:
root@rok-tools:~# export AZ_TENANT_ID="00000000-0000-0000-0000-000000000000"
Log in to Azure and provide the password when prompted:
root@rok-tools:~# az login \
>     --service-principal \
>     --username ${AZ_IDENTITY?} \
>     --tenant ${AZ_TENANT_ID?}
Password:
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
    "id": "a8eb0222-2657-4a68-ae60-f06536139029",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription",
    "state": "Enabled",
    "tenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
    "user": {
      "name": "0582413e-8670-4817-885e-e8025e956cf7",
      "type": "servicePrincipal"
    }
  }
]
Type the secret at the prompt rather than passing it on the command line: a value given as an argument is written to the shell history and is visible to other users of the host in the process list while az runs.
Option 3: Service principal with certificate
Provide the application ID of the service principal:
root@rok-tools:~# export AZ_IDENTITY=<ID>
Replace <ID> with the application ID, for example:
root@rok-tools:~# export AZ_IDENTITY="00000000-0000-0000-0000-000000000000"
Provide the tenant ID of the service principal:
root@rok-tools:~# export AZ_TENANT_ID=<ID>
Replace <ID> with the tenant ID, for example:
root@rok-tools:~# export AZ_TENANT_ID="00000000-0000-0000-0000-000000000000"
Provide the path to the file holding the private key and certificate for your service principal:
root@rok-tools:~# export AZ_CERTIFICATE_PATH=<PATH>
Replace <PATH> with the path to your certificate, for example:
root@rok-tools:~# export AZ_CERTIFICATE_PATH=/path/to/certificate.pem
This file contains the service principal's private key. Keep it readable only by the account that runs az, and do not copy it into shared locations such as a repository or a world-readable volume.
Log in to Azure:
root@rok-tools:~# az login \
>     --service-principal \
>     --username ${AZ_IDENTITY?} \
>     --tenant ${AZ_TENANT_ID?} \
>     --password ${AZ_CERTIFICATE_PATH?}
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
    "id": "a8eb0222-2657-4a68-ae60-f06536139029",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure subscription",
    "state": "Enabled",
    "tenantId": "efdf5ee9-f7db-4d0c-abba-0ed41f04ddbc",
    "user": {
      "name": "2b24f971-9962-4de9-a9d0-c31e2e9183b4",
      "type": "servicePrincipal"
    }
  }
]
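The certificate option above hands az a PEM file that holds the service principal's private key. The following shell helper is an added example, not part of the Rok documentation or of the Azure CLI: it checks, before you run az login, that the file in AZ_CERTIFICATE_PATH exists, is readable only by its owner, and contains both a private key block and a certificate block. The function names and the placeholder PEM written by write_sample_pem are constructed for this example; the sample contains marker lines only, no real key material.

```bash
#!/usr/bin/env bash
# Added example (not from the Rok docs): sanity-check the service principal
# PEM before `az login --service-principal ... --password <file>`.
# Assumes a POSIX filesystem, so `ls -l` reports the file mode bits.
set -eu

# check_sp_certificate PATH
#   Returns 0 when PATH exists, has no group/other permission bits, and
#   contains both a PRIVATE KEY block and a CERTIFICATE block.
#   Every failure reason is reported on stderr; all checks run so you see
#   them at once instead of fixing one at a time.
check_sp_certificate() {
    local path="$1" mode rc=0

    if [ ! -f "$path" ]; then
        echo "no such file: $path" >&2
        return 1
    fi

    # Columns 5-10 of `ls -l` are the group and other permission bits.
    # Any bit set there means another account on this host can read the
    # private key, or overwrite the certificate az is about to use.
    mode=$(ls -ld "$path" | cut -c5-10)
    case "$mode" in
        *[rwx]*)
            echo "group/other permissions set on $path ($mode); run: chmod 600 $path" >&2
            rc=1 ;;
    esac

    # az expects the private key in the same PEM as the certificate. A
    # cert-only file fails late with an unhelpful error, so check both
    # blocks up front. The pattern also accepts RSA/ENCRYPTED key headers.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$path"; then
        echo "no private key block in $path" >&2
        rc=1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
        echo "no certificate block in $path" >&2
        rc=1
    fi
    return "$rc"
}

# write_sample_pem PATH
#   Writes a constructed placeholder PEM (marker lines only, not a real
#   key or certificate) with mode 0600 so the check can be tried offline.
write_sample_pem() {
    ( umask 077
      cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
(constructed sample; not a real key)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(constructed sample; not a real certificate)
-----END CERTIFICATE-----
EOF
    )
}

# Usage with the guide's variable, gating the login on the check:
#   check_sp_certificate "${AZ_CERTIFICATE_PATH?}" && az login \
#       --service-principal --username "${AZ_IDENTITY?}" \
#       --tenant "${AZ_TENANT_ID?}" --password "${AZ_CERTIFICATE_PATH?}"
```

The permission test is deliberately strict: it rejects group-readable files as well as world-readable ones, because a management container typically runs everything as one account and there is no legitimate reader other than the owner. The content test only confirms that both PEM blocks are present; it does not validate the key or certificate, which az itself does when it logs in.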
Find your current active subscription. The rest of the installation guide assumes that you will be using this subscription when you create resources via the Azure portal. We will refer to it as your desired subscription:
root@rok-tools:~# az account show --query name -o tsv
Azure subscription
Store the ID of your desired subscription so you can retrieve it later:
root@rok-tools:~# export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
Add the aks-preview extension:
root@rok-tools:~# az extension add --name aks-preview
Update the aks-preview extension to the latest version available:
root@rok-tools:~# az extension update --name aks-preview
Verify
Verify you have successfully signed in to your account:
root@rok-tools:~# az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "b478f816-f0bc-49db-aca1-57aae4be5493",
  "id": "700556b9-3e58-4978-9cd4-6cb3d7310e03",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Azure subscription",
  "state": "Enabled",
  "tenantId": "b478f816-f0bc-49db-aca1-57aae4be5493",
  "user": {
    "name": "jdoe@example.com",
    "type": "user"
  }
}
List the role assignments of your identity at the subscription level. Ensure you have an assignment for the Owner role. Alternatively, if you have already created the resources required to deploy Rok and plan to only verify them, an assignment for the Reader role is adequate. The --include-groups and --include-inherited flags matter here: without them the listing omits roles you hold through group membership or through an assignment at a parent management group, and a sufficiently privileged identity can look unprivileged:
root@rok-tools:~# az role assignment list \
>     --assignee ${AZ_IDENTITY?} \
>     --scope "/subscriptions/${SUBSCRIPTION_ID?}" \
>     --include-groups \
>     --include-inherited \
>     -o table
Principal                             Role    Scope
------------------------------------  ------  ---------------------------------------------------
0582413e-8670-4817-885e-e8025e956cf7  Owner   /subscriptions/a8eb0222-2657-4a68-ae60-f06536139029
Troubleshooting
The command failed with an authorization error
If the above command fails with an error message similar to the following:
The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid. If access was recently granted, please refresh your credentials.
it means that your identity does not have sufficient permissions to list role assignments.
To proceed, contact your administrator to grant either Owner or Reader permissions to your identity. Once the role has been granted, log in again so that az picks up the new access, as the error message suggests.
Verify you can access Azure Kubernetes Service:
root@rok-tools:~# az aks list
[]
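The Verify section leaves the reader to eyeball the role assignment table. The script below is an added example, not part of the Rok documentation: it turns that check into a pass/fail pre-flight step that works for either identity type and both modes the guide describes (a full deployment, which needs Owner, and verification of existing resources, for which Reader is enough). The function names are this example's own; only current_identity, role_names_for and preflight call az, and the decision logic in required_role_present runs offline on a list of role names. The JMESPath expression id || objectId is used so that the user case works on Azure CLI releases before and after 2.37, which renamed the field.

```bash
#!/usr/bin/env bash
# Added example (not from the Rok docs): pre-flight check that the identity
# az is logged in as holds the role the guide requires at subscription scope.
# Assumes the Azure CLI is installed and logged in for the functions that
# call az; required_role_present needs nothing but stdin.
set -eu

# required_role_present MODE
#   Reads role definition names, one per line, on stdin (the shape of
#   `az role assignment list ... --query "[].roleDefinitionName" -o tsv`)
#   and returns 0 when they satisfy MODE:
#     deploy : Owner is required (the installation creates resources and
#              role assignments)
#     verify : Reader is enough when the resources already exist
#   Owner satisfies verify as well. Contributor or custom roles do not
#   count, since the guide asks for exactly these two.
required_role_present() {
    local mode="$1" role found=1
    while IFS= read -r role || [ -n "$role" ]; do
        case "$mode:$role" in
            deploy:Owner|verify:Owner|verify:Reader) found=0 ;;
        esac
    done
    return "$found"
}

# current_identity
#   Reproduces the guide's AZ_IDENTITY choice from the active login: the
#   object ID for a user, the application ID (reported as user.name) for a
#   service principal. `id || objectId` returns whichever field exists.
current_identity() {
    local kind
    kind=$(az account show --query user.type -o tsv)
    case "$kind" in
        user)             az ad signed-in-user show --query 'id || objectId' -o tsv ;;
        servicePrincipal) az account show --query user.name -o tsv ;;
        *) echo "unexpected identity type: $kind" >&2; return 1 ;;
    esac
}

# role_names_for IDENTITY SUBSCRIPTION_ID
#   Role names assigned to IDENTITY at subscription scope, including those
#   inherited through group membership or from a parent management group,
#   which a plain listing would miss.
role_names_for() {
    az role assignment list \
        --assignee "$1" \
        --scope "/subscriptions/$2" \
        --include-groups \
        --include-inherited \
        --query '[].roleDefinitionName' -o tsv
}

# preflight [deploy|verify]
#   Exits non-zero when the signed-in identity cannot be resolved or does
#   not hold a sufficient role on the active subscription.
preflight() {
    local mode="${1:-deploy}" identity subscription roles
    identity=$(current_identity)
    # An empty identity (e.g. a query for a field the CLI no longer returns)
    # would otherwise be passed to --assignee and produce a confusing error.
    [ -n "$identity" ] || { echo "could not resolve the signed-in identity" >&2; return 1; }
    subscription=$(az account show --query id -o tsv)
    roles=$(role_names_for "$identity" "$subscription")
    if printf '%s\n' "$roles" | required_role_present "$mode"; then
        echo "OK: $identity holds a sufficient role for '$mode' on /subscriptions/$subscription"
    else
        echo "FAIL: $identity has roles [$(printf '%s' "$roles" | tr '\n' ' ')] on /subscriptions/$subscription; need Owner (deploy) or Owner/Reader (verify)" >&2
        return 1
    fi
}

# Constructed sample: the page's role assignment table reduced to its
# Role column, for trying required_role_present offline.
sample_roles_from_page() { printf 'Owner\n'; }
```

Run preflight deploy before starting the installation, or preflight verify when you only intend to check resources that already exist. Because it consumes the same az role assignment list call as the guide, it fails with the authorization error described under Troubleshooting whenever the identity lacks even read access to role assignments, which is itself the answer you need.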