AuditingPDF version

Creating a Cloudera credential for audit archiving on Azure using the CLI

After you create (or designate) a storage account and container in Azure, you need to create a Cloudera credential for audit archiving on Azure.

Before proceeding with this task, open the Azure shell in the Azure Portal.

Required Role: PowerUser

  1. Use the provided command in an Azure shell to identify your subscription ID and tenant ID:
    az account list|jq '.[]|{"name": .name, "subscriptionId": .id, "tenantId": .tenantId, "state": .state}'

    Take note of the subscription ID (the subscription used to create the storage account that you designated for auditing) and the tenant ID for later use.

  2. Use the provided command in an Azure shell to create a new service principal in Azure. Substitute your service principal name (whatever you chose to give it, for example the container name), subscription ID, resource group name, storage account name, and container name where indicated:
    az ad sp create-for-rbac \    --name http://{app-name} \    --role "Storage Blob Data Contributor" \    --scopes /subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}/blobServices/default/containers/{container-name}

    Save the App ID and password from the command output to use in the credential creation command.

  3. In the CDP CLI, use the following command to create the Cloudera credential: 
    cdp environments set-azure-audit-credential --profile <profile-name> --subscription-id <subscription-id> --tenant-id <tenant-id> --app-based applicationId=<application-id>,secretKey=<password>

    The value of the secretKey parameter is the password returned in the output of the previous command that you ran to create the Azure service principal.

    Running this command creates the Cloudera credential for audit archiving on Azure. Take note of the crn returned in the command output, as you will need it to configure archiving in the next task.
After you create the credential for auditing, proceed to the next task: Configuring audit archiving for Azure using the CLI.