The following procedure describes how to import an image version from a Shared Image Gallery in "Tenant 1" (the "Central Tenant" in the variables below) into a Shared Image Gallery deployed in the context of another "Tenant 2" (the "Shared Tenant"), using the Azure CLI.
It is based on the Microsoft guide Share gallery VM images across Azure tenants using PowerShell.
$ packer build ./image-demo.json
…
$ az image list
[
{
"name": "Ubuntu-MyEdition",
...
]
export LOCATION=westeurope
export CENTRAL_TENANT_ID=aaaaaaaa-0000-0000-0000-000000000000
export CENTRAL_SUB_ID=bbbbbbbb-0000-0000-0000-000000000000
export CENTRAL_RG_NAME=imagegalleries-d02
export CENTRAL_SIG_NAME=busigcentral2
export SHARED_TENANT_ID=cccccccc-0000-0000-0000-000000000000
export SHARED_SUB_ID=dddddddd-0000-0000-0000-000000000000
export SHARED_RG_NAME=imagegallery-d02
export SHARED_SIG_NAME=busigremoteforeign2
az group create \
--subscription $CENTRAL_SUB_ID \
--location $LOCATION \
--name $CENTRAL_RG_NAME
az sig create \
--subscription $CENTRAL_SUB_ID \
--resource-group $CENTRAL_RG_NAME \
--gallery-name $CENTRAL_SIG_NAME
az sig image-definition create \
--subscription $CENTRAL_SUB_ID \
--resource-group $CENTRAL_RG_NAME \
--gallery-name $CENTRAL_SIG_NAME \
--os-type "Linux" \
--publisher "bastianulke-Corp" \
--gallery-image-definition "Ubuntu-MyEdition" \
--offer "0001-com-ubuntu-server-focal" \
--sku "20_04-lts"
# look up the managed image built by Packer in the central subscription (not in whatever subscription is the CLI default)
MANAGED_IMAGE_ID=$(az image list --subscription $CENTRAL_SUB_ID --query "[?name=='Ubuntu-MyEdition'].id" -o tsv)
az sig image-version create \
--subscription $CENTRAL_SUB_ID \
--resource-group $CENTRAL_RG_NAME \
--gallery-name $CENTRAL_SIG_NAME \
--gallery-image-definition "Ubuntu-MyEdition" \
--gallery-image-version "0.0.1" \
--managed-image $MANAGED_IMAGE_ID
(The app registration uses https://www.microsoft.com as its redirect URI. If you want to replace it with another URI of your preference, make sure to also change the redirect_uri in the later step accordingly.)
export APP_ID=<Paste App Registration id here.>
Either add a client secret or create and upload a certificate for authentication. If you use a secret, be aware that the export below ends up in your shell history; reading it with read -rs APP_SECRET avoids that.
export APP_SECRET=<Paste App Registration secret value here.>
Change the values of the variables CERT_NAME and CERT_SUBJ to match your organization / service principal.
CERT_NAME=service-principal-cert
CERT_SUBJ="/C=7K/ST=The North/L=Winterfell/O=House Stark/CN=$CERT_NAME"
# 4096-bit RSA private key; this file stays on the build host and is never uploaded
openssl genpkey -out $CERT_NAME.key -algorithm RSA -pkeyopt rsa_keygen_bits:4096
# certificate signing request with the subject above
openssl req -new -key $CERT_NAME.key -out $CERT_NAME.csr -subj "$CERT_SUBJ"
# self-signed certificate, valid for one year (rotate it before it expires)
openssl x509 -req -days 365 -in $CERT_NAME.csr -signkey $CERT_NAME.key -out $CERT_NAME.crt
# az login expects private key and certificate in a single PEM file
cat $CERT_NAME.key > $CERT_NAME.pem
cat $CERT_NAME.crt >> $CERT_NAME.pem
Upload the created .crt file (the public certificate only, never the .key or the .pem) as certificate on the app registration:
# In Tenant 1: grant the app Reader on the central gallery, the source of the import
az role assignment create \
--role "Reader" \
--scope "/subscriptions/$CENTRAL_SUB_ID/resourceGroups/$CENTRAL_RG_NAME/providers/Microsoft.Compute/galleries/$CENTRAL_SIG_NAME" \
--assignee "$APP_ID"
(See the guide Share gallery VM images across Azure tenants using PowerShell for reference.)
(Remember to adapt the query parameter redirect_uri if you decided to replace https://www.microsoft.com with another URL of your preference above; it has to match the URI registered on the app exactly.)
echo "https://login.microsoftonline.com/$SHARED_TENANT_ID/oauth2/authorize?client_id=$APP_ID&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F"
Open the URL in a browser and sign in with an account of Tenant 2 ("Shared Tenant"). Consenting adds the app to Tenant 2, i.e. it creates the app's service principal (Enterprise Application) there; the account used must be allowed to consent to applications in Tenant 2, otherwise an administrator of that tenant has to do it.
Sign in to Tenant 2 in the Azure Portal, browse to Enterprise Applications (not App Registrations, which only exist in the app's home tenant, Tenant 1) and check that the application registered above is listed there with the same application id:
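The app registration, its service principal in Tenant 1, the certificate upload, the consent URL and the Tenant 2 check from the steps above, done from the Azure CLI instead of the portal. This is an added example and is not part of the original page or of the Microsoft guide it follows: the display name sig-cross-tenant-importer, the helper names (urlencode, consent_url, is_guid, register_app, verify_sp_in_tenant2) and the register/verify arguments are choices made here, and the az ad commands assume a recent Azure CLI (the Microsoft Graph based az ad commands that support --sign-in-audience). The cloud-side functions only run when az is installed and an argument is given; the helpers that build the consent URL (reproducing the %3A%2F%2F encoding the page's URL uses) and check id shapes run anywhere.

```shell
#!/bin/sh
# Added example, not from the original page: register the multi-tenant app in
# Tenant 1, add the certificate credential, print the consent URL for Tenant 2
# and verify the resulting Enterprise Application. Assumed: the page's
# variables (CERT_NAME, SHARED_TENANT_ID) are exported; APP_DISPLAY_NAME and
# REDIRECT_URI are names chosen here.
set -eu

APP_DISPLAY_NAME=${APP_DISPLAY_NAME:-sig-cross-tenant-importer}   # assumed name
REDIRECT_URI=${REDIRECT_URI:-https://www.microsoft.com/}          # the page's choice
CERT_NAME=${CERT_NAME:-service-principal-cert}
SHARED_TENANT_ID=${SHARED_TENANT_ID:-cccccccc-0000-0000-0000-000000000000}
APP_ID=${APP_ID:-}

# Percent-encode a string for use as an OAuth query parameter value:
# RFC 3986 unreserved characters are kept, everything else becomes %XX.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Consent URL in the shape the page uses (v1 authorize endpoint, response_type=code).
consent_url() {  # $1 tenant id, $2 application (client) id, $3 redirect URI
  printf 'https://login.microsoftonline.com/%s/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s\n' \
    "$1" "$2" "$(urlencode "$3")"
}

# GUID shape check (8-4-4-4-12 hex): catches copy/paste slips before an id
# ends up in a role assignment.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Run while logged in to Tenant 1 as a user who may register applications.
register_app() {
  # The multi-tenant audience is what lets a Tenant 2 account consent to the app.
  APP_ID=$(az ad app create --display-name "$APP_DISPLAY_NAME" \
      --sign-in-audience AzureADMultipleOrgs \
      --web-redirect-uris "$REDIRECT_URI" --query appId -o tsv)
  is_guid "$APP_ID" || { echo "unexpected app id: $APP_ID" >&2; exit 1; }
  # Service principal in the home tenant (needed for the Reader assignment there).
  az ad sp create --id "$APP_ID" >/dev/null
  # Public certificate only; the .key and .pem files never leave this machine.
  az ad app credential reset --id "$APP_ID" --cert "@$CERT_NAME.crt" --append >/dev/null
  export APP_ID
  echo "APP_ID=$APP_ID"
  echo "Open this URL in a browser and sign in with a Tenant 2 account:"
  consent_url "$SHARED_TENANT_ID" "$APP_ID" "$REDIRECT_URI"
}

# After consent: the Enterprise Application must exist in Tenant 2 with the
# same appId (the portal check the page asks for, done from the CLI).
verify_sp_in_tenant2() {
  [ -n "$APP_ID" ] || { echo "APP_ID is not set" >&2; return 1; }
  az login --tenant "$SHARED_TENANT_ID" --allow-no-subscriptions >/dev/null
  got=$(az ad sp show --id "$APP_ID" --query appId -o tsv)
  [ "$got" = "$APP_ID" ] || { echo "service principal missing or id mismatch in Tenant 2" >&2; return 1; }
  echo "service principal present in Tenant 2: $got"
}

if [ "${1:-}" = "register" ] && command -v az >/dev/null 2>&1; then register_app; fi
if [ "${1:-}" = "verify" ] && command -v az >/dev/null 2>&1; then verify_sp_in_tenant2; fi
```

Save it as, for example, app-setup.sh, run sh app-setup.sh register while logged in to Tenant 1, open the printed URL, then run sh app-setup.sh verify. AzureADMultipleOrgs is the setting that makes the Tenant 2 consent possible; with the default single-tenant audience the authorize endpoint rejects accounts from other tenants.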
az login
az group create \
--subscription $SHARED_SUB_ID \
--location $LOCATION \
--name $SHARED_RG_NAME
az sig create \
--subscription $SHARED_SUB_ID \
--resource-group $SHARED_RG_NAME \
--gallery-name $SHARED_SIG_NAME
az sig image-definition create \
--subscription $SHARED_SUB_ID \
--resource-group $SHARED_RG_NAME \
--gallery-name $SHARED_SIG_NAME \
--os-type "Linux" \
--publisher "bastianulke-Corp" \
--gallery-image-definition "Ubuntu-MyEdition" \
--offer "0001-com-ubuntu-server-focal" \
--sku "20_04-lts"
Grant the app registration Contributor rights on the Shared Image Gallery and Reader rights on the containing resource group in Tenant 2 (scoping the grant at the gallery rather than the subscription keeps the cross-tenant access as narrow as the import needs):
az role assignment create \
--role "Contributor" \
--scope "/subscriptions/$SHARED_SUB_ID/resourceGroups/$SHARED_RG_NAME/providers/Microsoft.Compute/galleries/$SHARED_SIG_NAME" \
--assignee $APP_ID
az role assignment create \
--role "Reader" \
--scope "/subscriptions/$SHARED_SUB_ID/resourceGroups/$SHARED_RG_NAME" \
--assignee $APP_ID
Depending on which authentication method you chose above, log in either with the secret or with the certificate and private key. Clear the token cache first, then sign in to both tenants: the second az login adds to the cache instead of replacing the first session, which is what lets the final command read the source version in Tenant 1 while writing to Tenant 2.
# Option 1: client secret
az account clear
az login --service-principal -u $APP_ID -p $APP_SECRET --tenant $CENTRAL_TENANT_ID
az login --service-principal -u $APP_ID -p $APP_SECRET --tenant $SHARED_TENANT_ID
# Option 2: certificate (the PEM file containing private key and certificate)
az account clear
az login --service-principal -u $APP_ID -p ./$CERT_NAME.pem --tenant $CENTRAL_TENANT_ID
az login --service-principal -u $APP_ID -p ./$CERT_NAME.pem --tenant $SHARED_TENANT_ID
az sig image-version create \
--subscription $SHARED_SUB_ID \
--resource-group $SHARED_RG_NAME \
--gallery-name $SHARED_SIG_NAME \
--gallery-image-definition "Ubuntu-MyEdition" \
--gallery-image-version "0.0.1" \
--managed-image "/subscriptions/$CENTRAL_SUB_ID/resourceGroups/$CENTRAL_RG_NAME/providers/Microsoft.Compute/galleries/$CENTRAL_SIG_NAME/images/Ubuntu-MyEdition/versions/0.0.1"
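The import itself, a wait for replication to finish and the clean-up of the cross-tenant grants, as an added example that is not from the original page or from the Microsoft guide. The resource-ID helpers (gallery_id, image_version_id), the replication_state_rc mapping, the names POLL_SECONDS and TIMEOUT_SECONDS and the decision to revoke both role assignments once the version has replicated are choices made here; the page's exported variables and the two service-principal logins from the previous step are assumed. The az calls only run when az is installed and the script is invoked with the argument run; the helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the original page: run the cross-tenant import,
# poll until replication in Tenant 2 is complete, then remove the role
# assignments the app no longer needs. Assumes the page's variables are
# exported and both service-principal logins are in the CLI token cache.
set -eu

IMAGE_DEF=${IMAGE_DEF:-Ubuntu-MyEdition}
IMAGE_VER=${IMAGE_VER:-0.0.1}
POLL_SECONDS=${POLL_SECONDS:-30}        # name chosen here
TIMEOUT_SECONDS=${TIMEOUT_SECONDS:-3600} # name chosen here

# Resource ID of a gallery; also the scope used for the role assignments.
gallery_id() {  # $1 subscription, $2 resource group, $3 gallery
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s' "$1" "$2" "$3"
}

# Resource ID of a gallery image version, the source of the import.
image_version_id() {  # $1 subscription, $2 resource group, $3 gallery, $4 definition, $5 version
  printf '%s/images/%s/versions/%s' "$(gallery_id "$1" "$2" "$3")" "$4" "$5"
}

# Map replicationStatus.aggregatedState to an exit code:
# 0 = done, 1 = still running (or not reported yet), 2 = failed.
replication_state_rc() {
  case "$1" in
    Completed) return 0 ;;
    InProgress|Unknown|"") return 1 ;;
    *) return 2 ;;
  esac
}

import_image_version() {
  src=$(image_version_id "$CENTRAL_SUB_ID" "$CENTRAL_RG_NAME" "$CENTRAL_SIG_NAME" "$IMAGE_DEF" "$IMAGE_VER")
  az sig image-version create --subscription "$SHARED_SUB_ID" \
    --resource-group "$SHARED_RG_NAME" --gallery-name "$SHARED_SIG_NAME" \
    --gallery-image-definition "$IMAGE_DEF" --gallery-image-version "$IMAGE_VER" \
    --managed-image "$src" >/dev/null
}

wait_for_replication() {
  waited=0
  while :; do
    state=$(az sig image-version show --subscription "$SHARED_SUB_ID" \
      --resource-group "$SHARED_RG_NAME" --gallery-name "$SHARED_SIG_NAME" \
      --gallery-image-definition "$IMAGE_DEF" --gallery-image-version "$IMAGE_VER" \
      --expand ReplicationStatus --query replicationStatus.aggregatedState -o tsv)
    replication_state_rc "$state" && { echo "replication completed"; return 0; }
    rc=$?
    [ "$rc" -eq 1 ] || { echo "replication failed: $state" >&2; return 1; }
    [ "$waited" -lt "$TIMEOUT_SECONDS" ] || { echo "timed out waiting for replication" >&2; return 1; }
    sleep "$POLL_SECONDS"; waited=$((waited + POLL_SECONDS))
  done
}

# After the version exists in Tenant 2 the app needs neither read access to
# the source gallery nor write access to the target one; revoke both grants.
# --subscription selects the right tenant's token from the cache for each call.
revoke_cross_tenant_grants() {
  az role assignment delete --subscription "$CENTRAL_SUB_ID" --assignee "$APP_ID" --role Reader \
    --scope "$(gallery_id "$CENTRAL_SUB_ID" "$CENTRAL_RG_NAME" "$CENTRAL_SIG_NAME")"
  az role assignment delete --subscription "$SHARED_SUB_ID" --assignee "$APP_ID" --role Contributor \
    --scope "$(gallery_id "$SHARED_SUB_ID" "$SHARED_RG_NAME" "$SHARED_SIG_NAME")"
}

if [ "${1:-}" = "run" ] && command -v az >/dev/null 2>&1; then
  import_image_version && wait_for_replication && revoke_cross_tenant_grants
fi
```

The revocation is the part the procedure above leaves open: once the version has replicated, the app otherwise keeps standing Reader access to the source gallery and Contributor access to a gallery in another tenant, which nothing further requires. If you import versions regularly, keep the grants but drop the certificate credential between runs instead.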