cloudbridge/docs/topics/procuring_credentials.rst

Procuring access credentials
----------------------------
To initialize a connection to a cloud and get a provider object, you will
need to provide the cloud's access credentials to CloudBridge. This page
will walk you through the process of procuring credentials. For more
information on providing these credentials to CloudBridge, see
`Providing Access Credentials <setup.html>`_.

**Microsoft Azure**

The page linked below from the Microsoft Documentation was used to create this
section, and can be followed instead of this CloudBridge-specific documentation
to procure Azure credentials for other purposes.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

In order to follow the isntructions below, one needs a Microsoft Azure
account and Subscription, as well as portal access.
The following section will walk you through the process of creating an
application, which is required for API access, as well as help you locate
all required Azure credentials for CloudBridge.

Azure credentials require a `Subscription ID` which can be procured through
`Subscriptions` in the Azure portal.

.. figure:: captures/az-sub-1.png
   :alt: Azure Subscriptions 1

   Subscriptions can be accessed by searching, or by choosing `Subscriptions`
   in the `All Services` window

.. figure:: captures/az-sub-2.png
   :alt: Azure Subscriptions 2

   The `Subscription ID` will be found in the list of subscriptions


Another piece of credentials that already exists on any Azure account is a
`Tenant ID` which will correspond to the `Active Directory ID`, which can be
procured through the Azure Active Directory's `Properties`.

.. figure:: captures/az-dir-1.png
   :alt: Azure Directory 1

   The `Azure Active Directory` can be access by searching, or by choosing
   `Azure Active Directory` in the `All Services` window. `Azure Active
   Directory` is also a default favorite on the sidebar

.. figure:: captures/az-dir-2.png
   :alt: Azure Directory 2

   The `Directory ID` will be found in the Directory's `Properties` section


In order to access the API, an application needs to be registered and a key
needs to be created. After creating an application through the
`App Registrations` window under the `Active Directory`, the `Application
ID` of the app will correspond to the `Client ID` in CloudBridge, and the
generated value of its key, will correspond to the `Secret`.


.. figure:: captures/az-app-1.png
   :alt: Azure App 1

   `App Registrations` can be access by searching, or through choosing `App
   Registrations` under `Azure Active Directory`

.. figure:: captures/az-app-2.png
   :alt: Azure App 2

   The `New Application Registration` button will allow users to create a
   new application

.. figure:: captures/az-app-3.png
   :alt: Azure App 3

   The `Name` has to be unique within the subscription and will be used to
   identify the `Application` later on. The `Sign-on URL` can be any
   URL-looking string. It does not have to point towards anything.

.. figure:: captures/az-app-4.png
   :alt: Azure App 4

   After creating the application, one must select it, after which the
   `Application ID` will map to the `Client ID` in CloudBridge

.. figure:: captures/az-app-5.png
   :alt: Azure App 5

   In the application's `Settings` panel, under the `Keys` section, one will
   be able to create a new `Secret`

.. figure:: captures/az-app-6.png
   :alt: Azure App 6

   Any name can be given to the key, and any expiration date, after which
   the `Save` button will generate the `Key` which will correspond to the
   `Secret` in CloudBridge

.. figure:: captures/az-app-7.png
   :alt: Azure App 7

   The value of the key will correspond to the `Secret` in CloudBridge and
   needs to be saved at creation-time


Finally, in order to have appropriate permissions, you must assign an
appropriate role to the newly created application. Permissions can be
assigned at the level of the Subscription, or at the level of each Resource
Group. `Contributor` access is recommended for general use in order to have
sufficient permissions to create and manage all types of resources, but
specific roles can also be assigned for more limited access.


.. figure:: captures/az-role-1.png
   :alt: Azure Roles 1

   Subscription-level access will allow the application to access resources
   from multiple resource groups

.. figure:: captures/az-role-2.png
   :alt: Azure Roles 2

   When roles are set at the level of the Resource Group, one must specify
   this Resource Group as part of the credentials, as the application will
   not have enough permissions to create a Resource Group

.. figure:: captures/az-role-3.png
   :alt: Azure Roles 3

   Adding a role assignment to the application will give it appropriate
   permissions to manage resources


**Google**

For Google Compute Engine, create a service account following instructions
from the link below:
https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account

Once created, grant the account appropriate permissions for your use through
roles, and create a key, choosing JSON format, when prompted. These
credentials can then be used with CloudBridge through the variables shown
in the sections below.

The JSON credentials file will have a similar form to the example shown
below, and can either be passed through an absolute path to the file, or
through a variable containing the JSON dictionary itself.


.. code-block:: json

    {
      "type": "service_account",
      "project_id": "my-project",
      "private_key_id": "b12321312441245gerg245245g42c245g254t425",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIICWgIBAAKBgE1EJDPKM/2wck/CZYCS7F2cXoHXDBhXYtdeV+h70Nk+ABs6scAV\nApYoobJAVpDeL+lutYAwtbscNz5K915DiNEkBf48LhfBWc5ea07OnClOGC9zASja\nif6ujIdhbITaNat9rdG939gQWqyaDW4wzYfvurhfmxICNgZA1YpWco1HAgMBAAEC\ngYAc+vLtLelEPNsTSWGS0Qiwr8bOwl75/kTHbM5iF5ak9NlLXT9wQTEgKwtC9VjC\nq2OjFXAkLaDsFlAuICYaCBCXn1nUqNoYhaSEQNwGnWIz376letXg/mX+BALSPMFR\nhE6mbdmaL4OV1X8j8uf2VcrLfVFCCZfhPu/TM5D6bVFYoQJBAJRHNKYU/csAB/NE\nzScJBv7PltOAoYpxbyFZb1rWcV9mAn34382b0YBXbp3Giqvifs/teudUbRpAzzLm\n5gr8tzECQQCFZh4tNIzeZZYUqkQxrxgqnnONey1hX7K+BlGyC6n2o26sE+I7cLij\n2kbuWoSFMAIdM2Hextv9k+ZrwUas4V33AkAfi9Korvib0sLeP7oB3wrM9W9aShiU\nMrP4/WUSh2MRb8uB74v123vD+VYAXTgtf3+JTzYBt1WK61TpuHQizEdRAkBjt8hL\nBoNfJBUicXz0nuyzvyql0jREG+NjhRnAvFNbGSR74Yk14bdEVMC9IFD7tr190pEQ\nlRqR3eNbHWmVhgpVAkBgveeM73R1tFXS6UosBtfDI1zut44Ce0RoADOIxjXqgjOi\nXSrevYvoKCl09yhLNAnKD+QvT/YbshW/jibYXwdj\n-----END PRIVATE KEY-----",
      "client_email": "service-name@my-project.iam.gserviceaccount.com",
      "client_id": "13451345134513451345",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-name%40my-project.iam.gserviceaccount.com"
    }