After you create (or designate) a storage account and container in Azure, you need to
create a Cloudera credential for audit archiving on Azure.
Before proceeding with this task, open the Azure shell in the
Azure Portal.Required Role:
PowerUser
-
Use the provided command in an Azure shell to identify your subscription ID and tenant
ID:
az account list|jq '.[]|{"name": .name, "subscriptionId": .id, "tenantId": .tenantId, "state": .state}'
Take note of the subscription ID (the subscription used to create the storage account
that you designated for auditing) and the tenant ID for later use.
- Use the provided command in an Azure shell to create a new service principal in
Azure. Substitute your service principal name (whatever you chose to give it, for example
the container name), subscription ID, resource group name, storage account name, and
container name where indicated:
az ad sp create-for-rbac \ --name http://{app-name} \ --role "Storage Blob Data Contributor" \ --scopes /subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}/blobServices/default/containers/{container-name}
Save the App ID and password from the command output to use in the credential creation
command.
-
In the CDP CLI, use the following command to create the Cloudera credential:
cdp environments set-azure-audit-credential --profile <profile-name> --subscription-id <subscription-id> --tenant-id <tenant-id> --app-based applicationId=<application-id>,secretKey=<password>
The value of the secretKey parameter is the password returned in
the output of the previous command that you ran to create the Azure service
principal.
Running this command creates the Cloudera
credential for audit archiving on Azure. Take note of the crn
returned in the command output, as you will need it to configure archiving in the next
task.
After you create the credential for auditing, proceed to the
next task: Configuring audit archiving for Azure using the CLI.
