Creating cloud service provider credentials
A few resources need to be created on the cloud service provider level to support the creation of the Anjuna Confidential Pod, such as:
- Network interfaces
- Virtual machine disks
- Storage containers
- The Anjuna Confidential Pod itself (using a confidential VM based on AMD SEV-SNP hardware)
To manage these resources, the Anjuna Cloud Adaptor needs to authenticate itself to your cloud service provider, such as Azure, which is done through a set of credentials that is part of the Anjuna Cloud Adaptor configuration.
The credentials are also referred to as a "Service Principal". The next section illustrates how to configure the credentials.
Service Principal for the Anjuna Cloud Adaptor
The Anjuna Cloud Adaptor manages confidential virtual machines and other Azure resources (such as networks) so that applications are deployed as Anjuna Confidential Pods running on AMD SEV-SNP.
To do so, the Anjuna Cloud Adaptor must have "Contributor" permissions within your Azure subscription or resource group. The Anjuna Cloud Adaptor must also have at least "Reader" permission for the Shared Image Galleries that host the Anjuna Confidential Pod images that will be deployed to the cluster.
To create a Service Principal in Azure, you must be at least a Cloud Application Administrator in Microsoft Entra ID (formerly known as Azure Active Directory). This is a privileged role, and many organizations have strict policies around who can be assigned to this role. If you do not have permission, ask your organization's IT administrator to create the Service Principal described below.
Once the Service Principal is created, you can retrieve its credentials and export the environment variables.
Select a tab below depending on whether you want to create a new set of credentials, which requires elevated privileges, or use existing credentials (e.g., that were provided to you by your IT organization):
- Create a new Service Principal
- Use an existing Service Principal
The following command creates credentials using a new App Registration in Microsoft Entra ID (formerly known as Azure Active Directory). The "Contributor" role is scoped to the subscription. The client secret is only returned at creation time, so the output is captured in the SP_OUTPUT variable for the next step.
$ export AZURE_SUBSCRIPTION_ID="$(az account show -o tsv --query id)"
$ export SERVICE_PRINCIPAL_NAME="anjuna-kubernetes-cloud-adaptor-${RANDOM}"
$ export SP_OUTPUT=$(az ad sp create-for-rbac \
-n ${SERVICE_PRINCIPAL_NAME} \
--role Contributor \
--scopes "/subscriptions/${AZURE_SUBSCRIPTION_ID}" \
--query "{ AZURE_CLIENT_ID: appId, AZURE_CLIENT_SECRET: password, AZURE_TENANT_ID: tenant }")
Then run the following commands to configure your environment before proceeding:
$ export AZURE_CLIENT_ID="$(echo ${SP_OUTPUT} | jq -r .AZURE_CLIENT_ID)"
$ export AZURE_CLIENT_SECRET="$(echo ${SP_OUTPUT} | jq -r .AZURE_CLIENT_SECRET)"
$ export AZURE_TENANT_ID="$(echo ${SP_OUTPUT} | jq -r .AZURE_TENANT_ID)"
If you want to use the credentials for an existing Service Principal, then export the client ID, the client secret, and the tenant ID of your Service Principal as follows:
$ export AZURE_CLIENT_ID="<client-id>"
$ export AZURE_CLIENT_SECRET="<client-secret>"
$ export AZURE_TENANT_ID="<tenant-id>"
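The following script is an added example, not part of the Anjuna documentation or tooling, that wraps both tabs above into reusable functions: it builds the Contributor scope (optionally narrowed to a single resource group, which the page does not show but which is the least-privilege choice when all pod resources live in one group), creates the Service Principal, grants the Reader permission on the Shared Image Gallery that the page requires, and validates the three exported variables before the Anjuna Cloud Adaptor consumes them. It assumes the Azure CLI (`az`) and `jq` are installed, that you are logged in with an account allowed to create App Registrations, and that the `ANJUNA_RESOURCE_GROUP`, `ANJUNA_GALLERY_ID` and `RUN_ANJUNA_SP_SETUP` variable names and the gallery resource ID placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not Anjuna's own tooling): create or validate the Service
# Principal credentials that the Anjuna Cloud Adaptor reads from the environment.
# Assumptions: `az` and `jq` are installed, you are logged in with an account
# that may create App Registrations, and ANJUNA_RESOURCE_GROUP / ANJUNA_GALLERY_ID
# are placeholders you set for your own subscription.

# Build the scope for the Contributor role. The page scopes it to the whole
# subscription; passing a resource group name narrows it to that group.
build_scope() {
  # $1 = subscription ID, $2 = optional resource group name
  if [ -n "${2:-}" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"
  else
    printf '/subscriptions/%s\n' "$1"
  fi
}

# Client IDs and tenant IDs are GUIDs; anything else usually means a copy-paste
# error or an unset variable that would otherwise only surface later as an
# authentication failure inside the Cloud Adaptor.
is_guid() {
  printf '%s' "${1:-}" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Verify the three variables both tabs end with are present and well-formed.
check_credentials_env() {
  ok=0
  is_guid "${AZURE_CLIENT_ID:-}" || { echo "AZURE_CLIENT_ID is not a GUID" >&2; ok=1; }
  is_guid "${AZURE_TENANT_ID:-}" || { echo "AZURE_TENANT_ID is not a GUID" >&2; ok=1; }
  [ -n "${AZURE_CLIENT_SECRET:-}" ] || { echo "AZURE_CLIENT_SECRET is empty" >&2; ok=1; }
  return "$ok"
}

# Create a new Service Principal with Contributor on the given scope and export
# the credentials exactly as the page does. Requires `az` and `jq`.
create_service_principal() {
  # $1 = display name, $2 = scope returned by build_scope
  sp_output=$(az ad sp create-for-rbac -n "$1" --role Contributor --scopes "$2" \
    --query "{ AZURE_CLIENT_ID: appId, AZURE_CLIENT_SECRET: password, AZURE_TENANT_ID: tenant }")
  AZURE_CLIENT_ID=$(printf '%s' "$sp_output" | jq -r .AZURE_CLIENT_ID)
  AZURE_CLIENT_SECRET=$(printf '%s' "$sp_output" | jq -r .AZURE_CLIENT_SECRET)
  AZURE_TENANT_ID=$(printf '%s' "$sp_output" | jq -r .AZURE_TENANT_ID)
  export AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID
}

# Grant the Reader permission the page requires on the Shared Image Gallery that
# holds the Anjuna Confidential Pod images.
grant_gallery_reader() {
  # $1 = client ID (appId), $2 = full resource ID of the gallery
  az role assignment create --assignee "$1" --role Reader --scope "$2" >/dev/null
}

# Sign in as the new Service Principal and list the roles it holds, so a missing
# or over-broad assignment is visible before any pod is deployed. Note that this
# replaces the current `az` session with the Service Principal's session.
verify_service_principal() {
  az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" \
    --tenant "$AZURE_TENANT_ID" >/dev/null
  az role assignment list --assignee "$AZURE_CLIENT_ID" --all -o table
}

main() {
  subscription_id=$(az account show -o tsv --query id)
  scope=$(build_scope "$subscription_id" "${ANJUNA_RESOURCE_GROUP:-}")
  create_service_principal "anjuna-kubernetes-cloud-adaptor-$(date +%s)" "$scope"
  check_credentials_env
  # Placeholder gallery ID; replace <rg> and <gallery> with your own values.
  grant_gallery_reader "$AZURE_CLIENT_ID" \
    "${ANJUNA_GALLERY_ID:-/subscriptions/$subscription_id/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>}"
  verify_service_principal
}

# Only talk to Azure when explicitly requested, so the functions above can be
# sourced and checked without network access.
if [ "${RUN_ANJUNA_SP_SETUP:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_ANJUNA_SP_SETUP=1 sh create-sp.sh` after logging in with `az login`; set `ANJUNA_RESOURCE_GROUP` to keep Contributor off the rest of the subscription, and `ANJUNA_GALLERY_ID` to the gallery's resource ID (shown by `az sig show`). The `check_credentials_env` function is also useful on its own in the "existing Service Principal" case, to confirm the three variables were pasted correctly before editing the Cloud Adaptor configuration.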