On Thursday, 30 June 2016 20:03:00 UTC+3, Matt Davis wrote:
>
> Have you read and followed
> http://docs.ansible.com/ansible/guide_azure.html about creating the
> service principals in AD?
>
Yes and no. I do not have access to the classic portal; it is denied by our enterprise policy. Authenticating with service principals requires access to the classic portal, so I need to get the AD authentication to work. I currently have "contributor" privileges in Azure; might it be the case that I don't have the required permissions?

Service principal credentials shouldn't be required according to the documentation at https://docs.ansible.com/ansible/azure_rm_virtualmachine_module.html:

> Note
> Alternatively, credentials can be stored in ~/.azure/credentials. This is
> an ini file containing a [default] section and the following keys:
> subscription_id, client_id, secret and tenant or subscription_id, ad_user
> and password. It is also possible to add additional profiles. Specify the
> profile by passing profile or setting AZURE_PROFILE in the environment.

I've done some tests to verify that what I mentioned previously has some issues.

1) Passing credentials as parameters doesn't work:

$ cat test.yml
- hosts: localhost
  tasks:
    - name: Create VM with defaults
      azure_rm_virtualmachine:
        resource_group: Testing
        name: testvm10
        ad_user: '[email protected]'
        password: 'password'
        subscription_id: 'test-sub'
        admin_username: root
        admin_password: pass
        image:
          offer: CentOS
          publisher: OpenLogic
          sku: '7.1'
          version: latest

$ ansible-playbook test.yml
 [WARNING]: provided hosts list is empty, only localhost is available

PLAY [localhost] ***************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Create VM with defaults] *************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to get credentials. Either pass as parameters, set environment variables, or define a profile in ~/.azure/credentials."}

NO MORE HOSTS LEFT *************************************************************
	to retry, use: --limit @test.retry

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1

2) Providing environment variables doesn't work:

$ cat test.env
AZURE_AD_USER='[email protected]'
AZURE_PASSWORD='password'
AZURE_SUBSCRIPTION_ID='test-sub'

source test.env && ansible-playbook test.yml:

$ ansible-playbook test.yml
 [WARNING]: provided hosts list is empty, only localhost is available

PLAY [localhost] ***************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Create VM with defaults] *************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to get credentials. Either pass as parameters, set environment variables, or define a profile in ~/.azure/credentials."}

NO MORE HOSTS LEFT *************************************************************
	to retry, use: --limit @test.retry

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1

3) The credentials profile is working, but not really. It seems that the module incorrectly expects a tenant id and fails when I have not provided it.
$ cat ~/.azure/credentials
[default]
ad_user='[email protected]'
password='password'
subscription_id='sub-test'

t-m@ubuntubox:~/dev/mtg-rate-estimate-ui$ ansible-playbook test.yml
 [WARNING]: provided hosts list is empty, only localhost is available

PLAY [localhost] ***************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Create VM with defaults] *************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Timestamp: 2016-06-30 19:43:52Z
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_AhQ2Oz/ansible_module_azure_rm_virtualmachine.py\", line 1281, in <module>\n    main()\n  File \"/tmp/ansible_AhQ2Oz/ansible_module_azure_rm_virtualmachine.py\", line 1278, in main\n    AzureRMVirtualMachine()\n  File \"/tmp/ansible_AhQ2Oz/ansible_module_azure_rm_virtualmachine.py\", line 527, in __init__\n    supports_check_mode=True)\n  File \"/tmp/ansible_AhQ2Oz/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py\", line 164, in __init__\n  File \"/home/t-m/.local/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 261, in __init__\n    self.set_token()\n  File \"/home/t-m/.local/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 296, in set_token\n    raise_with_traceback(AuthenticationError, \"\", err)\n  File \"/home/t-m/.local/lib/python2.7/site-packages/msrest/exceptions.py\", line 50, in raise_with_traceback\n    raise error\nmsrest.exceptions.AuthenticationError: , InvalidClientIdError: (invalid_request) AADSTS90002: Requested tenant identifier '********.com'' is not valid.\r\nTrace ID: 3698ff8f-0117-4a0b-b4db-795d9d397d9e\r\nCorrelation ID: 46b00886-e1ed-43bd-9dfe-b1af1a59da45\r\nTimestamp: 2016-06-30 19:43:52Z\n", "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}

NO MORE HOSTS LEFT *************************************************************
	to retry, use: --limit @test.retry

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1

Execution environment:

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 15.10
Release:	15.10
Codename:	wily

$ ansible --version
ansible 2.1.1.0 (stable-2.1 a598f26006) last updated 2016/06/30 22:57:28 (GMT +300)
  lib/ansible/modules/core: (detached HEAD 1d0d5db97a) last updated 2016/06/30 21:14:15 (GMT +300)
  lib/ansible/modules/extras: (detached HEAD 00b8b96906) last updated 2016/06/30 21:14:19 (GMT +300)
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

$ pip list | grep azure
azure (2.0.0rc2)
azure-common (1.1.2)
azure-graphrbac (0.30.0rc2)
azure-mgmt (0.30.0rc2)
azure-mgmt-authorization (0.30.0rc2)
azure-mgmt-cdn (0.30.0rc2)
azure-mgmt-compute (0.30.0rc2)
azure-mgmt-logic (0.30.0rc2)
azure-mgmt-network (0.30.0rc2)
azure-mgmt-notificationhubs (0.30.0rc2)
azure-mgmt-nspkg (1.0.0)
azure-mgmt-redis (0.30.0rc2)
azure-mgmt-resource (0.30.0rc2)
azure-mgmt-scheduler (0.30.0rc2)
azure-mgmt-storage (0.30.0rc2)
azure-mgmt-web (0.30.0rc2)
azure-nspkg (1.0.0)
azure-servicebus (0.20.1)
azure-servicemanagement-legacy (0.20.2)
azure-storage (0.30.0)
msrestazure (0.2.1)
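An added illustration, not part of the thread and not the Ansible module's own code, of the credential lookup that the documentation quoted in the post describes: module parameters, then AZURE_* environment variables, then a profile in ~/.azure/credentials, each accepted only when one of the two documented key sets (subscription_id/client_id/secret/tenant, or subscription_id/ad_user/password) is complete. The precedence order, the helper names and the embedded sample ini text are assumptions made for the example. It also carries two checks a practitioner would want: Python's configparser returns ini values verbatim, so writing ad_user='...' in the credentials file keeps the quote characters in the value (a leaked quote is what the stray trailing '' in the AADSTS90002 message above would look like), so the example strips them; and because the file holds a password or client secret in clear text, it checks that the file mode is private.

```python
"""Illustration of the documented credential lookup for the Ansible azure_rm_*
modules.  Example code written for this thread, not Ansible's azure_rm_common;
precedence order, helper names and the sample ini below are assumptions."""

import configparser
import stat
from typing import Dict, Optional, Tuple

# The two credential shapes the module documentation describes.
SERVICE_PRINCIPAL_KEYS = ("subscription_id", "client_id", "secret", "tenant")
AD_USER_KEYS = ("subscription_id", "ad_user", "password")
ALL_KEYS = tuple(sorted(set(SERVICE_PRINCIPAL_KEYS) | set(AD_USER_KEYS)))

# Constructed sample of ~/.azure/credentials.  [default] quotes its values the
# way the post's file does; [sp] is an unquoted service-principal profile.
SAMPLE_INI = """\
[default]
subscription_id='sub-test'
ad_user='someone@example.com'
password='password'

[sp]
subscription_id = sub-test
client_id = 00000000-0000-0000-0000-000000000000
secret = s3cret
tenant = example.onmicrosoft.com
"""


def _parser(text: str) -> configparser.ConfigParser:
    # interpolation=None so a '%' in a password is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def raw_ini_value(text: str, profile: str, key: str) -> str:
    """What configparser hands back before any quote stripping."""
    return _parser(text).get(profile, key)


def strip_quotes(value: str) -> str:
    """configparser keeps quotes, so ad_user='x' yields "'x'".  Strip one
    matching pair so the quote characters are not sent to Azure AD."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def credentials_from_params(params: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Module parameters such as ad_user:, password:, subscription_id:."""
    return {k: params[k] for k in ALL_KEYS if params.get(k)}


def credentials_from_env(env: Dict[str, str]) -> Dict[str, str]:
    """AZURE_SUBSCRIPTION_ID, AZURE_AD_USER, AZURE_PASSWORD, AZURE_TENANT, ..."""
    return {k: env["AZURE_" + k.upper()] for k in ALL_KEYS
            if env.get("AZURE_" + k.upper())}


def credentials_from_ini(text: str, profile: str = "default") -> Dict[str, str]:
    """One profile of the credentials file, with quotes stripped."""
    cp = _parser(text)
    if not cp.has_section(profile):
        return {}
    return {k: strip_quotes(v) for k, v in cp.items(profile)
            if k in ALL_KEYS and v}


def classify(creds: Dict[str, str]) -> Optional[str]:
    """Name the complete credential shape, or None if neither set is whole."""
    if all(creds.get(k) for k in SERVICE_PRINCIPAL_KEYS):
        return "service_principal"
    if all(creds.get(k) for k in AD_USER_KEYS):
        return "ad_user"
    return None


def resolve(params: Dict[str, Optional[str]], env: Dict[str, str],
            ini_text: str, profile: Optional[str] = None
            ) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """First complete set in the documented order: parameters, environment,
    credentials file.  Returns (source, kind, creds) or None (assumed order)."""
    profile = profile or env.get("AZURE_PROFILE", "default")
    candidates = (("params", credentials_from_params(params)),
                  ("env", credentials_from_env(env)),
                  ("profile:" + profile, credentials_from_ini(ini_text, profile)))
    for source, creds in candidates:
        kind = classify(creds)
        if kind:
            return source, kind, creds
    return None


def file_mode_is_private(st_mode: int) -> bool:
    """The file holds a password or client secret in clear text: it should
    carry no group or other permission bits (e.g. chmod 600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    print(repr(raw_ini_value(SAMPLE_INI, "default", "ad_user")))
    print(resolve({}, {}, SAMPLE_INI))
    print(resolve({}, {"AZURE_PROFILE": "sp"}, SAMPLE_INI))
```

Run as a script it shows the quoted raw value and which profile resolve() accepts; to check a real file, pass the contents of ~/.azure/credentials to credentials_from_ini and the st_mode from os.stat on it to file_mode_is_private.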
