Add a Microsoft Azure Cloud Connector

Updated 1 week ago by Michael Cretzman

Currently, this feature is behind the feature flag NG_Azure. Contact Harness Support to enable the feature.

This topic explains how to connect Harness to the Microsoft Azure cloud. Using this Connector, you can pull Azure artifacts and deploy your applications to Azure using Harness.

Using Harness Cloud Cost Management (CCM)? See Set Up Cloud Cost Management for Azure.

Before You Begin

Limitations

  • Currently, the Microsoft Azure Cloud Connector is for ACR and AKS. Support for other services such as Web Apps, Virtual Machines for IIS and Traditional (SSH) deployments, ARM, and Blueprint are coming soon.

Visual Summary

The following example shows how to connect Harness to Azure using the Azure Cloud Connector and an Azure App registration.

Review: Permissions

This section assumes you're familiar with Azure RBAC. For details, see Assign Azure roles using the Azure portal from Azure.

This graphic from Azure can be helpful as a reminder of how Azure manages RBAC:

For security reasons, Harness uses an application object and service principal rather than a user identity. The process is described in How to: Use the portal to create an Azure AD application and service principal that can access resources from Azure.

Permissions List

We cover the roles needed for Azure services in later sections. In this section, we provide the permissions needed in case you want to use them with a custom role.

The following permissions (actions) are necessary for any user (Service Principal or Managed Identity):

  • Listing subscriptions:
  • Listing registries, repositories, and tags:
    • Microsoft.ContainerRegistry/registries/pull/read
    • Microsoft.ContainerRegistry/registries/read
    • Microsoft.ContainerRegistry/registries/builds/read
    • Microsoft.ContainerRegistry/registries/metadata/read
    • See Microsoft.ContainerRegistry.
  • For listing Kubernetes clusters:
  • For Kubernetes deployments:
    • Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
    • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
    • See Microsoft.ContainerService.

Here is the JSON for creating a custom role with these permissions (replace xxxx with the role name, subscription Id, and resource group Id):

    {
      "properties": {
        "roleName": "xxxx",
        "description": "",
        "assignableScopes": [
          "/subscriptions/xxxx/resourceGroups/xxxx"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.ContainerRegistry/registries/read",
              "Microsoft.ContainerRegistry/registries/builds/read",
              "Microsoft.ContainerRegistry/registries/metadata/read",
              "Microsoft.ContainerRegistry/registries/pull/read",
              "Microsoft.ContainerService/managedClusters/read",
              "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
              "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
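As an added check (example code written for this topic, not part of the Harness product or Azure tooling), the following Python script compares a custom role definition against the action list above before you create it: it honours Azure's '*' wildcards and notActions, reports any required action the role does not grant, and flags template values where xxxx was never replaced. The sample role definition is constructed for the demonstration.

```python
import fnmatch
import json
# Actions this topic lists for ACR listing and AKS deployments (from the custom-role JSON).
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/builds/read",
    "Microsoft.ContainerRegistry/registries/metadata/read",
    "Microsoft.ContainerRegistry/registries/pull/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
]

def _matches(action, patterns):
    # Azure RBAC action strings are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granted(action, permission):
    # A permissions entry grants an action only if actions covers it and notActions does not.
    return _matches(action, permission.get("actions", [])) and not _matches(
        action, permission.get("notActions", []))

def missing_actions(role, required=REQUIRED_ACTIONS):
    # Required actions that no permissions block of the role definition grants.
    perms = role["properties"]["permissions"]
    return [a for a in required if not any(granted(a, p) for p in perms)]

def unreplaced_placeholders(role):
    # Fields still carrying the template's 'xxxx' placeholder.
    props = role["properties"]
    hits = ["roleName"] if "xxxx" in props.get("roleName", "") else []
    return hits + [s for s in props.get("assignableScopes", []) if "xxxx" in s]

def check_role(role_json):
    # Parse a role definition and report what would make the Connector's listing or deployment fail.
    role = json.loads(role_json)
    return {"missing": missing_actions(role), "placeholders": unreplaced_placeholders(role)}

# Constructed sample: a wildcard grant, a notActions entry that removes pull/read,
# one AKS action absent, and an assignable scope with the placeholder left in.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "harness-acr-aks", "assignableScopes": ["/subscriptions/xxxx"],
    "permissions": [{"actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/*",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
        "notActions": ["Microsoft.ContainerRegistry/registries/pull/read"]}]}})
```

Run check_role on your own definition file's contents; an empty "missing" list and an empty "placeholders" list mean the role covers everything this topic requires.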

Azure Container Repository (ACR) Roles

The Reader role must be assigned. This is the minimum requirement.

You must provide the Reader role in the role assignment at the Subscription level used by the Application (Client) Id entered in the Connector. The application needs permission to list all container registries.

Some common mistakes:

  • If you put the Reader role in a different IAM section of Azure.
  • If you provide only the AcrPull role instead of Reader. It might appear that the AcrPull role gives access to a specific registry, but Harness needs to list all registries.

Harness supports 500 images from an ACR repo. If you don't see some of your images you might have exceeded this limit. This is the result of an Azure API limitation.

If you connect to an ACR repo via the platform agnostic Docker Connector, the limit is 100.

Azure Kubernetes Services (AKS) Roles

If you use Microsoft Azure Cloud Connector and Service Principal or Managed Identity credentials, the Owner role must be assigned.

Here are the options for connecting Harness to your target AKS cluster:

  • Install a Kubernetes Delegate in the target AKS cluster and use it for authentication in a Harness Kubernetes Cluster Connector. The Harness Kubernetes Cluster Connector is platform-agnostic.
    • You won't need to provide Microsoft Azure Service Principal or Managed Identity credentials.
  • Install a Kubernetes Delegate in the target AKS cluster and use it for authentication in a Harness Microsoft Azure Cloud Connector, as described in this topic.
    • You'll need to provide the Microsoft Azure Environment.
    • If you use a User Assigned Managed Identity, you will need to provide the Application (client) Id.
    • If you use a System Assigned Managed Identity, you do not need to provide any Ids.
  • Use a Microsoft Azure Cloud Connector and Service Principal or Managed Identity credentials, as described in this topic. In this option, the Owner role must be assigned.

Step 1: Add the Azure Cloud Connector

You can add the Azure Cloud Connector inline, when adding artifacts or setting up the target infrastructure for a deployment Pipeline stage, or you can add the Connector separately and use it whenever you need it.

To add the Connector separately, in your Account, Org, or Project Connectors, click New Connector.

Click Azure.

Enter a name for the Connector. Harness automatically creates the Id (Entity Identifier) for the Connector. You can edit the Id before the Connector is saved. Once it is saved, it is immutable.

Add a Description and Tags if needed.

Click Continue.

Option: Credentials or Inherit from Delegate

In Details, you can select how you'd like Harness to authenticate with Azure.

Delegate

If you have a Harness Delegate installed in your Azure subscription (preferably in your target AKS cluster) you can select Use the credentials of a specific Harness Delegate.

For steps on installing a Delegate, see Delegate Installation Overview.

In Environment, select Azure Global or US Government.

In Authentication, select System Assigned Managed Identity or User Assigned Managed Identity.

If you selected User Assigned Managed Identity, in Client Id, enter the Application (Client) Id from your App Registration.

This is the Client/Application Id for the Azure app registration you are using. It is found in the Azure Active Directory App registrations. For more information, see Quickstart: Register an app with the Azure Active Directory v1.0 endpoint from Microsoft.

Credentials

Using Azure credentials is covered in the following steps.

Step 2: Gather the Required Information

In Microsoft Azure, you can find the information you need on the App registration Overview page:

Step 3: Environment

In Environment, select Azure Global or US Government.

Step 4: Application (Client) Id

This is the Application (Client) Id for the Azure app registration you are using. It is found in the Azure Active Directory (AAD) App registrations. For more information, see Quickstart: Register an app with the Azure Active Directory v1.0 endpoint from Microsoft.

To access resources in your Azure subscription, you must assign the Azure App registration using this Application Id to a role in that subscription.

For more information, see Assign the application to a role and Use the portal to create an Azure AD application and service principal that can access resources from Microsoft.

Step 5: Tenant (Directory) Id

The Tenant Id is the ID of the Azure Active Directory (AAD) in which you created your application. This Id is also called the Directory ID. For more information, see Get tenant ID and Use the portal to create an Azure AD application and service principal that can access resources from Azure.

Step 6: Secret or Certificate

In Authentication, select Secret or Certificate.

This is the authentication key for your application. This is found in Azure Active Directory, App Registrations. Click the App name. Click Certificates & secrets, and then click New client secret.

You cannot view existing secret values, but you can create a new key. For more information, see Create a new application secret from Azure.

If you select Secret, create or use an existing Harness Text Secret.

If you select Certificate, create or use an existing Harness File Secret.

Step 7: Delegates Setup

Select the Delegate(s) to use with this Connector.

Click Save and Continue.

In Connection Test, the connection is verified.

If you run into errors, make sure that your Delegate is running and that your credentials are valid. For example, check that the secret has not expired in your App registration.
