Skip to content

Instantly share code, notes, and snippets.

@binamov

binamov/az-chef.md

Last active March 23, 2018 00:11
Show Gist options
  • Save binamov/57b187c77833d70e7928ecf56235d8df to your computer and use it in GitHub Desktop.
Save binamov/57b187c77833d70e7928ecf56235d8df to your computer and use it in GitHub Desktop.
Download ZIP
setting up azure service principal for chef
Raw
az-chef.md

Create Azure RM Service Principal

This makes kitchen-azurerm and knife-azure ARM mode work

  1. Install Azure CLI

  2. Run az login and take note of its output:

    [
  {
    "cloudName": "AzureCloud",
    "id": "AZURE_SUBSCRIPTION_ID",
    "isDefault": true,
    "name": "Partner Engineering",
    "state": "Enabled",
    "tenantId": "AZURE_TENANT_ID",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]

  3. Create Service Principal and note its output too:

    az ad sp create-for-rbac --name YourAwesomeAppName

    {
  "appId": "AZURE_CLIENT_ID",
  "displayName": "YourAwesomeAppName",
  "name": "http://YourAwesomeAppName",
  "password":     "AZURE_CLIENT_SECRET",
  "tenant": "AZURE_TENANT_ID_AGAIN"
}

  4. Set the following environment variables, substituting for values from the previous commands as shown:

    AZURE_SUBSCRIPTION_ID="ID_FROM_AZ_LOGIN_COMMAND"
AZURE_TENANT_ID="TENANTID_FROM_AZ_LOGIN_TOO"
AZURE_CLIENT_ID="APPID_FROM_SP_CREATE"
AZURE_CLIENT_SECRET="PASSWORD_FROM_SP_CREATE"

  5. That's it. Well done! Now you can configure the Chef bits:

Configure kitchen-azurerm:

  1. Use the .kitchen.yml samples verbatim from the driver documentation, substituting for the Subscription ID as shown:

    driver_config:
  subscription_id: <%= ENV['AZURE_SUBSCRIPTION_ID'] %>

  2. That's it. Dead easy!

Configure knife-azure ARM mode:

  1. Add this to your .chef/knife.rb :

    knife[:azure_subscription_id]  = ENV['AZURE_SUBSCRIPTION_ID']
knife[:azure_tenant_id]        = ENV['AZURE_TENANT_ID']
knife[:azure_client_id]        = ENV['AZURE_CLIENT_ID']
knife[:azure_client_secret]    = ENV['AZURE_CLIENT_SECRET']

That should do it. You can now list create delete VMs in Azure!

Configure wombat with AZURE_OBJECT_ID:

  1. To wombat successfully you also need to set the AZURE_OBJECT_ID environment variable :

    az role assignment list --assignee APPID_FROM_SP_CREATE

      {
    "id": "/subscriptions/your-subscription-id/providers/Microsoft.Authorization/roleAssignments/your-role-name",
    "name": "your-role-name",
    "properties": {
      "principalId": "THIS-IS-YOUR-OBJECT-ID-HERE",
      "principalName": "http://YourAwesomeAppName",
      "roleDefinitionId": "/subscriptions/your-subscription-id/providers/Microsoft.Authorization/roleDefinitions/role-definition-d",
      "roleDefinitionName": "Contributor",
      "scope": "/subscriptions/your-subscription-id"
    },
    "type": "Microsoft.Authorization/roleAssignments"
  }

  2. That should do it. You can now wombat build -o azure-arm --parallel to build your chef demos in Azure!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment