Cloud TAP - Azure - Creating Application ID and assigning required roles

The Application ID is referred to as Client ID in the Supervisor UI. This article uses the terms interchangeably. The Application ID must hold the four roles assigned in the steps below (Contributor, plus the three Key Vault and storage roles of step 6).

1. Create a new App Registration (Application ID or Client ID)

az ad app create --display-name <app name> --query appId -o tsv

Sample command:

az ad app create --display-name myapp1 --query appId -o tsv

The command above creates an Application ID named myapp1 and displays its ID. Copy this ID. For our purposes, we will assume the ID is c0303030-0303-0303-0303-030303030303. This ID will be used as an example for simplicity.

Use the following command to see the application details:

az ad app show --id <app id> --query "{displayName:displayName, appId:appId, objectId:id}" -o table

Sample command:

az ad app show --id c0303030-0303-0303-0303-030303030303 --query "{displayName:displayName, appId:appId, objectId:id}" -o table

2. Create the Service Principal for the application

az ad sp create --id <app id>

Sample command:

az ad sp create --id c0303030-0303-0303-0303-030303030303

3. Create a client secret (with 1-year expiry date)

az ad app credential reset --id <app id> --display-name myapp1-secret --years 1

Sample command:

az ad app credential reset --id c0303030-0303-0303-0303-030303030303 --display-name myapp1-secret --years 1

The command above will display the password. Make sure to save it, as it cannot be viewed later. We will use this password in Supervisor during the creation of the virtual environment.

4. Assign the Contributor role to the Application ID

The scope should be either the Subscription or a Resource Group. For this example, we will assume the Subscription ID is b0202020-0202-0202-0202-020202020202. Without this role, an Azure virtual environment cannot be created on Supervisor.

az role assignment create --assignee <app id> --role Contributor --scope /subscriptions/<subscription id>

Sample command (scope is Subscription):

az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role Contributor --scope /subscriptions/b0202020-0202-0202-0202-020202020202

Sample command (scope is a Resource Group):

az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role Contributor --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/myresourcegroup1

Verify the role assignment:

az role assignment list --assignee c0303030-0303-0303-0303-030303030303 --all -o table

5. Create a Resource Group (RG) for holding the Key Vault and/or storage accounts

The Resource Group's name should start with profitap. The naming is not case-sensitive.

az group create --name <profitap resource group> --location <location>

Sample command:

az group create --name profitap-rg1 --location northeurope

Verify the Resource Group:

az group show --name profitap-rg1 -o table

Supervisor uses a Key Vault for Linux VMs and a storage account for Windows VMs.

Creating a Resource Group (RG) whose name begins with profitap (case-insensitive) is not mandatory, but strongly recommended. Using a dedicated RG allows Supervisor to keep its components (Key Vault and storage accounts) organized in one place. During tapping-agent deployment to VMs, Supervisor searches for an RG whose name starts with profitap and will create the Key Vault and storage accounts inside of that RG.

If a dedicated “profitap” RG is not present, Supervisor will create the Key Vault and storage accounts in the alphabetically first existing RG.

6. Assign roles to the Service Principal at the Resource Group, Subscription, or profitap-RG scope

Sample commands (the scope is profitap-RG):

az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Key Vault Secrets Officer" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Key Vault Data Access Administrator" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Storage Blob Data Contributor" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1

Alternatively, the scope in the above role assignments could be the whole Subscription or a specific Resource Group.

--scope /subscriptions/b0202020-0202-0202-0202-020202020202
--scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/rg2

Verify that the application has the required roles. Four roles must be assigned to the application for Windows and Linux VMs.

az role assignment list --assignee c0303030-0303-0303-0303-030303030303 --all -o table
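Reading the table printed by the verify command by eye is error-prone when roles are spread across Subscription and Resource Group scopes. The following script is an added example (not part of this article or of Supervisor) that checks the JSON output of the same command (run with -o json instead of -o table) for the four required roles at a given scope, taking RBAC inheritance into account: a role assigned on the Subscription also applies to every Resource Group in it. It also mirrors the Resource Group selection rule described in step 5. The assignment list it checks is a constructed sample built around the example IDs above; the tie-breaking rule when several RGs start with profitap is an assumption, as the article does not say how Supervisor chooses between them.

```python
"""Check that the Supervisor service principal holds the required Azure roles.

Intended input is the output of:
    az role assignment list --assignee <app id> --all -o json
The assignments below are a constructed sample, not real az output.
"""
import json

# The four roles the procedure assigns (step 4 and step 6).
REQUIRED_ROLES = {
    "Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Data Access Administrator",
    "Storage Blob Data Contributor",
}

SUBSCRIPTION = "/subscriptions/b0202020-0202-0202-0202-020202020202"

# Constructed sample in the shape of `az role assignment list -o json`
# (only the two fields used here). The storage role is deliberately placed
# on another RG so the check reports it as missing for profitap-rg1.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": SUBSCRIPTION},
    {"roleDefinitionName": "Key Vault Secrets Officer",
     "scope": SUBSCRIPTION + "/resourceGroups/profitap-rg1"},
    {"roleDefinitionName": "Key Vault Data Access Administrator",
     "scope": SUBSCRIPTION + "/resourceGroups/profitap-rg1"},
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUBSCRIPTION + "/resourceGroups/rg2"},
])


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assigned_scope applies to target_scope.

    Azure RBAC inherits downwards, so a Subscription-level assignment covers
    every Resource Group in that Subscription. The comparison is
    case-insensitive because ARM resource IDs are. The trailing "/" prevents
    ".../profitap-rg1" from matching ".../profitap-rg10".
    """
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def missing_roles(assignments_json: str, target_scope: str) -> list:
    """Return the required roles that do not apply at target_scope, sorted."""
    assignments = json.loads(assignments_json)
    effective = {
        a["roleDefinitionName"]
        for a in assignments
        if scope_covers(a["scope"], target_scope)
    }
    return sorted(REQUIRED_ROLES - effective)


def pick_supervisor_rg(resource_groups: list) -> str:
    """Mirror the step 5 rule: an RG whose name starts with "profitap"
    (case-insensitive) wins; otherwise the alphabetically first RG is used.
    Assumption: if several RGs start with "profitap", the alphabetically
    first of them is chosen (the article does not specify the tie-break).
    """
    dedicated = [rg for rg in resource_groups if rg.lower().startswith("profitap")]
    candidates = dedicated or list(resource_groups)
    return sorted(candidates, key=str.lower)[0]


if __name__ == "__main__":
    rg_scope = SUBSCRIPTION + "/resourceGroups/profitap-rg1"
    gaps = missing_roles(SAMPLE_ASSIGNMENTS, rg_scope)
    print("Missing at", rg_scope, ":", gaps or "none")
    print("Supervisor will use RG:", pick_supervisor_rg(["rg2", "Profitap-RG1", "aaa-rg"]))
```

To use it against a real tenant, pipe the JSON from az role assignment list --assignee <app id> --all -o json into missing_roles in place of SAMPLE_ASSIGNMENTS and pass the scope of the profitap RG; an empty list means all four roles are effective there.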