Creating Azure API Credentials

Before you get started

To use Kublr, you’ll need a Microsoft Azure subscription account, as well as validated Kublr credentials.

Required permissions

To register your application, you must have sufficient permissions in your Azure AD tenant, and you must be able to assign the application to a role in your Azure subscription. To ensure you have the right permissions, perform the following steps.

Check Azure Active Directory permissions

  1. Log in to your Azure Account through the Azure portal.

  2. Select Azure Active Directory.

  3. In Azure Active Directory, select User settings.

  4. Check the App registrations setting. If set to Yes, non-admin users can register AD apps. This setting means any user in the Azure AD tenant can register an app. You can proceed to Check Azure subscription permissions.

  5. If the App registrations setting is set to No, only admin users can register apps. To check whether your account is an admin for the Azure AD tenant:

    1. Navigate back to Azure Active Directory.

    2. On the left panel, click Users. The All users (Preview) page is displayed.

    3. Click the name of your user (use Search if necessary). The page of the user is displayed.

    4. Click Assigned roles.

    5. Make sure one of the following assignments is present:

      • Application administrator for the “Directory” resource
      • Cloud application administrator for the “Directory” resource

    6. If not, add one of them.

    NOTE Alternatively, you may ask your administrator to add the “register app” permission to one of your user’s existing roles.

Check Azure subscription permissions

In your Azure subscription, your account must have the Microsoft.Authorization/*/Write permission to assign an AD app to a role. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned to the Contributor role, you do not have the required permission and will receive an error when attempting to assign the service principal to a role.

To check your subscription permissions:

  1. Navigate to Azure Active Directory.
  2. On the left panel, click Users. The All users (Preview) page is displayed.
  3. Click the name of your user (use Search if necessary). The page of the user is displayed.
  4. Click Azure role assignments.
  5. View your assigned roles, and determine if you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. For example, a user assigned to the Owner role for a subscription has the required permission level.
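
The check above can be reasoned about from the role definitions themselves. The following is an added example, not part of the original Kublr documentation: it evaluates abridged, constructed copies of three built-in role definitions and shows why Contributor cannot assign roles while Owner and User Access Administrator can, including the scope inheritance described under "Assign role to application". The action name Microsoft.Authorization/roleAssignments/write, the placeholder subscription ID and all function names are assumptions made for illustration.

```python
import re

# Constructed, abridged copies of Azure built-in role definitions.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}
# Assumption: the operation needed to assign an app to a role.
REQUIRED = "Microsoft.Authorization/roleAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID


def matches(patterns, action):
    """Case-insensitive match where '*' is the only wildcard."""
    return any(
        re.fullmatch(re.escape(p).replace(r"\*", ".*"), action, re.IGNORECASE)
        for p in patterns
    )


def role_allows(role, action):
    """Granted by Actions and not subtracted by the same role's NotActions."""
    d = ROLES[role]
    return matches(d["actions"], action) and not matches(d["not_actions"], action)


def scope_covers(assigned, target):
    """An assignment applies at its own scope and at every scope below it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def roles_permitting_assignment(assignments, target_scope):
    """Names of the user's roles that allow REQUIRED at target_scope.

    NotActions is not a deny: another assigned role can still grant the action.
    """
    return [
        a["role"] for a in assignments
        if scope_covers(a["scope"], target_scope) and role_allows(a["role"], REQUIRED)
    ]
```

An empty result for your own assignments at the subscription scope corresponds to the error described above when assigning the service principal to a role.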

Get subscription ID

  1. Log in to your Azure Account through the Azure portal.
  2. Open Subscriptions.
  3. Copy the Subscription ID.

Create Azure Active Directory application

  1. Log in to your Azure Account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations > New registration.

  4. Set the application name.

  5. Leave Redirect URI blank, or select Web/API as the type and enter the address of your Kublr control plane as the URI.

    NOTE You cannot create credentials for a Native application; therefore, that type does not work for an automated application.

  6. Click Register. You have created your application.

Get application ID and authentication key

When programmatically logging in, you need the ID for your application and an authentication key. To get those values, use the following steps:

  1. In Azure Active Directory, on the left panel, click App registrations.

  2. Use the Owned applications tab.

  3. For your application, copy its Application (client) ID and store it. You will use this value as the Client ID later.

  4. To generate an authentication key:

    1. Go to your application page.

    2. On the left panel, click Certificates & secrets.

    3. In the Client secrets section, click New client secret.

    4. Provide a description and a duration for the secret. When done, save. In the Client secrets section, the new secret along with its value is displayed.

    5. Copy the Value now; you will not be able to retrieve it later.

    6. Use this value later as the Client Secret.

Get Tenant ID

When programmatically logging in, you need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.
  2. On the left panel, the Overview section should be selected.
  3. From the Overview tab, copy the Tenant ID.

Assign role to application

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains. Kublr requires the Contributor role so that it can provision virtual machines and prepare your infrastructure to run Kublr.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or resource.
  2. Select Access Control (IAM).
  3. Click Add > Add role assignment. The Add role assignment panel is displayed.
  4. In the Add role assignment panel, set Role to “Contributor”.
  5. Type in the Select field to find and select your application.
  6. Click Save.