Install Azure connector on ACI using Azure CLI

The remainder of this guide focuses on installing and configuring the Azure Apono connector on ACI in your Azure environment using Azure CLI.

Before you begin

You must satisfy the Apono connector for Azure requirements to complete this tutorial.

Install the Azure CLI Command-line

Installation Steps

In The Terminal

Export the following environment variables.

export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
export MANAGEMENT_GROUP_NAME=<AZURE_MANAGEMENT_GROUP_NAME>

az login

Export REGION environment variable.

export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)

Run the following command to deploy the connector on your ACI.

export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.6.7 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)

Add the User Access Administrator role to the connector in the subscription scope.

az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME

For Azure AD, add the Director Readers role to the connector.

az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'

For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'

On the Connectors page, verify that the connector has been updated.

Export the following environment variables.

export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>

az login

Export REGION environment variable.

export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)

Run the following command to deploy the connector on your ACI.

export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.6.7 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)

Add the User Access Administrator role to the connector in the subscription scope.

az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID

For Azure AD, add the Director Readers role to the connector.

az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'

For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'

On the Connectors page, verify that the connector has been updated.

Next Steps

Create Integrate with Azure Management Group or Subscription

PreviousApono Connector for Azure NextInstall Azure connector on ACI using PowerShell

Last updated 2 days ago