How to set up azure credentials? #616

Open
spinus opened this issue Mar 5, 2017 · 9 comments

@spinus
Member

spinus commented Mar 5, 2017

I'm having trouble providing credentials.
Currently I just took the network from the examples and I'm having a problem launching it.

My username is my email (not a Microsoft email or anything like that), and the password is set by an env variable.
Authority URL: https://management.azure.com/, but I also tried https://login.windows.net/TENANT_ID (where tenant is properly set, this was mentioned in docs)
and subscription is set in config as well.

With https://management.azure.com/ I have an error:

def-group.........................> Failed getting access to Azure resource group 'nixops-0686a4eb-01ed-11e7-a282-0242bf42bf99-def-group'
error: Auth failure: Could not determine tenant.

but with https://login.windows.net/TENANT_ID

def-group.........................> Failed getting access to Azure resource group 'nixops-0686a4eb-01ed-11e7-a282-0242bf42bf99-def-group'
error: Auth failure: Error:Error:Error:Server returned error in RSTR - ErrorCode: InvalidRequest : FaultMessage: Invalid Request token_response:None token_response:None token_response:None

My user is an admin, and the only user (I'm using a free subscription to test Azure).

If anybody has any experience with setting this up, I could update the documentation to make it more straightforward.

@colemickens
Member

The Authority URL is going to be https://login.microsoftonline.com/common or https://login.microsoftonline.com/{TENANT_ID}, but I don't think you really need to actually be setting it. I'm pretty sure I just set tenant id, user/pass.

You will likely also need to use a Tenant-specific email address instead of raw username/password. (@Phreedom, do you remember?) I'd recommend you create a Service Principal and give it appropriate permissions rather than using your own personal account credentials as well.

@spinus
Member Author

spinus commented Mar 5, 2017

@colemickens thank you.
Do you know how to get a tenant-specific user email? (either web or azure cli)

I was thinking about setting up a service principal, but if I understand that correctly it's bound to an app, and an app requires a URL which is used for authentication in the app, is that right? (My idea was to create a nixops app which would be just an API client, without providing any service.) What is the way to do it?

@colemickens
Member

You'd have to go into your AAD Tenant and add a user account for yourself. You can probably just use MSA credentials. I think that's what @Phreedom was doing.

Yes, you can make an AAD "Application" to get a Service Principal. The application AppID is the ClientID and the SP password is the ClientSecret that you'd use to login. I had one "App/SP" that I used for my NixOps operations, yes. That's a good model.

You still have to provision the AAD app (and I think possibly that has to be done in the legacy portal still) and make it a "Web application" but you don't actually need to create an OAuth web app in order to just use the App/SP credentials for something like nixops. Yes, it's confusing and annoying, unfortunately.
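
Added example, not part of the thread and not NixOps code: the App/SP mapping described above (AppID as client ID, SP password as client secret) written out as an OAuth client-credentials token request against the tenant-specific authority, built but not sent. The environment variable names and the GUID-only tenant check are assumptions of this example.

```python
import os
import re
import urllib.parse
import urllib.request

# Resource the token is requested for (Azure Resource Manager).
# It is the "resource" field of the request, not the authority URL.
ARM_RESOURCE = "https://management.azure.com/"
AUTHORITY_HOST = "https://login.microsoftonline.com"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for a service principal."""
    # This example accepts only the GUID form of the tenant, so "common"
    # or a URL pasted into the tenant field is rejected before any request.
    if not GUID.match(tenant_id):
        raise ValueError("tenant_id must be the directory (tenant) GUID")
    if not GUID.match(client_id):
        raise ValueError("client_id must be the application (App) ID GUID")
    if not client_secret:
        raise ValueError("client_secret (the SP password) is empty")
    url = f"{AUTHORITY_HOST}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # AAD application AppID
        "client_secret": client_secret,  # service principal password
        "resource": ARM_RESOURCE,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def redacted(req):
    """Return the request's form fields with the secret masked, safe to log."""
    fields = dict(urllib.parse.parse_qsl(req.data.decode()))
    fields["client_secret"] = "***"
    return fields


if __name__ == "__main__":
    # Variable names are assumptions of this example; reading them from the
    # environment keeps the secret out of the deployment file.
    req = build_token_request(os.environ["AZURE_TENANT_ID"],
                              os.environ["AZURE_CLIENT_ID"],
                              os.environ["AZURE_CLIENT_SECRET"])
    print(req.full_url, redacted(req))
    # urllib.request.urlopen(req) would return JSON containing access_token.
```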

@spinus
Member Author

spinus commented Mar 6, 2017

@colemickens, thank you, I'll try.

@domenkozar
Member

What's the status of this?

@spinus
Member Author

spinus commented Apr 12, 2017

Swamped with other stuff and had no time to properly test it, but I plan to do that before the end of the month (but no promises :)

spinus added a commit to spinus/nixops that referenced this issue Apr 26, 2017
@Mic92
Member

Mic92 commented Jun 1, 2017

@spinus did you manage to do it? I get:

nixops deploy
def-group....................> Failed getting access to Azure resource group 'nixops-901ae4d9-4125-11e7-b684-00155d678105-def-group'
error: Auth failure: Error:Error:Server returned an unknown AccountType: unknown token_response:None token_response:None

Error messages are SNAFU as usual ... next time I will use a different provider again.

@spinus
Member Author

spinus commented Jun 1, 2017

Nope, I had no time to fight with it.

domenkozar added a commit that referenced this issue Dec 9, 2017
#616 Document azure account setup
@hyphon81
Contributor

Eventually, didn't it succeed in accessing with username and password?
