eclipse-hono / hono

Eclipse Hono™ Project
https://eclipse.dev/hono
Eclipse Public License 2.0

honoServicePrincipal in azure #1780

Closed soheilade closed 4 years ago

soheilade commented 4 years ago

Dear All, I am following the instructions here to set up a service principal for my Hono instance in Azure. After running the command object_id_principal=az ad sp show --id $app_id_principal --query objectId --output tsv``

I get this error

az: error: unrecognized arguments: honoServicePrincipal http://honoServicePrincipal 89f90a0b-2111-4df3-bebe-3d919 4e240c11-fab3-44d8-812f-f2bfb6b5
usage: az [-h] [--verbose] [--debug]
          [--output {json,jsonc,table,tsv,yaml,yamlc,none}] [--query JMESPATH]
          {ad} ...

any thought how to resolve it? P.S. I faked the number, just in case.

Following the guides in [1] and [2], it is also not clear where exactly the Azure container registry is created. Could you please elaborate on that?

Best regards Soheila

sophokles73 commented 4 years ago

Not sure if you posted your command correctly, but the command in the guide is

object_id_principal=`az ad sp show --id $app_id_principal --query objectId --output tsv`

and not

object_id_principal=az ad sp show --id $app_id_principal --query objectId --output tsv``

soheilade commented 4 years ago

Thanks Kai for the comment. It is a typo caused by GitHub notation for code, but this is not what causes the error; there is a problem with the service principal... Considering these 3 commands:

service_principal=`az ad sp create-for-rbac --name http://honoServicePrincipal --skip-assignment --output tsv`
app_id_principal=`echo $service_principal|cut -f1`
password_principal=`echo $service_principal|cut -f4`

According to [1] there is no output switch for the command az ad sp create-for-rbac in here:

service_principal=`az ad sp create-for-rbac --name http://honoServicePrincipal --skip-assignment --output tsv`

Moreover, when I echo these variables service_principal, app_id_principal, password_principal, they all have the same value regardless of the cut command.

sophokles73 commented 4 years ago

Here's the output of

$ az ad sp create-for-rbac --help

Command
    az ad sp create-for-rbac : Create a service principal and configure its access to Azure
    resources.

Arguments
    --name -n         : A URI to use as the logic name. It doesn't need to exist. If not present,
                        CLI will generate one.
    --role            : Role of the service principal.  Default: Contributor.
    --scopes          : Space-separated list of scopes the service principal's role assignment
                        applies to. Defaults to the root of the current subscription.
    --sdk-auth        : Output result in compatible with Azure SDK auth file.  Allowed values:
                        false, true.
    --skip-assignment : Skip creating the default assignment, which allows the service principal to
                        access resources under the current subscription.  Allowed values: false,
                        true.

Credential Arguments
    --cert            : Certificate to use for credentials.
        When used with `--keyvault,` indicates the name of the cert to use or create. Otherwise,
        supply a PEM or DER formatted public certificate string. Use `@{path}` to load from a file.
        Do not include private key info.
    --create-cert     : Create a self-signed certificate to use for the credential.
        Use with `--keyvault` to create the certificate in Key Vault. Otherwise, a certificate will
        be created locally.
    --keyvault        : Name or ID of a KeyVault to use for creating or retrieving certificates.
    --years           : Number of years for which the credentials will be valid. Default: 1 year.

Global Arguments
    --debug           : Increase logging verbosity to show all debug logs.
    --help -h         : Show this help message and exit.
    --output -o       : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml, yamlc.
                        Default: json.
    --query           : JMESPath query string. See http://jmespath.org/ for more information and
                        examples.
    --verbose         : Increase logging verbosity. Use --debug for full debug logs.

And here's the version of my az client:

$ az version
This command is in preview. It may be changed/removed in a future release.
{
  "azure-cli": "2.1.0",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.1.0",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {}
}

Do you have the same version installed?

soheilade commented 4 years ago

Yup, I think the problem is with the cut command, and it does not execute because those 3 variables (service_principal, app_id_principal, password_principal) all have the same value.

sophokles73 commented 4 years ago

What is the value of echo $service_principal?

soheilade commented 4 years ago

all of them have this value > I changed the numbers 16e09af9-4xxx-4e24-bxxx-e35dfxxxxx5b honoServicePrincipal http://honoServicePrincipal ecxxxx901-134e-425x-axx05-5dexxxx3c62 4edhgsrjc11-fab3-44d8-812f-f2bjydxitu68oif6b5

and the error is

az: error: unrecognized arguments: honoServicePrincipal http://honoServicePrincipal 48xfxjhfjb6-ggba-431b-814a-ca14xfjhc6b7c 4exfgh0c11-fab3-44d8-812f-f2bfzdhgzb5
usage: az [-h] [--verbose] [--debug]
          [--output {json,jsonc,table,tsv,yaml,yamlc,none}] [--query JMESPATH]
          {ad} ...

sophokles73 commented 4 years ago

can you try to use ... | cut -f 1 -d ' ', i.e. appending -d ' ' (there is a whitespace between the quotes), when assigning the other variables?

soheilade commented 4 years ago

Yup, it worked, thanks. Now, running this command

acr_id_access_registry=`az acr show --resource-group $acr_resourcegroupname --name $acr_registry_name --query "id" --output tsv`

results in an error indicating that the ACR is not created:

The Resource 'Microsoft.ContainerRegistry/registries/honoacrReg' under resource group 'honoTest' was not found

I think a command is missing before this command to create an ACR with the specified RG, right? E.g.,

az acr create --resource-group myResourceGroup --name myContainerRegistry --sku Basic

sophokles73 commented 4 years ago

looks like it. You should be able to create the container registry as described here. Seems like the corresponding command line has been omitted from our setup guide ...

sophokles73 commented 4 years ago

@soheilade can you try if this works for you:

# Resource group where the ACR is deployed.
acr_resourcegroupname={YOUR_ACR_RG}
# Name of your ACR.
acr_registry_name={YOUR_ACR_NAME}
# Full name of the ACR.
acr_login_server=$acr_registry_name.azurecr.io

# Create service principal
service_principal=`az ad sp create-for-rbac --name http://honoServicePrincipal --skip-assignment --output tsv`
app_id_principal=`echo $service_principal | cut -f1 -d ' '`
password_principal=`echo $service_principal | cut -f4 -d ' '`
object_id_principal=`az ad sp show --id $app_id_principal --query objectId --output tsv`

Note: it might take a few seconds until the principal is available for the next steps.

# Create container registry
az acr create --resource-group $acr_resourcegroupname --name $acr_registry_name --sku Basic
# and allow cluster to read from registry
acr_id_access_registry=`az acr show --resource-group $acr_resourcegroupname --name $acr_registry_name --query "id" --output tsv`
az role assignment create --assignee $app_id_principal --scope $acr_id_access_registry --role Reader
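
Why the first `cut -f1` / `cut -f4` attempt returned the whole line and why `-d ' '` changed that, shown as an added example that is not part of the thread or of the Hono guide. The sample lines are constructed (fake values, including a variant whose second field contains a space), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: every value below is constructed, not a real credential.
TAB=$(printf '\t')

# One line shaped like the value echoed in the thread: five tab-separated
# fields, field 1 = app id, field 4 = password (as the guide's cut calls assume).
sample_sp="1111-app-id${TAB}honoServicePrincipal${TAB}http://honoServicePrincipal${TAB}fake-secret${TAB}2222-tenant"
# Constructed variant whose second field contains a space.
sample_sp_space="1111-app-id${TAB}hono principal${TAB}http://honoServicePrincipal${TAB}fake-secret${TAB}2222-tenant"

# As first posted: unquoted expansion, cut's default TAB delimiter.
# Word splitting turns the tabs into single spaces before cut sees them,
# and cut prints a line that contains no delimiter unchanged.
field_unquoted() { echo $1 | cut -f"$2"; }

# Workaround from the thread: still unquoted, but split on single spaces.
field_space() { echo $1 | cut -f"$2" -d ' '; }

# Quoted expansion keeps the tabs, so cut's default delimiter works.
field_quoted() { printf '%s\n' "$1" | cut -f"$2"; }

# Read both values in one pass; sets the variables app_id and password.
parse_sp() {
    IFS="$TAB" read -r app_id f2 f3 password f5 <<EOF
$1
EOF
}

demo() {
    echo "unquoted, -f4:        $(field_unquoted "$sample_sp" 4)"
    echo "unquoted, -f4 -d ' ': $(field_space "$sample_sp" 4)"
    echo "space in field 2:     $(field_space "$sample_sp_space" 4)"
    echo "quoted, -f4:          $(field_quoted "$sample_sp_space" 4)"
    parse_sp "$sample_sp_space"
    echo "read: app_id=$app_id password=$password"
}
demo
```

The space-delimited form picks the right field only as long as no field itself contains a space; the quoted forms split on the tabs that `--output tsv` emits.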

soheilade commented 4 years ago

Thanks Kai, it worked out, however, when I ran the deployment command below

az group deployment create --name HonoBasicInfrastructure --resource-group $resourcegroup_name --template-file arm/honoInfrastructureDeployment.json --parameters uniqueSolutionPrefix=$unique_solution_prefix servicePrincipalObjectId=$object_id_principal servicePrincipalClientId=$app_id_principal servicePrincipalClientSecret=$password_principal

I get this error

Deployment failed. Correlation ID: 5ac40d23-6e88-494d-849e-9147d230dc4f. {
  "error": {
    "code": "DeploymentNotFound",
    "message": "Deployment 'honoServiceBusDeployment' could not be found."
  }
}

Any comment on this? (What is the difference between az group deployment create and kubectl apply btw, are they the same concepts?)

sophokles73 commented 4 years ago

These deployment ARM files have been contributed by Microsoft. I am far from an expert on the subject matter and do not know what the error means. @kaizimmerm can you help us out here?

soheilade commented 4 years ago

is there any config file for setting up basic hono infrastructure like the one in minikube? (to just play around with hono instances)

sophokles73 commented 4 years ago

The az group deployment create command is for setting up the Kubernetes cluster on Azure. Deployment of Hono itself then is done using Hono's helm chart ...

soheilade commented 4 years ago

Thanks Kai, I tried to build various branches of the git repo but all of them fail. Can you please specify which branch I should check out for this command to succeed?

mvn install -Pbuild-docker-image -Ddocker.registry=$acr_login_server

sophokles73 commented 4 years ago

Not sure what you are trying to do. Is this still about setting up the AKS cluster on Azure? Or is this about deploying to an existing AKS cluster via an Azure Container Registry?

soheilade commented 4 years ago

I am trying to build the Hono image from here and use helm to deploy Hono from the container registry. The problem with my Azure cloud shell is the JVM version. It's 8 while Hono needs 11. However, as I mentioned here, the deployment (i.e., HonoBasicInfrastructure) I created from here failed.

sophokles73 commented 4 years ago

If you are not able to set up the infrastructure on Azure (kubernetes cluster and container registry), then what are you trying to deploy to?

soheilade commented 4 years ago

Well, I just wanted to see if I can build Hono :D (I managed to build Hono on my personal PC though, now I need to push it to my Azure ACR).

However, I have an ACR running, but the infrastructure command below fails:

az group deployment create --name HonoBasicInfrastructure --resource-group $resourcegroup_name --template-file arm/honoInfrastructureDeployment.json --parameters uniqueSolutionPrefix=$unique_solution_prefix servicePrincipalObjectId=$object_id_principal servicePrincipalClientId=$app_id_principal servicePrincipalClientSecret=$password_principal

This command is to create a k8s cluster using arm/honoInfrastructureDeployment.json. Is there an alternative example infrastructure that I can use? Can I build a simple k8s cluster with

az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys

and use this one instead?

sophokles73 commented 4 years ago

As I said, I am no expert in Azure AKS. But why don't you simply give it a shot and try?

fkaltner commented 4 years ago

Hi @soheilade!

Which Hono AMQP 1.0 Messaging Network do you intend to use? A self hosted Artemis or Azure's Service Bus?

See:

add the following parameter in case you want to opt for the Azure Service Bus as broker in the Hono AMQP 1.0 Messaging Network instead of deploying a (self-hosted) ActiveMQ Artemis into AKS: serviceBus=true

(source: https://www.eclipse.org/hono/docs/deployment/create-kubernetes-cluster/#setup)

soheilade commented 4 years ago

Hi @fkaltner, thanks for the comment. I also set service parameter to true and I got this error.

image

Can it be that I am not using the right branch?

fkaltner commented 4 years ago

According to the template the parameter mentioned in the error message should be set to the value of uniqueSolutionPrefix:

"dnsPrefix": { "value": "[parameters('uniqueSolutionPrefix')]" },

Are you sure that the environment variable unique_solution_prefix is set on your machine?

fkaltner commented 4 years ago

I also think that you may not be using the "az" CLI correctly. As far as I understand from the docs (https://docs.microsoft.com/en-us/cli/azure/group/deployment?view=azure-cli-latest#az-group-deployment-create) you need a --parameters option for each parameter.

So it needs to be like --parameters uniqueSolutionPrefix=<your-prefix> --parameters serviceBus=true etc.

soheilade commented 4 years ago

Thanks Florian, I modified the command. It seems I have some problem with my quota limit but still there are some other label errors. Any thought on this?

image

sophokles73 commented 4 years ago

@soheilade the RE seems to indicate that you can only use lower case letters for the domain name which is derived from your uniqueSolutionPrefix (soheilaHono).

soheilade commented 4 years ago

thanks Kai, ok, it works now.

soheilade commented 4 years ago

helm init creates an error as follows

image

sophokles73 commented 4 years ago

which version of helm are you using?

sophokles73 commented 4 years ago

@soheilade there is no need to initialize tiller if you are using Helm >= 3 (which is recommended). I have tried to fix the problems discovered during this discussion. Would you mind giving it another shot based on the AKS setup guide using branch master?

soheilade commented 4 years ago

> @soheilade there is no need to initialize tiller if you are using Helm >= 3 (which is recommended). I have tried to fix the problems discovered during this discussion. Would you mind giving it another shot based on the AKS setup guide using branch master?

Apparently --parameters must be before every parameter we pass to this command:

az group deployment create --name HonoBasicInfrastructure --resource-group $resourcegroup_name --template-file arm/honoInfrastructureDeployment.json --parameters uniqueSolutionPrefix=$unique_solution_prefix --parameters servicePrincipalObjectId=$object_id_principal --parameters servicePrincipalClientId=$app_id_principal --parameters servicePrincipalClientSecret=$password_principal

the rest are 👍

sophokles73 commented 4 years ago

@soheilade thanks for checking 👍 Are you sure about the --parameters flag being required for each parameter? The examples I have seen in Microsoft's online docs seem to suggest that you can specify multiple parameter assignments after a single --parameters (which would also be consistent with the plural form being used).

soheilade commented 4 years ago

I tried without parameters, it works as well :)

sophokles73 commented 4 years ago

@soheilade can this be closed?