Azure Credentials
This article walks you, step by step, through the configuration of Azure credentials for Tuono, so that you can enable Tuono on your Azure account.
Overview
To connect Tuono to your Azure account, you will create an Enterprise Application registration, generate a Secret (password), and attach it to one of your Subscriptions. By following the instructions below you will generate four identifiers needed to connect Tuono to your Azure account:

| Identifier | Purpose |
| --- | --- |
| Client (Application) | This is also known as an Application ID. This is the identifier of the Tuono application within your Azure Active Directory. The application is a service principal, which is a fancy name for an account. In Azure, applications and users are treated similarly for access control purposes. |
| Secret | This is a password for the Tuono service to access the Tuono application within your Azure Active Directory. |
| Subscription | This is a unique identifier for a subscription in your Azure account. A subscription is a billable account. A set of credentials allows Tuono to access one subscription. |
| Tenant | This is a unique identifier for your Azure account. |

Additionally, you will need to select a credentialing style. Tuono can operate in three different modes for credentialing. You will need to choose the method you want to use, as that affects the remaining configuration steps.
We recommend that you use either static or short-term credentialing on Azure.

| Credentialing Mode | Description |
| --- | --- |
| Static | You provide Tuono with a Contributor role in a subscription. Tuono uses the secret you generated above to access your Azure Subscriptions. You manage the validity of the secret using the Azure Portal. All changes made to the subscription are attributed to the Tuono application. |
| Dynamic | You provide Tuono with an Owner role in a subscription and additional permissions in Azure Active Directory. This allows Tuono to dynamically create time-limited credentials for each job that provisions infrastructure. All changes made to the subscription are attributed to the Tuono application. NOTE: Dynamic credentials require administrative consent to configure, as they require permissions in Azure Active Directory to create temporary service principals (accounts), one per job. Dynamic credentialing can add up to 3 minutes to each provisioning job. |
| Short-Term | You assign a Contributor role to one or more users in a subscription, and grant those users access to the Tuono application. Instead of using a secret, these users authenticate directly with Microsoft as needed (when adding credentials or using apply/destroy on an environment). All changes made to the subscription are attributed to the User. |

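
The credentialing modes above each call for a specific role at the subscription scope, so a least-privilege check can confirm that what was granted matches the mode you chose. The following is an added example, not Tuono's own code: it assumes input in the shape produced by `az role assignment list --assignee <client-id> --all -o json` (fields `principalType`, `roleDefinitionName`, `scope`), and the function name, sample data and subscription IDs are constructed for illustration.

```python
import json

# Role and principal type each Tuono mode calls for, taken from the modes above.
EXPECTED = {
    "static": ("Contributor", "ServicePrincipal"),
    "dynamic": ("Owner", "ServicePrincipal"),
    "short-term": ("Contributor", "User"),
}

def audit(assignments, mode, subscription_id):
    """Return a list of findings; an empty list means the assignments fit the mode."""
    role, principal_type = EXPECTED[mode]
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings, matched = [], False
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        granted = a["roleDefinitionName"]
        inside = scope == sub_scope or scope.startswith(sub_scope + "/")
        if not inside:
            # One set of credentials is meant to reach one subscription only.
            findings.append(f"{granted} granted outside the subscription: {a['scope']}")
        elif scope == sub_scope and granted == role and a["principalType"] == principal_type:
            matched = True
        elif granted == "Owner" and role != "Owner":
            findings.append(f"Owner at {a['scope']} exceeds what {mode} mode needs")
    if not matched:
        findings.append(f"no {role} assignment for a {principal_type} at {sub_scope}")
    return findings

# Constructed sample (not real output): an over-privileged application that also
# holds a role in a second subscription.
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE = json.loads("""[
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, "static", SUB):
        print(finding)
```

Audited as Static, the sample yields three findings (Owner where Contributor is enough, a role outside the subscription, and no Contributor assignment); audited as Dynamic, only the out-of-subscription role is reported.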
Credential Configuration Steps