Unable to connect to Azure with crossplane #342

Open
Naresh240 opened this issue Jun 17, 2022 · 4 comments

Comments

@Naresh240

Naresh240 commented Jun 17, 2022

I have followed these steps to create a service principal:

az ad sp create-for-rbac --name crossplane --role "Owner" --scopes /subscriptions/81e17b47-6b2f-472a-be80-f33bcc47d9fd > crossplane-azure-provider-key.json

export AZURE_CLIENT_ID=c0d6244f-a92c-4b7f-a8fc-348e88d5ecc7

# add required Azure Active Directory permissions
az ad app permission add --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --api-permissions 1cda74f2-2616-4834-b122-5cb1b07f8a59=Role 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175=Role

# grant (activate) the permissions
az ad app permission grant --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --scope /subscriptions/81e17b47-6b2f-472a-be80-f33bcc47d9fd

az ad app permission admin-consent --id "${AZURE_CLIENT_ID}"

BASE64ENCODED_AZURE_ACCOUNT_CREDS=$(base64 crossplane-azure-provider-key.json | tr -d "\n")

Running the YAML below in a k3d cluster to create a Resource Group:

---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-azure
spec:
  package: crossplane/provider-azure:master
  
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-account-creds
  namespace: crossplane-system
type: Opaque
data:
  credentials: ewogICJhcHBJZCI6ICJjMGQ2MjQ0Zi1hOTJjLTRiN2YtYThmYy0zNDhlODhkNWVjYzciLAogICJkaXNwbGF5TmFtZSI6ICJjcm9zc3BsYW5lIiwKICAicGFzc3dvcmQiOiAiYnBtOFF+T1JzaDZ1bEkweWNwTnFOVzI1ak1uNk9VeFpNVTJ+dWN6RiIsCiAgInRlbmFudCI6ICIwYzg1ZmQ2Mi00MWMxLTRjZjktYjA3Mi00YTM2YTIzNzEyYTQiCn0K
  
---
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: azure-provider
  namespace: crossplane-system
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azure-account-creds
      key: credentials

---
apiVersion: azure.crossplane.io/v1alpha3
kind: ResourceGroup
metadata:
  name: naresh-rg
spec:
  location: West US 2
  providerConfigRef:
    name: azure-provider

Facing the issue below:

[screenshot of the error message]

@lioryantov

lioryantov commented Jun 24, 2022

I used the following commands:
$ az ad sp create-for-rbac --sdk-auth --role Owner --name lypoc-crossplane --scopes /subscriptions/0000000/resourceGroups/lior-rg > "creds.json"

Then the creds.json file looks like this:
$ cat creds.json
{
  "clientId": "xxxxxx",
  "clientSecret": "xxxxxxx",
  "subscriptionId": "yyyyyyy",
  "tenantId": "zzzzzzz",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Then I performed a credential reset on this SP:
$ az ad sp credential reset --years 30 --id "xxxxxxxx"

got the following response and edited the clientSecret field in the creds.json file:
{
  "appId": "xxxx",
  "password": "xxxxxxx",
  "tenant": "yyyyyy"
}

$ kubectl create secret generic azure-creds-jet -n crossplane-system --from-file=creds=./creds.json

$ cat controllerconfig.yaml
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: jet-azure-config
  labels:
    app: crossplane-provider-jet-azure
spec:
  image: crossplane/provider-jet-azure-controller:v0.10.0-preview
  args: ["-d"]

$ cat provider.yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: crossplane-provider-jet-azure
spec:
  package: crossplane/provider-jet-azure:v0.10.0-preview
  controllerConfigRef:
    name: jet-azure-config

$ kubectl apply -f provider.yaml
provider.pkg.crossplane.io/crossplane-provider-jet-azure created
$ kubectl apply -f controllerconfig.yaml
controllerconfig.pkg.crossplane.io/jet-azure-config created

$ cat provider-jet.yaml
apiVersion: azure.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: azure-jet-provider-config
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azure-creds-jet
      key: creds

$ kubectl apply -f provider-jet.yaml
providerconfig.azure.jet.crossplane.io/azure-jet-provider-config created

$ kubectl get crd | grep "crossplane" | wc -l
658

@Naresh240

After adding the details below to the JSON file, I am able to connect to Azure from Crossplane:

  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com/",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"

Thank you!

@lioryantov

Great, happy I could help you.

@bluedog13

bluedog13 commented Sep 14, 2022

The command below is deprecated; I get an error when I try to run it. The recommended approach is to use "role" and "scope" instead of "--sdk-auth".

$ az ad sp create-for-rbac --sdk-auth --role Owner --name lypoc-crossplane --scopes

Is there a solution when using the below?

$ az ad sp create-for-rbac \
        --role Contributor \
        --scopes /subscriptions/[redacted] \
        > "creds.json"

Refer to #351 for resolution for the above.
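The thread turns on the credential layout. `az ad sp create-for-rbac` without `--sdk-auth` prints `appId`/`password`/`tenant`, while the `--sdk-auth` output that worked for lioryantov has `clientId`, `clientSecret`, `subscriptionId`, `tenantId` plus the endpoint URLs; the base64 Secret in the first comment decodes to the former layout, which is why the ProviderConfig could not authenticate until those fields were added. bluedog13's question is how to get that layout now that `--sdk-auth` is deprecated. The script below is an added example written for this page, not code from the Crossplane project or any participant. It maps the non-`--sdk-auth` output onto the `--sdk-auth` field names, fills in the public-cloud endpoint URLs quoted in the thread (an assumption: sovereign clouds use different endpoints, and the required-key set is taken from the `--sdk-auth` output shown above rather than from the provider's source), and checks a Secret's base64 `credentials` value for the required keys before anything is applied to the cluster. Function names and the placeholder identifiers are mine. One practitioner caveat: a client secret pasted into a public issue should be treated as compromised and rotated with `az ad sp credential reset`, the same command used earlier in the thread.

```python
"""Convert `az ad sp create-for-rbac` output (no --sdk-auth) into the
--sdk-auth credential layout provider-azure reads, and check an existing
Kubernetes Secret value for the required keys.

Added example for this issue thread; not Crossplane project code.
Assumptions: REQUIRED_KEYS and the endpoint URLs are copied from the
--sdk-auth output posted in the thread (Azure public cloud only).
"""
import base64
import json

# Field names the --sdk-auth output carries and the provider expects.
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")

# Public-cloud endpoints, copied from the --sdk-auth output in the thread.
PUBLIC_CLOUD_ENDPOINTS = {
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/",
}


def to_sdk_auth(create_for_rbac_json: str, subscription_id: str) -> dict:
    """Map the appId/password/tenant layout onto --sdk-auth field names.

    The subscription is not part of the create-for-rbac output, so it has
    to be supplied by the caller (it is the same id used in --scopes).
    """
    sp = json.loads(create_for_rbac_json)
    try:
        creds = {
            "clientId": sp["appId"],
            "clientSecret": sp["password"],
            "subscriptionId": subscription_id,
            "tenantId": sp["tenant"],
        }
    except KeyError as err:
        raise ValueError(f"create-for-rbac output lacks key {err}") from None
    creds.update(PUBLIC_CLOUD_ENDPOINTS)
    return creds


def render(creds: dict) -> str:
    """Serialise the credential document as the JSON file the Secret holds."""
    return json.dumps(creds, indent=2)


def missing_keys(creds_json: str) -> list:
    """Return the required --sdk-auth keys absent from a credentials JSON."""
    doc = json.loads(creds_json)
    return [k for k in REQUIRED_KEYS if k not in doc]


def encode_secret_value(creds: dict) -> str:
    """Base64 the document for `data.credentials` (equivalent to
    `base64 file | tr -d "\\n"` in the thread: a single line, no newline)."""
    return base64.b64encode(render(creds).encode()).decode()


def check_k8s_secret_value(b64_value: str) -> list:
    """Decode a Secret's base64 `data.credentials` and report missing keys,
    so a ProviderConfig auth failure can be diagnosed offline."""
    return missing_keys(base64.b64decode(b64_value).decode())


# Constructed sample: the shape create-for-rbac prints without --sdk-auth.
# All values are placeholders, not real identifiers or secrets.
SAMPLE_CREATE_FOR_RBAC = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "crossplane",
    "password": "placeholder-secret",
    "tenant": "00000000-0000-0000-0000-000000000002",
})
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000003"

# What a Secret built directly from that output looks like (the failing case).
SAMPLE_BAD_SECRET_VALUE = base64.b64encode(SAMPLE_CREATE_FOR_RBAC.encode()).decode()

if __name__ == "__main__":
    print("keys missing from raw create-for-rbac Secret:",
          check_k8s_secret_value(SAMPLE_BAD_SECRET_VALUE))
    converted = to_sdk_auth(SAMPLE_CREATE_FOR_RBAC, SAMPLE_SUBSCRIPTION)
    print(render(converted))
    print("keys missing after conversion:",
          check_k8s_secret_value(encode_secret_value(converted)))
```

In practice you would feed the real `az ad sp create-for-rbac` output to `to_sdk_auth` together with the subscription id from `--scopes`, write `render(...)` to the credentials file, and run `check_k8s_secret_value` against the base64 value already in a Secret manifest before applying it; a non-empty list from the checker is the same mismatch the first comment hit.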
