Creating Azure API credentials

Before You Get Started

To use Kublr, you’ll need a Microsoft Azure subscription account, as well as validated Kublr credentials.

Required Permissions

To register your application, you must have sufficient permissions with your Azure AD tenant and assign the application to a role in your Azure subscription. To ensure you have the right permissions, please perform the following steps.

Check Azure Active Directory Permissions

  1. Log in to your Azure Account through the Azure portal.
  2. Select Azure Active Directory.
  3. In Azure Active Directory, select User settings.
  4. Check the App registrations setting. If set to Yes, non-admin users can register AD apps. This setting means any user in the Azure AD tenant can register an app. You can proceed to Check Azure subscription permissions.
  5. If the app registrations setting is set to No, only admin users can register apps. Check whether your account is an admin for the Azure AD tenant. Select Overview and Find a user from Quick tasks.
  6. Search for your account, and select it when you find it.
  7. For your account, select Directory role.
  8. View your assigned directory role in Azure AD. If your account is assigned to the User role, but the app registration setting (from the preceding steps) is limited to admin users, ask your administrator to either assign you to an administrator role, or to enable users to register apps.

Check Azure Subscription Permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write permission to assign an AD app to a role. This action is granted through the Owner role or User Access Administrator role. If your account is assigned to the Contributor role, you do not have the required permission and will receive an error when attempting to assign the service principal to a role.

To check your subscription permissions:

  1. If you are not already looking at your Azure AD account from the preceding steps, select Azure Active Directory from the left pane.
  2. Find your Azure AD account. Select Overview and Find a user from Quick tasks.
  3. Search for your account, and select it when you find it.
  4. Select Azure resources.
  5. View your assigned roles, and determine if you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned to the Owner role for two subscriptions, which means that the user has the required permission level.

Getting Subscription ID

  1. Log in to your Azure Account through the Azure portal.
  2. Open Subscriptions.
  3. Copy SUBSCRIPTION ID. This value is your Subscription ID.

Creating an Azure Active Directory Application

  1. Log in to your Azure Account through the Azure portal.
  2. Select Azure Active Directory.
  3. Select App registrations.
  4. Select New application registration.
  5. Provide a name and URL for the application. Select Web app / API for the type of application you want to create. You cannot create credentials for a Native application; therefore, that type does not work for an automated application. After setting the values, select Create.

You have created your application.

Getting Application ID and Authentication Key

When programmatically logging in, you need the ID for your application and an authentication key. To get those values, use the following steps:

  1. From App registrations in Azure Active Directory, select your application.
  2. Copy the Application ID and store it. You will use this value as the Client ID later.
  3. To generate an authentication key, select Keys.
  4. Provide a description of the key, and a duration for the key. When done, select Save.
  5. After saving the key, the value of the key is displayed. Copy this value because you are not able to retrieve the key later. Use this value later as Client Secret.

Getting Tenant ID

When programmatically logging in, you need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.
  2. To get the tenant ID, select Properties for your Azure AD tenant.
  3. Copy the Directory ID. This value is your Tenant ID.
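
How the Tenant ID, Client ID and Client Secret collected above fit into a programmatic login, as an added example that is not part of the original Kublr documentation. It builds the OAuth 2.0 client-credentials request for the public-cloud Azure AD token endpoint without sending it; the function names and all sample values are constructed for illustration. The Subscription ID is not part of the token request; it is used later, in calls to the management API.

```python
import uuid
from urllib.parse import urlencode

# Public-cloud Azure AD token endpoint and the Azure Resource Manager resource URI.
AUTHORITY = "https://login.microsoftonline.com"
ARM_RESOURCE = "https://management.azure.com/"


def require_guid(name, value):
    """Return the canonical GUID string, or raise if the value is not a GUID."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{name} is not a GUID: {value!r}") from None


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth 2.0 client-credentials token request."""
    tenant = require_guid("Tenant ID", tenant_id)
    client = require_guid("Client ID", client_id)
    if not client_secret or not client_secret.strip():
        raise ValueError("Client Secret is empty")
    # The tenant ID selects the directory; it goes in the URL path, not the body.
    url = f"{AUTHORITY}/{tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client,
        "client_secret": client_secret,
        "resource": ARM_RESOURCE,
    })
    return url, body


def redact_secret(body):
    """Mask the client_secret field so the request can be logged safely."""
    return "&".join(
        "client_secret=***" if field.startswith("client_secret=") else field
        for field in body.split("&")
    )


if __name__ == "__main__":
    # Constructed sample values; real ones come from the portal steps above.
    url, body = build_token_request(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "constructed-sample-secret",
    )
    print("POST", url)
    print(redact_secret(body))
```

A GUID check catches the common mistake of pasting the key description or application name where the Application ID or Directory ID belongs.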

Assigning Application to Role

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains. Kublr requires the Contributor role so that it can provision virtual machines and prepare your infrastructure to run Kublr.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or resource.
  2. Select the particular subscription (resource group or resource) to assign the application to.
  3. Select Access Control (IAM).
  4. Click the Add button.
  5. Select the role you wish to assign to the application. The following image shows the Contributor role.
  6. Search for your application, and select it.
  7. Select Save to finish assigning the role. You will see your application in the list of users assigned to a role for that scope.
  7. Select Save to finish assigning the role. You will see your application in the list of users assigned to a role for that scope.
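
To make the scope inheritance described in this section concrete when reviewing what an application can reach, the following added example (not part of the original Kublr documentation) works out which role assignments apply to a given resource ID. The function names, subscription, resource groups and VMs are hypothetical, constructed for illustration.

```python
def scope_segments(scope):
    """Split an ARM scope into lower-cased path segments (IDs compare case-insensitively)."""
    return [part.lower() for part in scope.strip().split("/") if part]


def scope_level(scope):
    """Classify a scope as 'subscription', 'resource group' or 'resource'."""
    seg = scope_segments(scope)
    if len(seg) >= 2 and seg[0] == "subscriptions":
        if len(seg) == 2:
            return "subscription"
        if seg[2] == "resourcegroups" and len(seg) == 4:
            return "resource group"
        if seg[2] == "resourcegroups" and len(seg) >= 8 and seg[4] == "providers":
            return "resource"
    raise ValueError(f"unrecognised scope: {scope!r}")


def covers(assignment_scope, resource_id):
    """True if a role assigned at assignment_scope is inherited by resource_id."""
    a, r = scope_segments(assignment_scope), scope_segments(resource_id)
    # Compare whole path segments: a plain string prefix test would let
    # ".../resourceGroups/kublr" wrongly cover ".../resourceGroups/kublr-prod".
    return r[:len(a)] == a


def inherited_roles(assignments, resource_id):
    """Return the (role, level) pairs from assignments that apply to resource_id."""
    return [
        (role, scope_level(scope))
        for role, scope in assignments
        if covers(scope, resource_id)
    ]


# Constructed sample data (hypothetical subscription, groups and VMs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [("Contributor", SUB + "/resourceGroups/kublr"), ("Reader", SUB)]
VM_IN_SCOPE = SUB + "/resourcegroups/KUBLR/providers/Microsoft.Compute/virtualMachines/node1"
VM_OTHER_RG = SUB + "/resourceGroups/kublr-prod/providers/Microsoft.Compute/virtualMachines/db1"

if __name__ == "__main__":
    for vm in (VM_IN_SCOPE, VM_OTHER_RG):
        print(vm.rsplit("/", 1)[-1], inherited_roles(ASSIGNMENTS, vm))
```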