Permalink
Fetching contributors…
Cannot retrieve contributors at this time
112 lines (65 sloc) 4.76 KB
title author date output vignette
Authenticating AzureSMR to call the Azure API
Alan Weaver and Andrie de Vries
`r Sys.Date()`
rmarkdown::html_vignette
%\VignetteIndexEntry{AzureSMR authentication} %\VignetteEngine{knitr::rmarkdown} %\usepackage[utf8]{inputenc}

Configuration instructions

To use the AzureSMR package, you must create an Azure Active Directory application with permisssions. This vignette contains instructions to do this.

You must collect three pieces of information to authenticate with the createAzureContext() function:

  • tenant ID (tenantID)
  • application ID, previously known as client ID (clientID)
  • authentication key (authKey)

Create an Active Directory application.

  1. Login to the Azure Portal.

  2. On the left side of the screen, there should be a list of the different things you can create in Azure. Click on "Azure Active Directory".

  3. The AAD blade should appear. Under "Manage", click on "App registrations".

  4. Along the top menu, click "New application registration".

  5. In the Create blade, enter the details for your new application. The name should be unique, and the "application type must be Web app/API". It doesn't matter what sign-on URL you provide (it won't be used), but it must be a valid URL.

  6. Click on "Create". After a few seconds, a new blade will appear containing a list of all registered AAD applications.

  7. First, get your tenant ID from this screen. Click on "Endpoints" at the top of the blade. This will popup a new blade giving several URLs for accessing the client.

  8. Choose one of these (it doesn't matter which one) and click the button on the side to copy the URL to the clipboard.

  9. Paste the URL into Notepad or another text editor. It will contain a sequence of hex digits in the middle, which is your tenant ID.

  10. Return to the list of apps by closing the Endpoints blade. Find your app by entering the name you chose into the search box.

  11. When your app appears in the list, click on it. In the details, note the application ID.

  12. The Settings blade for your app should also be on the screen. Click on the "Keys" entry.

  13. You will need to create a new authentication key. Enter a name for it, choose a 1 year duration (or 2) and click "Save" at the top of the blade. When the key is generated, copy it and save it somewhere. You won't be able to see it again, so make sure you copy it now.

  14. Return to your app settings by closing the Keys blade. Click the "Required permissions" entry.

  15. In the permissions blade, click "Add". Click on "Select an API" and choose "Windows Azure Service Management API". Then click Select at the bottom of the blade.

  16. This should bring up the Enable Access blade. Check the tick box next to "Delegated permissions" and click Select at the bottom of the blade.

  17. Click Done at the bottom of the permissions blade.

Access control

You can apply access control at either the resource group level or the subscription level

To apply access control at Resource Group

  1. Click on Resource Groups menu item on the left in the portal.

  2. Identify the resource group you will associate with this application.

  3. Choose the Access Control (IAM) menu item from the Resource scope.

  4. In the resulting scope click the + Add button.

  5. Choose the role as Owner and under the user search box enter the name of the App, e.g. AzureSMR.

  6. Select the resulting list item for that App then click Select in that scope then OK in the Add access scope. The user will be added to the list.

Alternatively you can access control at Subscription Level

  1. Click on Subscriptions on the left menu item in the portal.

  2. Identify the Subscription you will associate with this application.

  3. Choose the Access Control (IAM) menu item.

  4. In the resulting scope click the + Add button.

  5. Choose the role as Owner and under the user search box enter the name of the App, e.g. AzureSMR.

  6. Select the resulting list item for that App then click Select in that scope then OK in the "Add access" scope. The user will be added to the list.

Conclusion

That is all. You can test this by trying:

sc <- createAzureContext(tenantID = "{TID}", clientID = "{CID}", authKey= "{KEY}")
rgs <- azureListRG(sc)
rgs

or using the "DeviceCode" flow if supported by that resource by trying:

sc <- createAzureContext(tenantID = "{TID}", clientID = "{CID}", authType= "DeviceCode")
# Manually authenicate using DeviceCode flow
rgs <- azureListRG(sc)
rgs

For more information see the tutorial Use portal to create Active Directory application and service principal that can access resources