Cloud TAP - Azure - Creating Application ID and assigning required roles
The Application ID is referred to as Client ID in the Supervisor UI. This article uses the terms interchangeably. The Application ID must have the following roles:
- Contributor Role
This role enables the Service Vehicle (SV) to create virtual environments on Azure via the Application ID (Client ID). The scope of this role can be either a Subscription or a Resource Group.
- Storage Blob Data Contributor
This role allows the SV to create storage accounts for traffic mirroring for Windows VMs via the Application ID. If no Windows VMs are targeted by Supervisor, this role may be omitted. The scope can be a Subscription, a Resource Group, or a Resource Group prefixed with profitap.
- Key Vault Secrets Officer
This role enables the SV to create Key Vaults for Linux VMs through the Application ID. If no Linux VMs are targeted by Supervisor, this role may be omitted. The scope can be a Subscription, a Resource Group, or a Resource Group prefixed with profitap.
- Key Vault Data Access Administrator
This role allows the SV to assign roles on the Key Vault for Linux VMs via the Application ID. If no Linux VMs are targeted by Supervisor, this role may be omitted. The scope can be a Subscription, a Resource Group, or a Resource Group prefixed with profitap.
1. Create a new App Registration (Application ID or Client ID)
az ad app create --display-name <app name> --query appId -o tsv
Sample command:
az ad app create --display-name myapp1 --query appId -o tsv
The command above creates an Application ID named myapp1 and displays its ID. Copy this ID. For our purposes, we will assume the ID is c0303030-0303-0303-0303-030303030303. This ID will be used as an example for simplicity.
Use the following command to see the application details:
az ad app show --id <app id> --query "{displayName:displayName, appId:appId, objectId:id}" -o table
Sample command:
az ad app show --id c0303030-0303-0303-0303-030303030303 --query "{displayName:displayName, appId:appId, objectId:id}" -o table
2. Create the Service Principal for the application
az ad sp create --id <app id>
Sample command:
az ad sp create --id c0303030-0303-0303-0303-030303030303
3. Create a client secret (with 1-year expiry date)
az ad app credential reset --id <app id> --display-name myapp1-secret --years 1
Sample command:
az ad app credential reset --id c0303030-0303-0303-0303-030303030303 --display-name myapp1-secret --years 1
The command above will display the password. Make sure to save it, as it cannot be viewed later. We will use this password in Supervisor during the creation of the virtual environment.
4. Assign the Contributor role to the Application ID
The scope should be either the Subscription or a Resource Group. For this example, we will assume the Subscription ID is b0202020-0202-0202-0202-020202020202. Without this role, an Azure virtual environment cannot be created on Supervisor.
az role assignment create --assignee <app id> --role Contributor --scope /subscriptions/<subscription id>
Sample command (scope is Subscription):
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role Contributor --scope /subscriptions/b0202020-0202-0202-0202-020202020202
Sample command (scope is a Resource Group):
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role Contributor --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/myresourcegroup1
Verify the role assignment:
az role assignment list --assignee c0303030-0303-0303-0303-030303030303 --all -o table
5. Create a Resource Group (RG) for holding the Key Vault and/or storage accounts
The Resource Group's name should start with profitap. The naming is not case-sensitive.
az group create --name <profitap resource group> --location <location>
Sample command:
az group create --name profitap-rg1 --location northeurope
Verify the Resource Group:
az group show --name profitap-rg1 -o table
Supervisor uses a Key Vault for Linux VMs, and storage accounts for Windows VMs.
Creating a Resource Group (RG) whose name begins with profitap (case-insensitive) is not mandatory, but strongly recommended. Using a dedicated RG allows Supervisor to keep its components (Key Vault and storage accounts) organized in one place. During tapping-agent deployment to VMs, Supervisor searches for an RG whose name starts with profitap and will create the Key Vault and storage accounts inside of that RG.
If a dedicated “profitap” RG is not present, Supervisor will create the Key Vault and storage accounts in the alphabetically first existing RG.
6. Assign roles to the Service Principal at the Resource Group, Subscription, or profitap-RG scope
Sample commands (the scope is profitap-RG):
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Key Vault Secrets Officer" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Key Vault Data Access Administrator" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1
az role assignment create --assignee c0303030-0303-0303-0303-030303030303 --role "Storage Blob Data Contributor" --scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1
Alternatively, the scope in the above role assignments could be the whole Subscription or a specific Resource Group, for example:
--scope /subscriptions/b0202020-0202-0202-0202-020202020202
--scope /subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/rg2
Verify that the application has the required roles. When both Windows and Linux VMs are targeted, four roles in total (Contributor plus the three above) must be assigned to the application.
az role assignment list --assignee c0303030-0303-0303-0303-030303030303 --all -o table
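As an added example (not part of this article or the Profitap tooling), a POSIX shell check that reads the TSV produced by `az role assignment list --assignee <app id> --all --query "[].[roleDefinitionName, scope]" -o tsv` and confirms the four roles above are present, and also lists which of them were granted at whole-Subscription scope. The sample assignments are constructed from the article's example IDs, not real output.

```shell
#!/bin/sh
# Added example: verify that the Application ID holds the four roles this
# article assigns. Real usage:
#   check_roles "$(az role assignment list --assignee <app id> --all \
#       --query "[].[roleDefinitionName, scope]" -o tsv)"

# Constructed sample of that TSV (article's example IDs, not real output).
SAMPLE_ASSIGNMENTS=$(printf '%s\t%s\n' \
  'Contributor' '/subscriptions/b0202020-0202-0202-0202-020202020202' \
  'Key Vault Secrets Officer' '/subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1' \
  'Key Vault Data Access Administrator' '/subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1' \
  'Storage Blob Data Contributor' '/subscriptions/b0202020-0202-0202-0202-020202020202/resourceGroups/profitap-rg1')

# check_roles <tsv>: print every required role that is absent from the first
# (roleDefinitionName) column; return 0 only when all four are present.
check_roles() {
  _tsv=$1
  _missing=0
  for role in 'Contributor' 'Storage Blob Data Contributor' \
              'Key Vault Secrets Officer' 'Key Vault Data Access Administrator'; do
    # exact match on the role name column, so "Contributor" does not
    # accidentally satisfy "Storage Blob Data Contributor" or vice versa
    if ! printf '%s\n' "$_tsv" | awk -F'\t' -v r="$role" '$1 == r { f = 1 } END { exit !f }'; then
      echo "MISSING role: $role"
      _missing=1
    fi
  done
  return $_missing
}

# subscription_scoped_roles <tsv>: names of roles whose scope has no
# /resourceGroups/ segment, i.e. granted on the whole Subscription. Handy for
# confirming that only the roles you intended to grant that widely are there.
subscription_scoped_roles() {
  printf '%s\n' "$1" | awk -F'\t' '$2 !~ /\/resourceGroups\//' | cut -f1
}

# Stand-alone run against the constructed sample.
if check_roles "$SAMPLE_ASSIGNMENTS"; then
  echo "All four roles present."
fi
echo "Subscription-wide roles: $(subscription_scoped_roles "$SAMPLE_ASSIGNMENTS")"
```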