
Manage Azure credentials and marketplace subscriptions for BlueXP

Contributors netapp-bcammett

Add and manage Azure credentials so that BlueXP has the permissions that it needs to deploy and manage cloud resources in your Azure subscriptions. If you manage multiple Azure Marketplace subscriptions, you can assign each one of them to different Azure credentials from the Credentials page.

Follow the steps on this page if you need to use multiple Azure credentials or multiple Azure Marketplace subscriptions for Cloud Volumes ONTAP.

Overview

There are two ways to add additional Azure subscriptions and credentials in BlueXP.

  1. Associate additional Azure subscriptions with the Azure managed identity.

  2. If you want to deploy Cloud Volumes ONTAP using different Azure credentials, grant Azure permissions using a service principal and add its credentials to BlueXP.

Associate additional Azure subscriptions with a managed identity

BlueXP enables you to choose the Azure credentials and Azure subscription in which you want to deploy Cloud Volumes ONTAP. You can't select a different Azure subscription for the managed identity profile unless you associate the managed identity with those subscriptions.

About this task

A managed identity is the initial Azure account when you deploy a Connector from BlueXP. When you deployed the Connector, BlueXP created the BlueXP Operator role and assigned it to the Connector virtual machine.

Steps
  1. Log in to the Azure portal.

  2. Open the Subscriptions service and then select the subscription in which you want to deploy Cloud Volumes ONTAP.

  3. Select Access control (IAM).

    1. Select Add > Add role assignment and then add the permissions:

      • Select the BlueXP Operator role.

        Note BlueXP Operator is the default name provided in the Connector policy. If you chose a different name for the role, then select that name instead.
      • Assign access to a Virtual Machine.

      • Select the subscription in which the Connector virtual machine was created.

      • Select the Connector virtual machine.

      • Select Save.

  4. Repeat these steps for additional subscriptions.

Result

When you create a new working environment, you should now have the ability to select from multiple Azure subscriptions for the managed identity profile.

A screenshot that shows the ability to select multiple Azure subscriptions when selecting a Microsoft Azure Provider Account.

Add additional Azure credentials to BlueXP

When you deploy a Connector from BlueXP, BlueXP enables a system-assigned managed identity on the virtual machine that has the required permissions. BlueXP selects these Azure credentials by default when you create a new working environment for Cloud Volumes ONTAP.

Tip An initial set of credentials isn't added if you manually installed the Connector software on an existing system. Learn about Azure credentials and permissions.

If you want to deploy Cloud Volumes ONTAP using different Azure credentials, then you must grant the required permissions by creating and setting up a service principal in Microsoft Entra ID for each Azure account. You can then add the new credentials to BlueXP.

Grant Azure permissions using a service principal

BlueXP needs permissions to perform actions in Azure. You can grant the required permissions to an Azure account by creating and setting up a service principal in Microsoft Entra ID and by obtaining the Azure credentials that BlueXP needs.

About this task

The following image depicts how BlueXP obtains permissions to perform operations in Azure. A service principal object, which is tied to one or more Azure subscriptions, represents BlueXP in Microsoft Entra ID and is assigned to a custom role that allows the required permissions.

Conceptual image that shows BlueXP obtaining authentication and authorization from Microsoft Entra ID before it can make an API call. In Active Directory, the BlueXP role defines permissions. It is tied to one or more Azure subscriptions and a service principal object that represents the Cloud Manager application.

Create a Microsoft Entra application

Create a Microsoft Entra application and service principal that BlueXP can use for role-based access control.

Steps
  1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.

  2. From the Azure portal, open the Microsoft Entra ID service.

    Shows the Active Directory service in Microsoft Azure.

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with BlueXP).

    • Redirect URI: You can leave this field blank.

  6. Select Register.

Result

You've created the AD application and service principal.

Assign the application to a role

You must bind the service principal to one or more Azure subscriptions and assign it the custom "BlueXP Operator" role so BlueXP has permissions in Azure.

Steps
  1. Create a custom role:

    Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to the Azure documentation.

    1. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.

    2. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

      You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.

      Example

      "AssignableScopes": [
      "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
      "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
      "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
      ]

    3. Use the JSON file to create a custom role in Azure.

      The following steps describe how to create the role by using Bash in Azure Cloud Shell.

      • Start Azure Cloud Shell and choose the Bash environment.

      • Upload the JSON file.

        A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

      • Use the Azure CLI to create the custom role:

        az role definition create --role-definition Connector_Policy.json

        You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.

  2. Assign the application to the role:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Select Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the BlueXP Operator role and select Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Select Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here's an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and select Select.

      • Select Next.

    6. Select Review + assign.

      The service principal now has the required Azure permissions to deploy the Connector.

      If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. BlueXP enables you to select the subscription that you want to use when deploying Cloud Volumes ONTAP.
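
The assignable-scope edit from the custom role step can be scripted and checked before the role is created. The following is an added example, not NetApp's code: the function names, the sample role and the subscription ID are constructed, and it assumes the saved JSON keeps the `AssignableScopes` key shown above.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
SUBSCRIPTION_SCOPE = re.compile("/subscriptions/" + GUID)


def set_assignable_scopes(role, subscription_ids):
    """Return a copy of the role scoped to exactly these subscriptions."""
    scopes = []
    for sub_id in subscription_ids:
        scope = "/subscriptions/" + sub_id.strip().lower()
        if not SUBSCRIPTION_SCOPE.fullmatch(scope):
            raise ValueError("not a subscription GUID: %r" % sub_id)
        if scope not in scopes:  # drop duplicates, keep order
            scopes.append(scope)
    if not scopes:
        raise ValueError("at least one subscription ID is required")
    updated = dict(role)
    updated["AssignableScopes"] = scopes
    return updated


def audit_scopes(role):
    """Return AssignableScopes entries that are not one whole subscription
    (root "/", management groups, wildcards, placeholder IDs)."""
    return [s for s in role.get("AssignableScopes", [])
            if not SUBSCRIPTION_SCOPE.fullmatch(s)]


# Constructed stand-in for the saved role JSON. In the real file "Actions"
# holds the Connector permission list, which this code never modifies.
SAMPLE_ROLE = {
    "Name": "BlueXP Operator",
    "Actions": ["<permissions copied from the Connector policy>"],
    "AssignableScopes": [],
}

if __name__ == "__main__":
    ids = ["11111111-2222-3333-4444-555555555555"]  # constructed ID
    role = set_assignable_scopes(SAMPLE_ROLE, ids)
    print(json.dumps(role, indent=2))
    print("entries to review:", audit_scopes(role))
```

Running `audit_scopes` on the file you are about to pass to `az role definition create` catches documentation placeholder IDs and scopes broader than a subscription before the role exists.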

Add Windows Azure Service Management API permissions

The service principal must have "Windows Azure Service Management API" permissions.

Steps
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Select API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

    A screenshot of the Azure portal that shows the Azure Service Management API permissions.

  4. Select Access Azure Service Management as organization users and then select Add permissions.

    A screenshot of the Azure portal that shows adding the Azure Service Management APIs.

Get the application ID and directory ID

When you add the Azure account to BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

Steps
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Microsoft Entra ID.

Create a client secret

You need to create a client secret and then provide BlueXP with the value of the secret so BlueXP can use it to authenticate with Microsoft Entra ID.

Steps
  1. Open the Microsoft Entra ID service.

  2. Select App registrations and select your application.

  3. Select Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Select Add.

  6. Copy the value of the client secret.

    A screenshot of the Azure portal that shows a client secret for the Microsoft Entra service principal.

    You now have a client secret that BlueXP can use to authenticate with Microsoft Entra ID.

Result

Your service principal is now set up and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in BlueXP when you add an Azure account.
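
Because the client secret is created with a duration, BlueXP stops authenticating once it lapses unless the stored secret is updated first. The following is an added example, not NetApp's code, that flags secrets close to expiry; it assumes the JSON comes from `az ad app credential list --id <application ID>` with `keyId`, `displayName` and `endDateTime` fields, and the sample data and function names are constructed.

```python
import json
from datetime import datetime, timezone


def parse_utc(stamp):
    """Parse a timestamp like 2025-02-01T08:30:00.1234567Z (assumed UTC)."""
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc)


def expiring_secrets(credentials, now, warn_days=30):
    """Return (keyId, displayName, days_left) for secrets that have expired
    or expire within warn_days, soonest first."""
    findings = []
    for cred in credentials:
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < warn_days:
            findings.append((cred["keyId"], cred.get("displayName"), days_left))
    return sorted(findings, key=lambda item: item[2])


# Constructed sample in the shape of `az ad app credential list` output.
SAMPLE_OUTPUT = """
[
  {"keyId": "00000000-0000-0000-0000-00000000000b",
   "displayName": "bluexp-current",
   "endDateTime": "2025-02-01T08:30:00.1234567Z"},
  {"keyId": "00000000-0000-0000-0000-00000000000a",
   "displayName": "bluexp-old",
   "endDateTime": "2025-01-10T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-00000000000c",
   "displayName": "bluexp-next",
   "endDateTime": "2026-01-15T00:00:00Z"}
]
"""

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed for a repeatable run
    for key_id, name, days in expiring_secrets(json.loads(SAMPLE_OUTPUT), now):
        state = "EXPIRED" if days < 0 else "expires in %d days" % days
        print(key_id, name, state)
```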

Add the credentials to BlueXP

After you provide an Azure account with the required permissions, you can add the credentials for that account to BlueXP. Completing this step enables you to launch Cloud Volumes ONTAP using different Azure credentials.

Before you begin

If you just created these credentials in your cloud provider, it might take a few minutes until they are available for use. Wait a few minutes before you add the credentials to BlueXP.

You need to create a Connector before you can change BlueXP settings. Learn how to create a Connector.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > Connector.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

You can now switch to a different set of credentials from the Details and Credentials page when creating a new working environment.

A screenshot that shows selecting between credentials after selecting Edit Credentials in the Details & Credentials page.

Manage existing credentials

Manage the Azure credentials that you've already added to BlueXP by associating a Marketplace subscription, editing credentials, and deleting them.

Associate an Azure Marketplace subscription to credentials

After you add your Azure credentials to BlueXP, you can associate an Azure Marketplace subscription to those credentials. The subscription enables you to create a pay-as-you-go Cloud Volumes ONTAP system, and to use other BlueXP services.

There are two scenarios in which you might associate an Azure Marketplace subscription after you've already added the credentials to BlueXP:

  • You didn't associate a subscription when you initially added the credentials to BlueXP.

  • You want to change the Azure Marketplace subscription that is associated with Azure credentials.

    Replacing the current marketplace subscription with a new subscription changes the marketplace subscription for any existing Cloud Volumes ONTAP working environments and all new working environments.

Before you begin

You need to create a Connector before you can change BlueXP settings. Learn how.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

  2. Select the action menu for a set of credentials and then select Associate Subscription.

    You must select credentials that are associated with a Connector. You can't associate a marketplace subscription with credentials that are associated with BlueXP.

    A screenshot of the action menu for a set of existing credentials.

  3. To associate the credentials with an existing subscription, select the subscription from the drop-down list and select Associate.

  4. To associate the credentials with a new subscription, select Add Subscription > Continue and follow the steps in the Azure Marketplace:

    1. If prompted, log in to your Azure account.

    2. Select Subscribe.

    3. Fill out the form and select Subscribe.

    4. After the subscription process is complete, select Configure account now.

      You'll be redirected to the BlueXP website.

    5. From the Subscription Assignment page:

      • Select the BlueXP accounts that you'd like to associate this subscription with.

      • In the Replace existing subscription field, choose whether you'd like to automatically replace the existing subscription for one account with this new subscription.

        BlueXP replaces the existing subscription for all credentials in the account with this new subscription. If a set of credentials wasn't ever associated with a subscription, then this new subscription won't be associated with those credentials.

        For all other accounts, you'll need to manually associate the subscription by repeating these steps.

      • Select Save.

        The following video shows the steps to subscribe from the Azure Marketplace:

        Subscribe to BlueXP from the Azure Marketplace

Edit credentials

Edit your Azure credentials in BlueXP by modifying the details about your Azure service credentials. For example, you might need to update the client secret if a new secret was created for the service principal application.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

  2. On the Account credentials page, select the action menu for a set of credentials and then select Edit Credentials.

  3. Make the required changes and then select Apply.

Delete credentials

If you no longer need a set of credentials, you can delete them from BlueXP. You can only delete credentials that aren't associated with a working environment.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

  2. On the Account credentials page, select the action menu for a set of credentials and then select Delete Credentials.

  3. Select Delete to confirm.