Adding Microsoft Azure to Crossplane

This document is for an older version of Crossplane.

This document applies to Crossplane version v1.10 and not to the latest release v1.11.

In this guide, we will walk through the steps necessary to configure your Azure account to be ready for integration with Crossplane. The general steps we will take are summarized below:

  • Create a new service principal (account) that Crossplane will use to create and manage Azure resources
  • Add the required permissions to the account
  • Consent to the permissions using an administrator account

Preparing your Microsoft Azure Account

In order to manage resources in Azure, you must provide credentials for an Azure service principal that Crossplane can use to authenticate. This assumes that you have already set up the Azure CLI client with your credentials.

Create a JSON file that contains all the information needed to connect and authenticate to Azure:

# create service principal with Owner role
az ad sp create-for-rbac --sdk-auth --role Owner --scopes="/subscriptions/<azure subscription id>" > crossplane-azure-provider-key.json

Take note of the clientId value from the JSON file that we just created, and save it to an environment variable:

export AZURE_CLIENT_ID=<clientId value from json file>

Now add the required permissions to the service principal that will allow it to manage the necessary resources in Azure:

# add required Azure Active Directory permissions
az ad app permission add --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --api-permissions 1cda74f2-2616-4834-b122-5cb1b07f8a59=Role 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175=Role

# grant (activate) the permissions
az ad app permission grant --id ${AZURE_CLIENT_ID} --api 00000002-0000-0000-c000-000000000000 --expires never

You might see an error similar to the following; that is OK, the permissions should still have been applied:

Operation failed with status: 'Conflict'. Details: 409 Client Error: Conflict for url:

Finally, you need to grant admin consent on the Azure Active Directory to the service principal, because it will need to create other service principals for your AKSCluster:

# grant admin consent to the service principal you created
az ad app permission admin-consent --id "${AZURE_CLIENT_ID}"

Note: You might need the Global Administrator role to grant admin consent for the Default Directory. If you do not have it, contact the administrator of your Azure subscription. To check your role, go to Azure Active Directory -> Roles and administrators; you can find your role(s) by clicking on Your Role (Preview).

After these steps are completed, you should have the following file on your local filesystem:

  • crossplane-azure-provider-key.json

Setup Azure ProviderConfig

Before creating any resources, we need to create and configure an Azure cloud provider resource in Crossplane, which stores the cloud account information. All requests from Crossplane to Azure Cloud will use the credentials attached to this provider resource. The following command assumes that you have a crossplane-azure-provider-key.json file that belongs to the account you’d like Crossplane to use.

BASE64ENCODED_AZURE_ACCOUNT_CREDS=$(base64 crossplane-azure-provider-key.json | tr -d "\n")

Now we’ll create our Secret that contains the credential, and a ProviderConfig resource that refers to that Secret:

cat > provider.yaml <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-account-creds
  namespace: crossplane-system
type: Opaque
data:
  credentials: ${BASE64ENCODED_AZURE_ACCOUNT_CREDS}
---
# apiVersion of the Crossplane Azure provider's ProviderConfig
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azure-account-creds
      key: credentials
EOF

# apply it to the cluster:
kubectl apply -f "provider.yaml"

# delete the credentials variable
unset BASE64ENCODED_AZURE_ACCOUNT_CREDS

The output will look like the following:

secret/azure-account-creds created
providerconfig.azure.crossplane.io/default created

Crossplane resources use the ProviderConfig named default if no specific ProviderConfig is specified, so this ProviderConfig will be the default for all Azure resources.
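As an added example that is not part of the Crossplane documentation, the POSIX shell script below checks that the key file written by `az ad sp create-for-rbac --sdk-auth` actually contains the fields the provider needs, encodes it as a single base64 line (the same `base64 | tr -d "\n"` step as above), and renders the Secret and ProviderConfig manifest from it. The function names and the sample key file are constructed for illustration; it assumes GNU coreutils `base64` and `grep`.

```shell
#!/bin/sh
# Added example, not Crossplane's own code. Validates the --sdk-auth key
# file and renders the Secret + ProviderConfig manifest for provider-azure.

# Write a constructed sample key file (placeholder IDs, not real credentials).
write_sample_key() {
    cat > "$1" <<'EOF'
{
  "clientId": "00000000-0000-0000-0000-000000000001",
  "clientSecret": "constructed-secret",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "tenantId": "00000000-0000-0000-0000-000000000003"
}
EOF
}

# Return 0 only if every field the provider needs is present and non-empty.
# The --sdk-auth output is pretty-printed one key per line, so grep suffices.
check_sp_key() {
    for key in clientId clientSecret subscriptionId tenantId; do
        if ! grep -q "\"$key\": *\"[^\"][^\"]*\"" "$1"; then
            echo "missing or empty field in $1: $key" >&2
            return 1
        fi
    done
    return 0
}

# Base64-encode the whole file as one line, suitable for a Secret's data field.
encode_creds() {
    base64 < "$1" | tr -d '\n'
}

# Render the Secret and the default ProviderConfig that references it.
# The manifest still carries the credential (only base64-encoded), so treat
# the output file as sensitive, exactly like the JSON it was built from.
render_provider_yaml() {
    check_sp_key "$1" || return 1
    enc=$(encode_creds "$1") || return 1
    printf '%s\n' '---' 'apiVersion: v1' 'kind: Secret' 'metadata:' \
        '  name: azure-account-creds' '  namespace: crossplane-system' \
        'type: Opaque' 'data:' "  credentials: ${enc}" '---' \
        'apiVersion: azure.crossplane.io/v1beta1' 'kind: ProviderConfig' \
        'metadata:' '  name: default' 'spec:' '  credentials:' \
        '    source: Secret' '    secretRef:' \
        '      namespace: crossplane-system' '      name: azure-account-creds' \
        '      key: credentials'
}
```

Run `render_provider_yaml crossplane-azure-provider-key.json > provider.yaml` in place of the heredoc above; a key file missing any required field is rejected before anything is rendered.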