List of supported clouds > Microsoft Azure
This document describes details specific to using your existing Microsoft Azure cloud with Juju.
See more: Microsoft Azure
When using the Microsoft Azure cloud with Juju, it is important to keep in mind that it is a (1) machine cloud and (2) not some other cloud.
See more: Cloud differences in Juju
As the differences related to (1) are already documented generically in our Tutorial, How-to guides, and Reference docs, here we record just those that follow from (2).
Juju points of variation | Notes for the Microsoft Azure cloud |
---|---|
setup (chronological order): | |
CLOUD | |
supported versions: | |
requirements: | If you’re in a locked-down environment: Permissions: - - - - - - - - - - - - |
definition: | ![]() |
- name: | azure or user-defined |
- type: | azure |
- authentication types: | [interactive, service-principal-secret, managed-identity] (managed-identity only starting with Juju 3.6) |
- regions: | [TO BE ADDED] |
- cloud-specific model configuration keys: | load-balancer-sku-name (string) Mirrors the LoadBalancerSkuName type in the Azure SDK. network (string) resource-group-name (string) |
CREDENTIAL | |
definition: | auth-type : interactive , service-principal-secret , (starting with Juju 3.6) managed-identity . |
CONTROLLER | |
notes on bootstrap: | Starting with Juju 3.6, you can authenticate the controller with the cloud using managed identities. There are 3 possible workflows: (1) (recommended) (1a) Create the managed identity. (1b) Add a credential type (2) (2a) Create the managed identity yourself. (2b) Create a credential type (3) (3a) Create a credential type If you want your controller to be in the same resource group as the one used for the managed identity, during bootstrap also specify > See more: Appendix: How to create a managed identity. |
other (alphabetical order:) | |
CONSTRAINT | |
conflicting: | [instance-type] vs [arch, cores, mem] |
supported? | |
- allocate-public-ip |
![]() |
- arch |
![]() Valid values: amd64 . |
- container |
![]() |
- cores |
![]() |
- cpu-power |
![]() |
- image-id |
![]() |
- instance-role |
Starting with Juju 3.6: ![]() Valid values: - If the managed identity is created in a resource group on the same subscription: - If the managed identity is created in a resource group on a different subscription: - If the managed identity is created in a resource group and that resource group is used to host the controller model: > See more: Appendix: Example managed identity workflows. |
- instance-type |
![]() Valid values: See cloud provider. |
- mem |
![]() |
- root-disk |
![]() |
- root-disk-source |
![]() Represents the juju storage pool for the root disk. By specifying a storage pool, the root disk can be configured to use encryption. |
- spaces |
![]() |
- tags |
![]() |
- virt-type |
![]() |
- zones |
![]() |
PLACEMENT DIRECTIVE | |
<machine> |
TBA |
subnet=... |
![]() |
system-id=... |
![]() |
zone=... |
TBA |
MACHINE | |
RESOURCE (cloud) Consistent naming, tagging, and the ability to add user-controlled tags to created instances. |
![]() |
Appendix: How to create a managed identity
This is just an example. For more information please see the upstream cloud documentation. See more: Microsoft Azure | Managed identities.
To create a managed identity for Juju to use, you will need to use the Azure CLI and be logged in to your account. This is a set up step that can be done ahead of time by an administrator.
The 4 values below need to be filled in according to your requirements.
$ export group=someresourcegroup
$ export location=someregion
$ export role=myrolename
$ export identityname=myidentity
$ export subscription=mysubscription_id
The role definition and role assignment can be scoped to either the subscription or a particular resource group. If scoped to a resource group, this group needs to be provided to Juju when bootstrapping so that the controller resources are also created in that group.
For a subscription scoped managed identity:
$ az group create --name "${group}" --location "${location}"
$ az identity create --resource-group "${group}" --name "${identityname}"
$ mid=$(az identity show --resource-group "${group}" --name "${identityname}" --query principalId --output tsv)
$ az role definition create --role-definition "{
\"Name\": \"${role}\",
\"Description\": \"Role definition for a Juju controller\",
\"Actions\": [
\"Microsoft.Compute/*\",
\"Microsoft.KeyVault/*\",
\"Microsoft.Network/*\",
\"Microsoft.Resources/*\",
\"Microsoft.Storage/*\",
\"Microsoft.ManagedIdentity/userAssignedIdentities/*\"
],
\"AssignableScopes\": [
\"/subscriptions/${subscription}\"
]
}"
$ az role assignment create --assignee-object-id "${mid}" --assignee-principal-type "ServicePrincipal" --role "${role}" --scope "/subscriptions/${subscription}"
A resource scoped managed identity is similar except:
- the role definition assignable scopes becomes
\"AssignableScopes\": [
\"/subscriptions/${subscription}/resourcegroups/${group}\"
]
- the role assignment scope becomes
--scope "/subscriptions/${subscription}/resourcegroups/${group}"
Contributors: @kylerhornor , @tmihoc, @wallyworld