MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Changed to Azure CLI commands. #113453

Closed Appelcloud closed 1 year ago

Appelcloud commented 1 year ago

Below are the commands and text that in my opinion need to be changed. Almost all attributes have the $ placed in the wrong place.

  1. Create a new Azure AD application and get its appId value. This value is used in later steps as serverApplicationId.

    $CLUSTER_NAME="<name-of-arc-connected-cluster>"
    $TENANT_ID="<tenant>"
    $SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
    $SERVER_APP_ID=(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
    echo $SERVER_APP_ID
  2. Update the application's group membership claims. Run the commands in the same directory as the oauth2-permissions.json file. RBAC for Azure Arc-enabled Kubernetes requires signInAudience to be set to AzureADMyOrg:

    az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
    az ad app update --id ${SERVER_APP_ID} --set  api=@oauth2-permissions.json
    az ad app update --id ${SERVER_APP_ID} --set  signInAudience=AzureADMyOrg
    $SERVER_OBJECT_ID=(az ad app show --id "${SERVER_APP_ID}" --query "id" -o tsv)
    az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/${SERVER_OBJECT_ID}/ --body '{"api":{"requestedAccessTokenVersion": 1}}'
  3. Create a service principal and get its password field value. This value is required later as serverApplicationSecret when you're enabling this feature on the cluster. This secret is valid for one year by default and will need to be rotated after that. To set a custom expiration duration, use az ad sp credential reset:

    az ad sp create --id "${SERVER_APP_ID}"
    $SERVER_APP_SECRET=(az ad sp credential reset --id "${SERVER_APP_ID}"  --query password -o tsv) 
  4. Create a new Azure AD application and get its appId value. This value is used in later steps as clientApplicationId.

    $CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" 
    $CLIENT_APP_ID=(az ad app create --display-name "${CLUSTER_NAME}Client" --is-fallback-public-client --public-client-redirect-uris "api://${TENANT_ID}/${CLIENT_UNIQUE_SUFFIX}" --query appId -o tsv)
    echo $CLIENT_APP_ID 
  5. Grant the required permissions for the client application. RBAC for Azure Arc-enabled Kubernetes requires signInAudience to be set to AzureADMyOrg:

        az ad app permission add --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}" --api-permissions <oAuthPermissionId>=Scope
        $RESOURCE_APP_ID=(az ad app show --id "${CLIENT_APP_ID}"  --query "requiredResourceAccess[0].resourceAppId" -o tsv)
        az ad app permission grant --id "${CLIENT_APP_ID}" --api "${RESOURCE_APP_ID}" --scope User.Read
        az ad app update --id ${CLIENT_APP_ID} --set  signInAudience=AzureADMyOrg
        $CLIENT_OBJECT_ID=(az ad app show --id "${CLIENT_APP_ID}" --query "id" -o tsv)
        az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/${CLIENT_OBJECT_ID}/ --body '{"api":{"requestedAccessTokenVersion": 1}}'
  6. Create a new Azure AD application and get its appId value. This value is used in later steps as serverApplicationId.

    $CLUSTER_NAME="<name-of-arc-connected-cluster>"
    $TENANT_ID="<tenant>"
    $SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
    $SERVER_APP_ID=(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
    echo $SERVER_APP_ID
  7. Create a service principal and get its password field value. This value is required later as serverApplicationSecret when you're enabling this feature on the cluster. This secret is valid for one year by default and will need to be rotated after that. To set a custom expiration duration, use az ad sp credential reset:

        az ad sp create --id "${SERVER_APP_ID}"
        $SERVER_APP_SECRET=(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)
  8. Create a new Azure AD application and get its appId value. This value is used in later steps as clientApplicationId.

    $CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" 
    $CLIENT_APP_ID=(az ad app create --display-name "${CLUSTER_NAME}Client" --native-app --reply-urls "api://${TENANT_ID}/${CLIENT_UNIQUE_SUFFIX}" --query appId -o tsv)
    echo $CLIENT_APP_ID
  9. Run the following command to create the new custom role:

    $ROLE_ID=(az role definition create --role-definition ./accessCheck.json --query id -o tsv)
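Since the point of this issue is that the commands are being run from PowerShell on the Azure Stack HCI hosts, here is an added PowerShell example (not from the issue or the Azure docs) that wraps steps 1 to 3 above for the server application with exit-code checks, so a failed `az` call cannot silently leave an empty variable that the next step then uses, and that keeps the secret out of the console. The function name `New-ArcServerApp`, its parameters and the `Invoke-Az` helper are this example's own; the `oauth2-permissions.json` update and the Graph PATCH from step 2 are left as in the post.

```powershell
# Assumes the Azure CLI is installed and `az login` has already been run.
function New-ArcServerApp {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $UniqueSuffix
    )

    # PowerShell does not throw when a native command exits non-zero, so every
    # az call is checked through $LASTEXITCODE before its output is trusted.
    function Invoke-Az {
        param([string[]] $AzArgs)
        $out = & az @AzArgs
        if ($LASTEXITCODE -ne 0) { throw "az $($AzArgs -join ' ') failed" }
        return ($out -join "`n").Trim()
    }

    # Step 1: create the server application and capture its appId.
    $serverAppId = Invoke-Az @('ad', 'app', 'create',
        '--display-name', "${ClusterName}Server",
        '--identifier-uris', "api://${TenantId}/${UniqueSuffix}",
        '--query', 'appId', '-o', 'tsv')
    if ([string]::IsNullOrWhiteSpace($serverAppId)) { throw 'appId came back empty' }

    # Step 2 (partial): group membership claims and the required signInAudience.
    Invoke-Az @('ad', 'app', 'update', '--id', $serverAppId, '--set', 'groupMembershipClaims=All') | Out-Null
    Invoke-Az @('ad', 'app', 'update', '--id', $serverAppId, '--set', 'signInAudience=AzureADMyOrg') | Out-Null

    # Step 3: service principal plus a password that is held only as a SecureString,
    # never echoed, since it becomes serverApplicationSecret on the cluster.
    Invoke-Az @('ad', 'sp', 'create', '--id', $serverAppId) | Out-Null
    $plain = Invoke-Az @('ad', 'sp', 'credential', 'reset', '--id', $serverAppId,
        '--query', 'password', '-o', 'tsv')
    $secureSecret = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Remove-Variable plain

    [pscustomobject]@{
        serverApplicationId     = $serverAppId
        serverApplicationSecret = $secureSecret
    }
}

# Usage with the same placeholders as the post; only the appId is displayed.
$server = New-ArcServerApp -ClusterName '<name-of-arc-connected-cluster>' `
    -TenantId '<tenant>' -UniqueSuffix '<identifier_suffix>'
$server.serverApplicationId
```

When the secret is later needed in plain text for enabling the feature, convert it at that point only, and remember that the credential still expires after one year by default as the post notes.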


SwathiDhanwada-MSFT commented 1 year ago

@aaKomplex-IT Thanks for your feedback.

Assigning to content author @JnHs for review.

msftjonw commented 1 year ago

Hi @aaKomplex-IT , Are you saying that "$" should be removed when setting the variables? If that is the case, I agree. For example, it should be 'CLUSTER_NAME=""' instead of '$CLUSTER_NAME=""'.

Let us know if this is not what you meant.

Appelcloud commented 1 year ago

Hi

No I mean there should be a $ to set the variable. Right now there is no $ in the documentation :-)


msftjonw commented 1 year ago

Oh, I did not check the doc. If it is already without "$", it is what we intended to have.

The strange thing for me is that with the "$" in front, the command would not work for me in Azure Cloud Shell. Could you let me know which environment you are testing in?


Appelcloud commented 1 year ago

I'm testing in an Azure Stack HCI environment and not directly from Azure :-) and I am executing it from the hosts, which might be the reason why I'm not able to get it to work. I can only get it to work with $

msftjonw commented 1 year ago

That is interesting to know. Just so you know, it is the same for me when testing on a UNIX system such as macOS. I guess Azure Stack HCI is running on Windows OS and it could be more like PowerShell. As far as I know, PowerShell variable setup is like `$test="Jonathan"` instead of `test=Jonathan`.

Appelcloud commented 1 year ago

Yes, correct. Azure Stack OS is roughly the same as a Windows Server Core edition (just roughly).

When I followed the documentation I rewrote the commands to PowerShell. Just to let you know, I have only attempted to execute THIS documentation and not the other Azure Arc AKS RBAC hybrid documentation pages.

I will of course try to attempt it when the rest of my Setup is ready.

msftjonw commented 1 year ago

Sounds good! Keep us posted!

Appelcloud commented 1 year ago

Hi Jon

Just an update on this post. I have successfully been able to enable Azure AD RBAC with the PowerShell commands I posted. This has been done in conjunction with Jacek P from the High Availability Team.

It would be nice to have a PowerShell option available in the documentation as well as the Azure CLI, of course :-)

msftjonw commented 1 year ago

Thanks @aaKomplex-IT. We will take this feedback as an opportunity to improve, for sure.

JnHs commented 1 year ago

Thank you so much, @aaKomplex-IT. I've created a work item and will coordinate with @msftjonw to incorporate PowerShell commands into this topic. Since we are tracking this update internally, I'll close this GitHub issue now. Please continue to let us know if you have questions or suggestions for the docs!

please-close