
Use Azure static credentials

This article covers granting Wayfinder access to an Azure Subscription (the target subscription) when you're using static credentials (an Azure AD Client Secret) for authentication. Wayfinder itself can be installed in AWS, Azure or GCP (the home installation).

Jump to the Quick Start section for steps on how to create a new Azure Cloud Access.


CLI Quick Reference

| Instruction | CLI Command |
|---|---|
| Create a workspace (only if Access Type is Kubernetes Cluster Provisioning) | `wf create workspace WORKSPACE-KEY -s SUMMARY` |
| Create a stage (only if Access Type is Kubernetes Cluster Provisioning) | `wf create stage STAGE-NAME -d DESCRIPTION` |
| View Cloud Access Configurations | `wf get cloudaccessconfig -c CLOUD -w WORKSPACE-KEY` |
| Output the Cloud Access Configuration to console | `wf get cloudaccessconfig CONFIG-NAME -o yaml` |
| Output the Cloud Access Configuration to file | `wf get cloudaccessconfig CONFIG-NAME > ./PATH/TO/FILE.yaml` |
| Apply the Cloud Access Configuration from file | `wf apply cloudaccessconfig -f ./PATH/TO/FILE.yaml` |
| View Cloud Permissions | `wf get cloudpermissions` |
| View the Permissions of the specified Cloud Permission | `wf describe cloudpermissions PERMISSION-NAME -c CLOUD -o JSON` |
| View input values for Wayfinder's terraform module | `wf describe cloudaccess --cloud-identity CLOUDIDENTITY-NAME --to-cloud TARGET-CLOUD --for-type ACCESS-TYPE --for-stage STAGE-NAME --for-workspace WORKSPACE-KEY -o tfvars` |
| View cloud identities | `wf get cloudidentities` |
| Output the details of the cloud identity to console | `wf get cloudidentities NAME-OF-IDENTITY -o yaml` |
| Create a cloud identity for Wayfinder's workload identity (you only have to do this once) | `wf create cloudidentity CLOUDIDENTITY-NAME --for-workload-identity` |
| [ADVANCED USERS] Create a Cloud Access Configuration | `wf create cloudaccessconfig [flags]` |

Considerations

For each subscription that you want to connect, you need to:

  1. Decide what type of cloud access you need.
  2. Decide the scope of the cloud subscription (workspace and stage).
    Note that some access types are designated as 'administrative' for configurations that are outside the scope of any particular workspace or stage and are intended for Wayfinder administrators.
  3. Decide what type of authentication method you want to use. This article outlines using static credentials (Azure AD Client Secret).
  4. Give Wayfinder cloud permissions to access cloud resources and perform relevant tasks.

Quick Start: Add a new Azure Cloud Access

CLI Steps

The easiest way to create a new Azure cloud access configuration is to edit an existing one.

  1. Copy one of the cloud access configuration (yaml) examples or output the yaml of an existing Cloud Access Configuration to file.
  2. Review the permissions that Wayfinder needs.
  3. Use Wayfinder's terraform module to configure the target subscription (or do the configuration manually).
  4. Apply the yaml of the Cloud Access Configuration that you've edited.

Wayfinder's Web Interface Steps

  1. Select Admin, then navigate to Cloud > Access.
  2. Select Microsoft Azure.
  3. Click the Add Azure cloud access button.
  4. You are presented with the Add Azure cloud access page. There are four main sections to complete.

1. Details Section Steps

  1. Enter the Details for the new cloud access.
  2. Enter the Azure Subscription ID for the Azure subscription that you want to give Wayfinder access to.
  3. Select the Access Type that this cloud access connection is for, e.g., Kubernetes Cluster Provisioning.

[Screenshot: Details Section example]

2. Scope Section Steps

  1. Select a workspace from the drop-down list or create a new workspace.
  2. Select a stage from the drop-down list or create a new stage.
Note: The Access Type determines whether the Scope section is editable or skipped. If skipped, the Scope is designated as 'Platform'.

[Screenshot: Scope Section example]

3. Authentication Section Steps

  1. Select Azure AD client secret as the Authentication Method.
  2. Select an Identity from the drop-down list. You can create a new identity if the drop-down list is empty or if they do not suffice.
[Screenshot: Auth Section example]

Create a new identity

  1. You need to manually create an Azure AD Client Secret in Azure. After you've created it, return to Wayfinder's web interface and follow the steps below.
  2. In Wayfinder's Web Interface:
  • Select the +Identity button. A new modal opens.
  • Fill in the details of the Azure AD Client Secret that you created in Azure. See the Authentication section for a description of each field.
  • Click on the Validate button so that Wayfinder can verify that it can access the Azure cloud subscription using that identity.
  • You will not be able to proceed until all validations have passed.

[Screenshot: Auth Section - New ID example]

If the details are valid, then you'll be able to proceed to the Permissions section.

[Screenshot: Auth Section - New ID - Valid]

4. Permission Section Steps

Note: You need to either run Wayfinder's terraform module to set up the needed cloud configuration in the target subscription, or do the configuration manually. The right-hand panel provides the input values for Wayfinder's terraform module.

  1. Select the ClusterManager's Validate Permissions button.
  2. Click the Validate button. You need to resolve any error messages before you can continue.
  3. Repeat the steps above for DNSZoneManager and NetworkManager (if applicable for your Access Type).

[Screenshot: Permissions Section example]

Fix any errors by either running Wayfinder's terraform module or updating the permissions manually.

[Screenshot: Permissions Section - Invalid Permissions]

You will be able to proceed once the permissions are validated successfully.

[Screenshot: Permissions Section - Valid Permissions]

All permissions must be validated successfully before you can proceed to the Summary section.

[Screenshot: Permissions Section - All Valid Permissions]

5. Summary Section Steps

  1. Verify that all the details are correct.

Note: You will not be able to apply the configuration if any of the validations failed.

[Screenshot: Summary Section example]

6. YAML Section Steps

  1. Press the Apply button to apply the configuration.
  2. Alternatively, download the YAML and apply it using Wayfinder's CLI or your CI pipeline.

Azure Cloud Access Properties

The following sections outline the properties that you'll need to connect your subscription to Wayfinder. CLI users can refer to the information in this section to understand how the settings from Wayfinder's web interface correlate with the respective YAML files.

Refer to the previous section for the quick start steps on how to add a new Azure Cloud Access.


Details Section Properties

This section specifies the general properties and access type for the Azure Subscription you're adding.

| Field | Description |
|---|---|
| Name | The name of this cloud connection. |
| Description | A meaningful description for this cloud connection. |
| Azure Subscription ID | Specify the Azure Subscription ID that you're connecting to. |
| Access Type | The type of automation Wayfinder should provide. The options are listed below. |

Access Type option(s):
  • Kubernetes Cluster Provisioning: Used for creating, updating and managing Kubernetes, cluster networking and workspace scoped DNS records for applications.
  • DNS Provisioning: Used for managing a top-level domain, so that Wayfinder can create sub domains within it that are delegated to workspace clusters.
  • Peering: Used for peering automation. Wayfinder can accept peering requests enabling connectivity between Wayfinder provisioned Kubernetes clusters and any external VPC network.
  • Cost Estimate: Used for cost data retrieval in order to provide infrastructure cost estimates.

Note: Each cloud account you connect serves exactly one Cloud Access Type, and each type has a different scope.


Scope Section Properties

When you've selected the Access Type as 'Kubernetes Cluster Provisioning', you need to set the scope to control where you want to provide the access to. This section is not visible for other Access Types.

What is the difference between a workspace and a stage?
  • A workspace is where teams provision and manage applications, environments, clusters, and cloud resources.
  • A stage is used to isolate and test resources at the infrastructure level such as production or development.
What is 'platform' scope?

Access types that are designated as 'platform' are for configurations that are outside the scope of any particular workspace or stage and are intended for use by Wayfinder administrators.


| Access Type | Description | Scope |
|---|---|---|
| Kubernetes Cluster Provisioning | Used for creating, updating and managing Kubernetes, cluster networking and workspace scoped DNS records for applications. | Workspace and Stage |
| DNS Provisioning | Used for managing a top-level domain, so that Wayfinder can create sub domains within it that are delegated to workspace clusters. | Platform |
| Peering | Used for peering automation. Wayfinder can accept peering requests enabling connectivity between Wayfinder provisioned Kubernetes clusters and any external VPC network. | Platform |
| Cost Estimates | Used for cost data retrieval in order to provide infrastructure cost estimates. | Platform |
| Private Links (Azure only) | Used when Wayfinder is installed in Azure, and you need to grant it access to a private cluster within a private virtual network (VNet). | Platform |

Create a new workspace

You can create a new workspace if the existing ones don't meet your needs.

| Field | Description |
|---|---|
| Select workspace | The workspace that can use this cloud account. |
| -- New workspace (button) | Creates a new workspace. |
| --- Name | The name for the new workspace. |
| --- Description | Meaningful description for this workspace. |
| --- Key | Unique 3-5 character identifier for the new workspace. |

CLI Examples

Create a workspace

FORMAT: `wf create workspace WORKSPACE-KEY -s SUMMARY`

EXAMPLE:

```
wf create workspace sand -s "My sandbox workspace"
◉ Waiting for resource "org.appvia.io/v2beta1/workspace/sand" to provision (background with ctrl-c)
✔ Successfully provisioned the resource: "sand"
```

Create a new stage

You can create a new stage if the existing ones don't meet your needs.

| Field | Description |
|---|---|
| Select stage | The stage that can use this cloud account. |
| -- New stage (button) | Creates a new stage. |
| --- Name | The name for the new stage. |
| --- Description | Meaningful description for this stage. |

CLI Examples

Create a stage

FORMAT: `wf create stage STAGE-NAME -d DESCRIPTION`

EXAMPLE:

```
~ wf create stage nonprod -d "non production stage"
✔ Successfully requested the resource "org.appvia.io/v2beta1/stage/nonprod"
✔ Successfully created the stage
```

Authentication Section Properties

This section specifies the properties to authenticate your Wayfinder instance with your cloud account.

| Field | Description |
|---|---|
| Authentication method | The method in which Wayfinder will authenticate itself to the account. Option(s): Using static credentials, via an Azure AD Client Secret (you can choose an identity from the drop-down list or create a new identity); or authenticating without credentials (for more information see 'Using Wayfinder's credentials'). |
| Identity | This option is only available when you use credential-based authentication. Choose a role-based or user-based identity from the drop-down list. |
| - New identity (button) | Creates a new role-based or user-based identity (when existing identities don't meet your needs). |
| -- Name | Name of the new identity. |
| -- Cloud | The cloud in which the identity will be created (read-only value). Value(s): Azure. |
| --- Type | The type of identity to create. Option(s): Azure AD client secret (read-only value). |
| --- Tenant ID | Specify the value for the Tenant ID for the new identity. |
| --- Client ID | Specify the value for the Client ID for the new identity. |
| --- Client Secret | Specify the value for the Client Secret. |

CLI Examples

Use `wf create cloudidentity CLOUDIDENTITY-NAME` with the `--azure-client-id CLIENT-ID --azure-tenant-id TENANT-ID --secret-file SECRET-FILE-NAME -c CLOUD` flags to create the cloud identity.

```
wf create cloudidentity wf-azure-static --azure-client-id 90123456-efgh-7890-abcd-1234efgh5678 --azure-tenant-id 87654321-abcd-458d-aa01-0123abcd1234 --secret-file cred-wf-azure-static -c azure
```

Permissions Section Properties

This section specifies the properties that grant the necessary permissions to Wayfinder. These permissions allow Wayfinder to create, manage and update cloud resources in the cloud subscription you specified in the previous section.


| Field | Description |
|---|---|
| Cluster manager | Permissions that create and manage Kubernetes clusters. |
| - Necessary Permissions | JSON outlining the needed permissions for Cluster Manager. Use Wayfinder's terraform module to assign permissions or create it manually. |
| - Validate (button) | Verification that the needed permissions were assigned correctly. |
| DNS management | Permissions that create and manage DNS records. |
| -- Permissions | JSON outlining the needed permissions to manage the DNS records on a sub domain of your global DNS entry. Use Wayfinder's terraform module to assign permissions or create it manually. |
| -- Validate (button) | Verification that the needed permissions were assigned correctly. |
| Network management | Permissions that create and manage AKS clusters. |
| -- Permissions | JSON outlining the needed permissions. Use Wayfinder's terraform module to assign permissions or create it manually. |
| -- Validate (button) | Verification that the needed permissions were assigned correctly. |

Summary Section Properties

Wayfinder provides you with a summary of the configuration details you've entered.

Important: You will not be able to apply the configuration if any of the validations failed.


YAML Section Properties

You will be presented with the manifest (yaml) files for the configuration details you entered.

You have the option to apply the configuration immediately by clicking the Apply button, or to download the YAML so that you can apply it later using Wayfinder's CLI or your CI system.

The following YAML files are produced:

Workspace

Only shown when you create a new workspace.

```yaml
apiVersion: org.appvia.io/v2beta1
kind: Workspace
metadata:
  name: sand
spec:
  description: sandbox
  key: sand
  summary: sandbox for dev
  resourceNamespace: ''
```

Stage

Only shown when you create a new stage.

```yaml
apiVersion: org.appvia.io/v2beta1
kind: Stage
metadata:
  name: nonprod
spec:
  displayName: nonprod
  description: non production stage for dev
```

Cloud Identity

Only shown when you create a new Azure AD Client Secret. Wayfinder's web interface will redact the secret values. When you click the Apply button Wayfinder will create a Kubernetes secret. If you are applying this manually, then you need to create the Kubernetes secret yourself.

```yaml
apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudIdentity # <-- Note the kind
metadata:
  name: wf-azure-static
  namespace: ws-admin
spec:
  cloud: azure
  type: AzureADClientSecret # <-- Note the type
  azure:
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234 # <-- The Azure Tenant ID that you're connecting to
    clientID: 90123456-efgh-7890-abcd-1234efgh5678 # <-- The Azure Client ID that you're connecting to
  credentialsInputData:
    client_secret: redacted
```


YAML with the Kubernetes secret referenced:

```yaml
spec:
  cloud: azure
  type: AzureADClientSecret # <-- Note the type
  azure:
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234 # <-- The Azure Tenant ID that you're connecting to
    clientID: 90123456-efgh-7890-abcd-1234efgh5678 # <-- The Azure Client ID that you're connecting to
  credentialsUpdated: "2023-10-26T16:24:28Z"
  secretRef:
    name: cred-wf-azure-static
    namespace: ws-sand
```

Cloud Access Configuration

The type of manifest depends on the Access Type you've selected.

```yaml
apiVersion: cloudaccess.appvia.io/v2beta2
kind: CloudAccessConfig # <-- Note the kind
metadata:
  name: azure-test1-static
  namespace: ws-sand
spec:
  cloudIdentityRef:
    cloud: azure # <-- Cloud Wayfinder is connecting from
    name: wf-azure-static # <-- Identity Wayfinder is connecting with
  azure:
    subscription: 12345678-abcd-458d-aa01-0123abcd1234 # <-- The Azure Subscription ID that you're connecting to
    tenantID: 87654321-abcd-458d-aa01-0123abcd1234 # <-- The Azure Tenant ID that you're connecting to
  type: Provisioning # <-- Note the type
  permissions:
    - permission: ClusterManager
    - permission: NetworkManager
    - permission: DNSZoneManager
  stage: nonprod
```

View Cloud Access Configurations

Use the wf get cloudaccessconfig CLI command to view a list of cloud access configurations. Use the --cloud flag to limit the results to the specified cloud provider and the -w flag to specify the workspace.

```
wf get cloudaccessconfig --cloud azure -w sand
NAME                 PROVIDER   STATUS    IDENTIFIER   AGE
azure-test1-static   azure      Success   Unknown      9m47s
azure-nonprod        azure      Success   Unknown      19d
azure-prod           azure      Success   Unknown      19d
```

Use the `-o yaml` flag to output the cloud access configuration details to the console.

```
wf get cloudaccessconfig azure-dev1 -o yaml
```

Using Wayfinder's web interface:

  • Select Admin, then navigate to Cloud > Access
  • Select your cloud provider, for example Microsoft Azure
  • The Cloud Access lists all the Cloud Access configurations for the selected cloud provider

[Screenshot: Azure Overview]

Create a Cloud Access Configuration using CLI

[ADVANCED USERS]

Use the wf create cloudaccessconfig command to create a cloud access configuration using the CLI. Follow the CLI prompts or use the --help flag for a full list of options. You need to configure the target subscription manually or use Wayfinder's terraform module.

If you need more guidance then see the quick start section.


Edit & Apply Cloud Access Configurations

Output the cloud access configuration to file using the `wf get cloudaccessconfig NAME-OF-CONFIG` command, redirecting the output with `> FILENAME.yaml`.

```
wf get cloudaccessconfig azure-dev1 > ./manifests/azuredev1.yaml
```

Update the file as needed and use the `wf apply cloudaccessconfig` command with the `-f PATH-TO-FILE.yaml` flag to apply the changes.

```
wf apply cloudaccessconfig -f ./manifests/clouddev1.yaml
```

Using Wayfinder's web interface:

  • Select Admin, then navigate to Cloud > Access
  • Select your cloud provider, for example Microsoft Azure
  • The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
  • Click on the name of the Cloud Access to open the form in Edit mode.
  • Update as needed.

Note: You will not be able to change the values of the fields below. If they need changing, you need to create a new cloud access configuration.

  • Name
  • Subscription ID
  • Access Type

Note: All validations need to pass before you can re-apply the configuration.


View Permissions

These are the permissions that Wayfinder needs in the target account to create and manage cloud resources.

Use the `wf get cloudpermissions` CLI command to view a list of available cloud permissions.

```
wf get cloudpermissions
NAME             WAYFINDER FUNCTIONALITY SET   DESCRIPTION
ClusterManager   Provisioning                  Used for managing cluster provisioning inside the child account
DNSZoneManager   Provisioning                  Used for managing application DNS records on a sub domain of the Global DNS entry
NetworkManager   Provisioning                  Used for managing network permissions inside the child account
DNSZoneManager   DNSZoneManagement             Used to create sub domains for workspace clusters inside of the imported top-level domain
NetworkManager   NetworkPeering                Accepts peering requests in an external VPC network to provide end-to-end peering automation
CloudInfo        CostsEstimates                Used to retrieve cost data for infrastructure cost estimation
```

Use the `wf describe cloudpermissions` CLI command to view the JSON of the specified permission.

Also see the Permissions Section Properties section.

```
wf describe cloudpermission DNSZoneManager -c azure -o json
Permission: DNSZoneManager
Description: Used for managing application DNS records on a sub domain of the Global DNS entry
Permissions:
actions:
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleDefinitions/read
- Microsoft.Resources/subscriptions/providers/read
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/delete
- Microsoft.Network/dnszones/read
- Microsoft.Network/dnszones/write
- Microsoft.Network/dnszones/delete
- Microsoft.Network/dnszones/recordsets/read
- Microsoft.Network/dnszones/NS/read
- Microsoft.Network/dnszones/NS/write
- Microsoft.Network/dnszones/NS/delete
- Microsoft.Network/dnszones/TXT/read
- Microsoft.Network/dnszones/TXT/write
- Microsoft.Network/dnszones/TXT/delete
```
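When configuring the target subscription manually, the action list above has to become a role definition that is assignable only within that subscription, and a "Validate" failure usually means an existing role lacks some of those actions. The following Python is an added example (not Wayfinder's code or its terraform module): it builds a subscription-scoped custom role from the DNSZoneManager actions in the JSON shape that `az role definition create --role-definition` accepts, and it reports which required actions a given role definition (using the same Actions/NotActions keys) fails to grant, matching Azure's `*` wildcard semantics. The subscription ID is the example value from this page's CloudAccessConfig manifest.

```python
"""Turn the DNSZoneManager action list into a subscription-scoped Azure custom
role, and check an existing role definition for the actions Wayfinder needs.
Example code; not part of Wayfinder or its terraform module."""
import fnmatch
import json

# Actions reported by `wf describe cloudpermission DNSZoneManager -c azure -o json`
# (copied from this page).
DNSZONEMANAGER_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Resources/subscriptions/providers/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.Network/dnszones/read",
    "Microsoft.Network/dnszones/write",
    "Microsoft.Network/dnszones/delete",
    "Microsoft.Network/dnszones/recordsets/read",
    "Microsoft.Network/dnszones/NS/read",
    "Microsoft.Network/dnszones/NS/write",
    "Microsoft.Network/dnszones/NS/delete",
    "Microsoft.Network/dnszones/TXT/read",
    "Microsoft.Network/dnszones/TXT/write",
    "Microsoft.Network/dnszones/TXT/delete",
]

# Example subscription ID taken from this page's CloudAccessConfig manifest.
SUBSCRIPTION_ID = "12345678-abcd-458d-aa01-0123abcd1234"


def build_custom_role(name, actions, subscription_id, description=""):
    """Build a custom role definition in the JSON shape `az role definition
    create --role-definition` accepts, assignable only within one subscription."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def action_allowed(action, actions, not_actions=()):
    """Azure grants an action if some Actions pattern matches it and no
    NotActions pattern matches it; patterns use '*' and are case-insensitive."""
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, p.lower()) for p in not_actions):
        return False
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in actions)


def missing_actions(required, role):
    """Return the required actions that a role definition does not grant.
    `role` uses the same Actions/NotActions keys as build_custom_role()."""
    return [a for a in required
            if not action_allowed(a, role["Actions"], role.get("NotActions", ()))]


if __name__ == "__main__":
    role = build_custom_role("Wayfinder DNSZoneManager", DNSZONEMANAGER_ACTIONS,
                             SUBSCRIPTION_ID, "Used for managing application DNS records")
    print(json.dumps(role, indent=2))
    # A read-only role such as the built-in Reader (Actions ["*/read"]) lacks the write/delete actions.
    print("missing from Reader:", missing_actions(DNSZONEMANAGER_ACTIONS, {"Actions": ["*/read"]}))
```

To check a role you already have, export it with `az role definition list --name NAME` and pass its `actions`/`notActions` lists in as `Actions`/`NotActions`.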


Using Wayfinder's web interface:

  • Select Admin, then navigate to Cloud > Access
  • Select your cloud provider, for example Microsoft Azure
  • The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
  • Click on the name of the Cloud Access to open the form in Edit mode.
  • Navigate to the Permissions section.
  • Click on the Configure button.
  • The JSON outlining the permissions is displayed. Also see the Permissions Section Properties section.

View Cloud Identity

Use the wf get cloudidentities CLI Command to view the cloud identities that you've created.

```
wf get cloudidentities
NAME                 STATUS    VERIFIED   AGE
azure-test1-static   Success   true       3m
```

Use the `-o yaml` flag to view the manifest details.

```
wf get cloudidentities azure-test1-static -o yaml
```

Using Wayfinder's web interface:

  • Select Admin, then navigate to Cloud > Access
  • Select your cloud provider, for example Microsoft Azure
  • The Cloud Access lists all the Cloud Access configurations for the selected cloud provider
  • Click on the Cloud Identities tab to view a list of cloud identities that you've created.