Install an Azure connector on ACI using PowerShell
Learn how to deploy a connector in an Azure environment
Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using PowerShell.
Prerequisites
Apono Token
Account-specific Apono authentication value
Use the following steps to obtain your token:
On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation > Azure > Install and Connect Azure Account > CLI (Container Instance).
Copy the token listed on the page in step 1.
PowerShell
Tool that enables interacting with Azure services using your command-line shell
Azure Cloud Information
Information for your Azure Cloud instance:
Owner Role (Azure RBAC)
Azure role with the following permissions:
Grants full access to manage all resources
Assigns roles in Azure RBAC
Global Administrator
Microsoft Entra role with the following permission:
Manages all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities
❗Apono does not require Global Administrator access. This is required for the admin following this guide. ❗
Install a new connector
You can install a connector for an Azure Management Group or Subscription.
Follow these steps to install a new connector:
At the shell prompt, set the environment variables.
$env:APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
$env:APONO_TOKEN = "<APONO_TOKEN>"
$env:SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
$env:RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
$env:MANAGEMENT_GROUP_NAME = "<AZURE_MANAGEMENT_GROUP_NAME>"
Log in to your Azure account.
Connect-AzAccount
Set the REGION variable to the location of the resource group.
$REGION = (Get-AzResourceGroup -Name $env:RESOURCE_GROUP_NAME).Location
Run the following command to deploy the connector on your ACI.
# Values set with $env: in step 1 are read back with the $env: prefix.
$port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $env:APONO_CONNECTOR_ID
$env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $env:APONO_TOKEN
$env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
$jsonValue = @{
    cloud_provider = "AZURE"
    subscription_id = $env:SUBSCRIPTION_ID
    resource_group = $env:RESOURCE_GROUP_NAME
    region = $REGION
    is_azure_admin = $true
} | ConvertTo-Json -Compress
$env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
$container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.7.3 -Name $env:APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5
$imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $env:APONO_TOKEN -AsPlainText -Force)
# The principal ID of the system-assigned identity is used in the role assignments that follow.
$PRINCIPAL_ID = (New-AzContainerGroup -SubscriptionId $env:SUBSCRIPTION_ID -ResourceGroupName $env:RESOURCE_GROUP_NAME -Name $env:APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
Add the User Access Administrator role to the connector in the management group scope.
New-AzRoleAssignment -ObjectId $PRINCIPAL_ID `
-ObjectType "ServicePrincipal" `
-RoleDefinitionName "User Access Administrator" `
-Scope "/providers/Microsoft.Management/managementGroups/$env:MANAGEMENT_GROUP_NAME"
For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
$accessToken = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
$payload = @{
principalId = $PRINCIPAL_ID
roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
}
Invoke-RestMethod -Method POST -Uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments" -Headers $headers -Body $payload
On the Connectors page, verify that the connector has been updated.
You can now integrate with an Azure Management Group or Azure Subscription.
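One way to check the result of the role-assignment steps above, added here as an example and not part of Apono's guide: it re-reads the connector's system-assigned identity and lists its Azure RBAC assignments, warning on anything other than User Access Administrator at the management group scope. It assumes the $env: variables from step 1 are still set in the session and covers Azure RBAC only, not the Microsoft Entra directory roles.

```powershell
# Added example (not Apono's code): audit what the connector identity can do in Azure RBAC.
# Assumption: the $env: variables from the install steps are still set in this session.
$ErrorActionPreference = 'Stop'

$expectedRole  = 'User Access Administrator'
$expectedScope = "/providers/Microsoft.Management/managementGroups/$env:MANAGEMENT_GROUP_NAME"

# Fail early on an empty variable instead of querying with a blank name or scope.
foreach ($name in 'APONO_CONNECTOR_ID', 'SUBSCRIPTION_ID', 'RESOURCE_GROUP_NAME', 'MANAGEMENT_GROUP_NAME') {
    if (-not (Get-Item "env:$name" -ErrorAction SilentlyContinue).Value) {
        throw "Environment variable $name is not set."
    }
}
Set-AzContext -Subscription $env:SUBSCRIPTION_ID | Out-Null

# Re-read the identity from the container group rather than trusting a
# $PRINCIPAL_ID variable that may be empty or left over from another run.
$group = Get-AzContainerGroup -SubscriptionId $env:SUBSCRIPTION_ID `
    -ResourceGroupName $env:RESOURCE_GROUP_NAME -Name $env:APONO_CONNECTOR_ID
$principalId = $group.IdentityPrincipalId
if (-not $principalId) {
    throw "Container group '$($group.Name)' has no system-assigned identity."
}
Write-Output "Provisioning state: $($group.ProvisioningState)"

# Collect assignments visible from the management group and from the subscription,
# then de-duplicate on the assignment ID.
$assignments = @(
    @(Get-AzRoleAssignment -ObjectId $principalId -Scope $expectedScope) +
    @(Get-AzRoleAssignment -ObjectId $principalId)
) | Sort-Object RoleAssignmentId -Unique

$expected = @($assignments | Where-Object {
    $_.RoleDefinitionName -eq $expectedRole -and $_.Scope -eq $expectedScope
})
$extra = @($assignments | Where-Object { $expected -notcontains $_ })

if ($expected.Count -eq 0) {
    Write-Warning "Missing: $expectedRole at $expectedScope"
}
foreach ($a in $extra) {
    # Anything listed here is privilege beyond what the install steps grant.
    Write-Warning "Unexpected: $($a.RoleDefinitionName) at $($a.Scope)"
}
$assignments | Format-Table RoleDefinitionName, Scope -AutoSize
```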