github.com/kikitux/packer@v0.10.1-0.20160322154024-6237df566f9f/website/source/docs/builders/azure-setup.html.md (about)

     1  ---
     2  description: |
     3      
     4  layout: docs
     5  page_title: Authorizing Packer Builds in Azure
     6  ...
     7  
     8  # Authorizing Packer Builds in Azure
     9  
    10  In order to build VMs in Azure packer needs 6 configuration options to be specified:
    11  
    12  - `tenant_id` - UUID identifying your Azure account (where you login)
    13  - `subscription_id` - UUID identifying your Azure subscription (where billing is handled)
    14  - `client_id` - UUID identifying the Active Directory service principal that will run your packer builds
    15  - `client_secret` - service principal secret / password
    16  - `resource_group_name` - name of the resource group where your VHD(s) will be stored
    17  - `storage_account` - name of the storage account where your VHD(s) will be stored
    18  
    19  -> Behind the scenes packer uses the OAuth protocol to authenticate against Azure Active Directory and authorize requests to the Azure Service Management API. These topics are unncessarily complicated so we will try to ignore them for the rest of this document.<br /><br />You do not need to understand how OAuth works in order to use Packer with Azure, though the Active Directory terms "service principal" and "role" will be useful for understanding Azure's access policies.
    20  
    21  In order to get all of the items above, you will need a username and password for your Azure account.
    22  
    23  ## Install the Azure CLI
    24  
    25  To get the credentials above, we will need to install the Azure CLI. Please refer to Microsoft's official [intallation guide](https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/).
    26  
    27  -> The guides below also use a tool called [`jq`](https://stedolan.github.io/jq/) to simplify the output from the Azure CLI, though this is optional. If you use homebrew you can simply `brew install node jq`.
    28  
    29  If you already have node.js installed you can use `npm` to install `azure-cli`:
    30  
    31      npm install -g azure-cli --no-progress
    32  
    33  ## Guided Setup
    34  
    35  The packer project includes a [setup script](https://github.com/mitchellh/packer/blob/master/contrib/azure-setup.sh) that can help you setup your account. It uses an interactive bash script to log you into Azure, name your resources, and export your packer configuration.
    36  
    37  ## Manual Setup
    38  
    39  If you want more control or the script does not work for you, you can also use the manual instructions below to setup your Azure account. You will need to manually keep track of the various account identifiers, resource names, and your service principal password.
    40  
    41  ### Identify Your Tenant and Subscription IDs
    42  
    43  Login using the Azure CLI
    44  
    45      azure config mode arm
    46      azure login -u USERNAME
    47  
    48  Get your account information
    49  
    50      azure account list --json | jq .[].name
    51      azure account set ACCOUNTNAME
    52      azure account show --json | jq ".[] | .tenantId, .id"
    53  
    54  -> Throughout this document when you see a command pipe to `jq` you may instead omit `--json` and everything after it, but the output will be more verbose. For example you can simply run `azure account list` instead._
    55  
    56  This will print out two lines that look like this:
    57  
    58      "4f562e88-8caf-421a-b4da-e3f6786c52ec"
    59      "b68319b-2180-4c3e-ac1f-d44f5af2c6907"
    60  
    61  The first one is your `tenant_id`. The second is your `subscription_id`. Note these for later.
    62  
    63  ### Create a Resource Group
    64  
    65  A [resource group](https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/#resource-groups) is used to organize related resources. Resource groups and storage accounts are tied to a location. To see available locations, run:
    66  
    67      azure location list
    68      ...
    69      azure group create -n GROUPNAME -l LOCATION
    70  
    71  Your storage account (below) will need to use the same `GROUPNAME` and `LOCATION`.
    72  
    73  ### Create a Storage Account
    74  
    75  We will need to create a storage account where your packer artifacts will be stored. We will create a `LRS` storage account which is the least expensive price/GB at the time of writing.
    76  
    77      azure storage account create -g GROUPNAME \
    78          -l LOCATION --type LRS STORAGENAME
    79  
    80  -> `LRS` is meant as a literal "LRS" and not as a variable.
    81  
    82  Make sure that `GROUPNAME` and `LOCATION` are the same as above.
    83  
    84  ### Create an Application
    85  
    86  An application represents a way to authorize access to the Azure API. Note that you will need to specify a URL for your application (this is intended to be used for OAuth callbacks) but these do not actually need to be valid URLs.
    87  
    88      azure ad app create -n APPNAME -i APPURL --home-page APPURL -p PASSWORD
    89  
    90  Password is your `client_secret` and can be anything you like. I recommend using `openssl rand -base64 24`.
    91  
    92  ### Create a Service Principal
    93  
    94  You cannot directly grant permissions to an application. Instead, you create a service principal associated with the application and assign permissions to the service principal.
    95  
    96  First, get the `APPID` for the application we just created.
    97  
    98      azure ad app list --json | \ 
    99          jq '.[] | select(.displayName | contains("APPNAME")) | .appId'
   100      azure ad sp create --applicationId APPID
   101  
   102  ### Grant Permissions to Your Application
   103  
   104  Finally, we will associate the proper permissions with our application's service principal. We're going to assign the `Owner` role to our packer application and change the scope to manage our whole subscription. This allows Packer to create temporary resource groups for each build.
   105  
   106      azure role assignment create --spn APPURL -o "Owner" \
   107          -c /subscriptions/SUBSCRIPTIONID
   108  
   109  There are a lot of pre-defined roles and you can define your own with more granular permissions, though this is out of scope. You can see a list of pre-configured roles via:
   110  
   111      azure role list --json | \
   112          jq ".[] | {name:.Name, description:.Description}"
   113  
   114  ### Configuring Packer
   115  
   116  Now (finally) everything has been setup in Azure. Let's get our configuration keys together:
   117  
   118  Get `tenant_id` and `subscription_id`:
   119  
   120      azure account show --json | jq ".[] | .tenantId, .id"
   121  
   122  Get `client_id`
   123  
   124      azure ad app list --json | \
   125          jq '.[] | select(.displayName | contains("APPNAME")) | .appId'
   126  
   127  Get `client_secret`
   128  
   129  This cannot be retrieved. If you forgot this, you will have to delete and re-create your service principal and the associated permissions.
   130  
   131  Get `resource_group_name`
   132  
   133      azure group list
   134  
   135  Get `storage_account`
   136  
   137      azure storage account list