Domů Procházet Nápověda
Přihlásit se
akillibulut
/
cloudbridge
zrcadlo https://github.com/CloudVE/cloudbridge
2
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 16ca3c3a41
Větve Značky
cloudbridge
/
docs
/
topics
/
procuring_credentials.rst

procuring_credentials.rst 6.6 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. 

  2. Procuring access credentials
    3. 

  3. ----------------------------
    4. 

  4. To initialize a connection to a cloud and get a provider object, you will
    5. 

  5. need to provide the cloud's access credentials to CloudBridge. This page
    6. 

  6. will walk you through the process of procuring credentials. For more
    7. 

  7. information on providing these credentials to CloudBridge, see
    8. 

  8. `Providing Access Credentials <setup.html>`.
    9. 

  9. 

  10. **Microsoft Azure**
    11. 

  11. 

  12. For Microsoft Azure, the link below shows how to create service principle
    13. 

  13. credentials:
    14. 

  14. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
    15. 

  15. 

  16. After having a Microsoft Azure account, in order to have API access,
    17. 

  17. application credentials are needed. The following section will walk you
    18. 

  18. through the process of creating and/or locating all required credentials.
    19. 

  19. 

  20. Azure credentials require a `Subscription ID` which can be procured through
    21. 

  21. `Subscriptions` in the Azure portal.
    22. 

  22. 

  23. .. figure:: captures/az-sub-1.png
    24. 

  24.    :alt: Azure Subscriptions 1
    25. 

  25. 

  26.    Subscriptions can be accessed by searching, or by choosing `Subscriptions`
    27. 

  27.    in the `All Services` window
    28. 

  28. 

  29. .. figure:: captures/az-sub-2.png
    30. 

  30.    :alt: Azure Subscriptions 2
    31. 

  31. 

  32.    The `Subscription ID` will be found in the list of subscriptions
    33. 

  33. 

  34. 

  35. Another piece of credentials that already exists on any Azure account is a
    36. 

  36. `Tenant ID` which will correspond to the `Active Directory ID`, which can be
    37. 

  37. procured through the Azure Active Directory's `Properties`.
    38. 

  38. 

  39. .. figure:: captures/az-dir-1.png
    40. 

  40.    :alt: Azure Directory 1
    41. 

  41. 

  42.    The `Azure Active Directory` can be access by searching, or by choosing
    43. 

  43.    `Azure Active Directory` in the `All Services` window. `Azure Active
    44. 

  44.    Directory` is also a default favorite on the sidebar
    45. 

  45. 

  46. .. figure:: captures/az-dir-2.png
    47. 

  47.    :alt: Azure Directory 2
    48. 

  48. 

  49.    The `Directory ID` will be found in the Directory's `Properties` section
    50. 

  50. 

  51. 

  52. In order to access the API, an application needs to be registered and a key
    53. 

  53. needs to be created. After creating an application through the
    54. 

  54. `App Registrations` window under the `Active Directory`, the `Application
    55. 

  55. ID` of the app will correspond to the `Client ID` in CloudBridge, and the
    56. 

  56. generated value of its key, will correspond to the `Secret`.
    57. 

  57. 

  58. 

  59. .. figure:: captures/az-app-1.png
    60. 

  60.    :alt: Azure App 1
    61. 

  61. 

  62.    `App Registrations` can be access by searching, or through choosing `App
    63. 

  63.    Registrations` under `Azure Active Directory`
    64. 

  64. 

  65. .. figure:: captures/az-app-2.png
    66. 

  66.    :alt: Azure App 2
    67. 

  67. 

  68.    The `New Application Registration` button will allow users to create a
    69. 

  69.    new application
    70. 

  70. 

  71. .. figure:: captures/az-app-3.png
    72. 

  72.    :alt: Azure App 3
    73. 

  73. 

  74.    The `Name` has to be unique within the subscription and will be used to
    75. 

  75.    identify the `Application` later on. The `Sign-on URL` can be any
    76. 

  76.    URL-looking string. It does not have to point towards anything.
    77. 

  77. 

  78. .. figure:: captures/az-app-4.png
    79. 

  79.    :alt: Azure App 4
    80. 

  80. 

  81.    After creating the application, one must select it, after which the
    82. 

  82.    `Application ID` will map to the `Client ID` in CloudBridge
    83. 

  83. 

  84. .. figure:: captures/az-app-5.png
    85. 

  85.    :alt: Azure App 5
    86. 

  86. 

  87.    In the application's `Settings` panel, under the `Keys` section, one will
    88. 

  88.    be able to create a new `Secret`
    89. 

  89. 

  90. .. figure:: captures/az-app-6.png
    91. 

  91.    :alt: Azure App 6
    92. 

  92. 

  93.    Any name can be given to the key, and any expiration date, after which
    94. 

  94.    the `Save` button will generate the `Key` which will correspond to the
    95. 

  95.    `Secret` in CloudBridge
    96. 

  96. 

  97. .. figure:: captures/az-app-7.png
    98. 

  98.    :alt: Azure App 7
    99. 

  99. 

  100.    The value of the key will correspond to the `Secret` in CloudBridge and
    101. 

  101.    needs to be saved at creation-time
    102. 

  102. 

  103. 

  104. Finally, in order to have appropriate permissions, you must assign an
    105. 

  105. appropriate role to the newly created application. Permissions can be
    106. 

  106. assigned at the level of the Subscription, or at the level of each Resource
    107. 

  107. Group. `Contributor` access is recommended for general use in order to have
    108. 

  108. sufficient permissions to create and manage all types of resources, but
    109. 

  109. specific roles can also be assigned for more limited access.
    110. 

  110. 

  111. 

  112. .. figure:: captures/az-role-1.png
    113. 

  113.    :alt: Azure Roles 1
    114. 

  114. 

  115.    Subscription-level access will allow the application to access resources
    116. 

  116.    from multiple resource groups
    117. 

  117. 

  118. .. figure:: captures/az-role-2.png
    119. 

  119.    :alt: Azure Roles 2
    120. 

  120. 

  121.    When roles are set at the level of the Resource Group, one must specify
    122. 

  122.    this Resource Group as part of the credentials, as the application will
    123. 

  123.    not have enough permissions to create a Resource Group
    124. 

  124. 

  125. .. figure:: captures/az-role-3.png
    126. 

  126.    :alt: Azure Roles 3
    127. 

  127. 

  128.    Adding a role assignment to the application will give it appropriate
    129. 

  129.    permissions to manage resources
    130. 

  130. 

  131. 

  132. **Google**
    133. 

  133. 

  134. For Google Compute Engine, create a service account following instructions
    135. 

  135. from the link below:
    136. 

  136. https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account
    137. 

  137. 

  138. Once created, grant the account appropriate permissions for your use through
    139. 

  139. roles, and create a key, choosing JSON format, when prompted. These
    140. 

  140. credentials can then be used with CloudBridge through the variables shown
    141. 

  141. in the sections below.
    142. 

  142. 

  143. The JSON credentials file will have a similar form to the example shown
    144. 

  144. below, and can either be passed through an absolute path to the file, or
    145. 

  145. through a variable containing the JSON dictionary itself.
    146. 

  146. 

  147. 

  148. .. code-block:: json
    149. 

  149. 

  150.     {
    151. 

  151.       "type": "service_account",
    152. 

  152.       "project_id": "my-project",
    153. 

  153.       "private_key_id": "b12321312441245gerg245245g42c245g254t425",
    154. 

  154.       "private_key": "-----BEGIN PRIVATE KEY-----\nMIICWgIBAAKBgE1EJDPKM/2wck/CZYCS7F2cXoHXDBhXYtdeV+h70Nk+ABs6scAV\nApYoobJAVpDeL+lutYAwtbscNz5K915DiNEkBf48LhfBWc5ea07OnClOGC9zASja\nif6ujIdhbITaNat9rdG939gQWqyaDW4wzYfvurhfmxICNgZA1YpWco1HAgMBAAEC\ngYAc+vLtLelEPNsTSWGS0Qiwr8bOwl75/kTHbM5iF5ak9NlLXT9wQTEgKwtC9VjC\nq2OjFXAkLaDsFlAuICYaCBCXn1nUqNoYhaSEQNwGnWIz376letXg/mX+BALSPMFR\nhE6mbdmaL4OV1X8j8uf2VcrLfVFCCZfhPu/TM5D6bVFYoQJBAJRHNKYU/csAB/NE\nzScJBv7PltOAoYpxbyFZb1rWcV9mAn34382b0YBXbp3Giqvifs/teudUbRpAzzLm\n5gr8tzECQQCFZh4tNIzeZZYUqkQxrxgqnnONey1hX7K+BlGyC6n2o26sE+I7cLij\n2kbuWoSFMAIdM2Hextv9k+ZrwUas4V33AkAfi9Korvib0sLeP7oB3wrM9W9aShiU\nMrP4/WUSh2MRb8uB74v123vD+VYAXTgtf3+JTzYBt1WK61TpuHQizEdRAkBjt8hL\nBoNfJBUicXz0nuyzvyql0jREG+NjhRnAvFNbGSR74Yk14bdEVMC9IFD7tr190pEQ\nlRqR3eNbHWmVhgpVAkBgveeM73R1tFXS6UosBtfDI1zut44Ce0RoADOIxjXqgjOi\nXSrevYvoKCl09yhLNAnKD+QvT/YbshW/jibYXwdj\n-----END PRIVATE KEY-----",
    155. 

  155.       "client_email": "service-name@my-project.iam.gserviceaccount.com",
    156. 

  156.       "client_id": "13451345134513451345",
    157. 

  157.       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    158. 

  158.       "token_uri": "https://oauth2.googleapis.com/token",
    159. 

  159.       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    160. 

  160.       "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-name%40my-project.iam.gserviceaccount.com"
    161. 

  161.     }
    162.