From 812a2dfb951738c58739884ecf97b15ab3e89648 Mon Sep 17 00:00:00 2001 From: Paul Meyer Date: Fri, 11 Jan 2019 21:49:10 +0000 Subject: [PATCH] Update documentation --- .../source/docs/builders/azure-setup.html.md | 40 +++++-------------- website/source/docs/builders/azure.html.md | 28 ++++++++++--- 2 files changed, 32 insertions(+), 36 deletions(-) diff --git a/website/source/docs/builders/azure-setup.html.md b/website/source/docs/builders/azure-setup.html.md index de107a78c..99173fe5e 100644 --- a/website/source/docs/builders/azure-setup.html.md +++ b/website/source/docs/builders/azure-setup.html.md 
@@ -204,37 +204,12 @@ Make sure that `GROUPNAME` and `LOCATION` are the same as above. Also, ensure that `GROUPNAME` is less than 24 characters long and contains only lowercase letters and numbers. -### Create an Application - -An application represents a way to authorize access to the Azure API. Note that -you will need to specify a URL for your application (this is intended to be -used for OAuth callbacks) but these do not actually need to be valid URLs. - -First pick APPNAME, APPURL and PASSWORD: - -``` shell -APPNAME=packer.test -APPURL=packer.test -PASSWORD=xxx -``` - -Password is your `client_secret` and can be anything you like. I recommend -using `openssl rand -base64 24`. - -``` shell -$ az ad app create \ - --display-name $APPNAME \ - --identifier-uris $APPURL \ - --homepage $APPURL \ - --password $PASSWORD -``` - ### Create a Service Principal -You cannot directly grant permissions to an application. Instead, you create a -service principal and assign permissions to the service principal. To create a -service principal for use with Packer, run the below command specifying the -subscription. This will grant Packer the contributor role to the subscription. +A service principal acts on behalf of an application (Packer) on your Azure +subscription. To create an application and service principal for use with +Packer, run the below command specifying the subscription. This will grant +Packer the contributor role to the subscription. The output of this command is your service principal credentials, save these in a safe place as you will need these to configure Packer. 
@@ -263,8 +238,13 @@ pre-configured roles via: $ az role definition list --output json | jq ".[] | {name:.roleName, description:.description}" ``` +If you would rather use a certificate to autenticate your service principal, +please follow the [Azure Active Directory documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad). + ### Configuring Packer Now (finally) everything has been setup in Azure and our service principal has been created. You can use the output from creating your service principal in -your template. +your template. Use the value from the `appId` field above as a value for +`client_id` in your configuration and set `client_secret` to the `password` +value from above. diff --git a/website/source/docs/builders/azure.html.md b/website/source/docs/builders/azure.html.md index 3ed470369..8caf44848 100644 --- a/website/source/docs/builders/azure.html.md +++ b/website/source/docs/builders/azure.html.md 
@@ -35,12 +35,15 @@ addition to the options listed here, a [communicator](/docs/templates/communicator.html) can be configured for this builder. -### Required ( unless instance has [managed identities](/docs/builders/azure-setup.html#managed-identities-for-azure-resources) enabled): - -- `client_id` (string) The Active Directory service principal associated with - your builder. - -- `client_secret` (string) The password or secret for your service principal. +### Required options for authentication: +If you're running packer on an Azure VM with a [managed identity](/docs/builders/azure-setup.html#managed-identities-for-azure-resources) +you don't need to specify any additional configuration options. +If you would like to use interactive user authentication, you should specify +`subscription_id` only. Packer will use cached credentials or redirect you +to a website to log in. +If you want to use a [service principal](/docs/builders/azure-setup.html#create-a-service-principal) +you should specify `subscription_id`, `client_id` and one of `client_secret`, +`client_cert_path` or `client_jwt`. - `subscription_id` (string) Subscription under which the build will be performed. **The service principal specified in `client_id` must have full 
@@ -48,6 +51,19 @@ builder. specified in which case it needs to have owner access to the existing resource group specified in build\_resource\_group\_name parameter.** +- `client_id` (string) The Active Directory service principal associated with + your builder. + +- `client_secret` (string) The password or secret for your service principal. + +- `client_cert_path` (string) The location of a PEM file containing a + certificate and private key for service principal. + +- `client_jwt` (string) The bearer JWT assertion signed using a certificate + associated with your service principal principal. See [Azure Active + Directory docs](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials) + for more information. + ### Required: - `image_publisher` (string) PublisherName for your base image. See
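Review bot: in the rewritten "Create a Service Principal" paragraph of azure-setup.html.md (`@@ -204,37 +204,12 @@`), the sentence "This will grant Packer the contributor role to the subscription" now stands with no guidance on narrowing that scope, and the deleted "Create an Application" section took with it the only mention of how the secret should be generated. Suggest adding one sentence after it along the lines of "If Packer only needs to build in one resource group, scope the role assignment to that group rather than the whole subscription", and rephrasing "run the below command" as "run the command below".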
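Review bot: typo in the added line of the second azure-setup.html.md hunk (`@@ -263,8 +238,13 @@`): "autenticate" should be "authenticate". The new "Configuring Packer" sentence maps `appId` to `client_id` and `password` to `client_secret`, but a reader who followed the new certificate link just above is left without the matching instruction; suggest adding "If you registered a certificate instead, set `client_cert_path` or `client_jwt` in place of `client_secret`", since those options are what the azure.html.md half of this patch introduces.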
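Review bot: in the "Required options for authentication:" block of azure.html.md (`@@ -35,12 +35,15 @@`), the heading runs straight into the paragraph with no blank line, and "packer" is lowercase where the rest of the page writes "Packer". The three authentication modes are also run together in one paragraph; a short list (managed identity, interactive login, service principal) stating which options each mode needs would read more clearly. Please also resolve the contradiction with the bullet that follows: the text says a managed identity needs no additional options, yet `subscription_id` is the first bullet under a heading labelled "Required".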
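Review bot: duplicated word in the `client_jwt` bullet of the last azure.html.md hunk (`@@ -48,6 +51,19 @@`): "service principal principal". The `client_cert_path` bullet should read "for the service principal", and since the hunk states the PEM file contains the private key, it is worth saying there that the file must be protected like `client_secret`. Finally, "signed using a certificate" is imprecise: the assertion is signed with the private key whose certificate is registered with the service principal, which is what the linked Azure AD page describes.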