Unable to connect to Azure with crossplane #342

Open
Naresh240 opened this issue Jun 17, 2022 · 4 comments

Comments


Naresh240 commented Jun 17, 2022

I have followed these steps to create a service principal:

az ad sp create-for-rbac --name crossplane --role "Owner" --scopes /subscriptions/81e17b47-6b2f-472a-be80-f33bcc47d9fd > crossplane-azure-provider-key.json

export AZURE_CLIENT_ID=c0d6244f-a92c-4b7f-a8fc-348e88d5ecc7

# add required Azure Active Directory permissions
az ad app permission add --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --api-permissions 1cda74f2-2616-4834-b122-5cb1b07f8a59=Role 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175=Role

# grant (activate) the permissions
az ad app permission grant --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --scope /subscriptions/81e17b47-6b2f-472a-be80-f33bcc47d9fd

az ad app permission admin-consent --id "${AZURE_CLIENT_ID}"

BASE64ENCODED_AZURE_ACCOUNT_CREDS=$(base64 crossplane-azure-provider-key.json | tr -d "\n")

Running the below YAML file on a k3d cluster to create a Resource Group:

---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-azure
spec:
  package: crossplane/provider-azure:master
  
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-account-creds
  namespace: crossplane-system
type: Opaque
data:
  credentials: ewogICJhcHBJZCI6ICJjMGQ2MjQ0Zi1hOTJjLTRiN2YtYThmYy0zNDhlODhkNWVjYzciLAogICJkaXNwbGF5TmFtZSI6ICJjcm9zc3BsYW5lIiwKICAicGFzc3dvcmQiOiAiYnBtOFF+T1JzaDZ1bEkweWNwTnFOVzI1ak1uNk9VeFpNVTJ+dWN6RiIsCiAgInRlbmFudCI6ICIwYzg1ZmQ2Mi00MWMxLTRjZjktYjA3Mi00YTM2YTIzNzEyYTQiCn0K
  
---
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: azure-provider
  namespace: crossplane-system
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azure-account-creds
      key: credentials

---
apiVersion: azure.crossplane.io/v1alpha3
kind: ResourceGroup
metadata:
  name: naresh-rg
spec:
  location: West US 2
  providerConfigRef:
    name: azure-provider

Facing the below issue:

[screenshot of the error output; image not reproduced on the page]


lioryantov commented Jun 24, 2022

I used the following commands:
$ az ad sp create-for-rbac --sdk-auth --role Owner --name lypoc-crossplane --scopes /subscriptions/0000000/resourceGroups/lior-rg > "creds.json"

Then the creds.json file looks like this:
$ cat creds.json
{
  "clientId": "xxxxxx",
  "clientSecret": "xxxxxxx",
  "subscriptionId": "yyyyyyy",
  "tenantId": "zzzzzzz",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Then I performed a credential reset on this SP:
$ az ad sp credential reset --years 30 --id "xxxxxxxx"

I got the following response and edited the clientSecret field in the creds.json file accordingly:
{
  "appId": "xxxx",
  "password": "xxxxxxx",
  "tenant": "yyyyyy"
}

$ kubectl create secret generic azure-creds-jet -n crossplane-system --from-file=creds=./creds.json

$ cat controllerconfig.yaml
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: jet-azure-config
  labels:
    app: crossplane-provider-jet-azure
spec:
  image: crossplane/provider-jet-azure-controller:v0.10.0-preview
  args: ["-d"]

$ cat provider.yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: crossplane-provider-jet-azure
spec:
  package: crossplane/provider-jet-azure:v0.10.0-preview
  controllerConfigRef:
    name: jet-azure-config

$ kubectl apply -f provider.yaml
provider.pkg.crossplane.io/crossplane-provider-jet-azure created
$ kubectl apply -f controllerconfig.yaml
controllerconfig.pkg.crossplane.io/jet-azure-config created

$ cat provider-jet.yaml
apiVersion: azure.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: azure-jet-provider-config
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azure-creds-jet
      key: creds

$ kubectl apply -f provider-jet.yaml
providerconfig.azure.jet.crossplane.io/azure-jet-provider-config created

$ kubectl get crd | grep "crossplane" | wc -l
658

Naresh240 (Author) commented

After adding the below details to the JSON file, I am able to connect to Azure from crossplane:

  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com/",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"

Thank you!

lioryantov commented
Great, happy I could help you.


bluedog13 commented Sep 14, 2022

The below command is deprecated; I get an error when I try to run it. The recommended approach is to use "--role" and "--scopes" instead of "--sdk-auth".

$ az ad sp create-for-rbac --sdk-auth --role Owner --name lypoc-crossplane --scopes

Is there a solution when using the below?

$ az ad sp create-for-rbac \
        --role Contributor \
        --scopes /subscriptions/[redacted] \
        > "creds.json"

Refer to #351 for the resolution of the above.
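The three posts above describe the same gap from different sides: the opener's `az ad sp create-for-rbac` without `--sdk-auth` prints only appId/password/tenant (which is what the base64 blob in the posted Secret decodes to), lioryantov's working setup used the `--sdk-auth` document with the endpoint URLs, Naresh240 got connected by adding those endpoint fields by hand, and bluedog13 notes `--sdk-auth` is now deprecated. The following added example (editor's code, not Crossplane's, the Azure CLI's, or the resolution in #351) does that conversion in Python: it maps the plain create-for-rbac or `credential reset` output to the SDK-auth shape, fills in the Azure public cloud endpoints (an assumption; sovereign clouds use different hosts), refuses to emit a Secret when required keys are missing, and renders the Kubernetes Secret manifest. The sample values are constructed placeholders, and the decode helper is there to make the point that the Secret's base64 `data` is an encoding, not a protection: a manifest pasted into a public issue exposes the client secret.

```python
"""Build the SDK-auth style credentials document that provider-azure reads
from the plain `az ad sp create-for-rbac` / `az ad sp credential reset`
output, and wrap it in a Kubernetes Secret manifest.

Added example for this issue thread; it is not Crossplane's or the Azure
CLI's code, and it does not call either tool.
"""
import base64
import json

# Endpoint values for the Azure public cloud, matching the `--sdk-auth`
# document shown in the thread. Assumption: public cloud only.
PUBLIC_CLOUD_ENDPOINTS = {
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/",
}

IDENTITY_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")
# The thread shows the connection failing until the endpoint keys were present,
# so all of them are treated as required here.
REQUIRED_KEYS = IDENTITY_KEYS + tuple(PUBLIC_CLOUD_ENDPOINTS)


def to_sdk_auth(rbac_output: dict, subscription_id: str) -> dict:
    """Map {appId, password, tenant} to the SDK-auth shape. A document that is
    already SDK-auth shaped passes through, with missing endpoints filled in."""
    if "appId" in rbac_output:
        doc = {
            "clientId": rbac_output["appId"],
            "clientSecret": rbac_output["password"],
            "subscriptionId": subscription_id,
            "tenantId": rbac_output["tenant"],
        }
    else:
        doc = {k: rbac_output[k] for k in IDENTITY_KEYS if k in rbac_output}
        doc.setdefault("subscriptionId", subscription_id)
    for key, default in PUBLIC_CLOUD_ENDPOINTS.items():
        doc.setdefault(key, rbac_output.get(key, default))
    return doc


def missing_keys(doc: dict) -> list:
    """Return the required keys that are absent or empty, in a stable order."""
    return [k for k in REQUIRED_KEYS if not doc.get(k)]


def secret_manifest(doc: dict, name: str = "azure-account-creds",
                    namespace: str = "crossplane-system",
                    key: str = "credentials") -> str:
    """Render a Kubernetes Secret whose data[key] is the base64 of the JSON.
    Raises ValueError instead of emitting a Secret the provider cannot use."""
    problems = missing_keys(doc)
    if problems:
        raise ValueError("credentials document is missing: " + ", ".join(problems))
    b64 = base64.b64encode(json.dumps(doc, indent=2).encode()).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: Opaque",
        "data:",
        f"  {key}: {b64}",
        "",
    ])


def secret_from_manifest(manifest: str, key: str = "credentials") -> dict:
    """Inverse of secret_manifest: base64 is reversible, so anyone who can
    read a pasted manifest recovers clientSecret in cleartext."""
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith(key + ":"):
            return json.loads(base64.b64decode(stripped.split(":", 1)[1].strip()))
    raise KeyError(key)


# Constructed sample in the shape `az ad sp create-for-rbac` prints without
# --sdk-auth. Placeholder values only, not real identifiers or secrets.
SAMPLE_RBAC_OUTPUT = {
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "crossplane",
    "password": "not-a-real-secret",
    "tenant": "00000000-0000-0000-0000-000000000002",
}
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000003"

if __name__ == "__main__":
    creds = to_sdk_auth(SAMPLE_RBAC_OUTPUT, SAMPLE_SUBSCRIPTION)
    print(secret_manifest(creds))
```

Feed the script the JSON the non-deprecated `az ad sp create-for-rbac --role ... --scopes ...` prints, plus the subscription ID from the scope, and apply the printed manifest with kubectl; the ProviderConfig then references the Secret exactly as in the posts above. Because the manifest carries the secret in recoverable form, treat it like the secret itself and keep it out of issues, commits and chat.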
