
How to Create the Azure AD App Registration (CSP Tenant Profile) for Codiac Relay

To use Codiac with Azure, you need to set up the app registration (CSP Tenant Profile) for Codiac Relay.


Step 1: Create App Registration

  1. Log into your Azure Portal.
  2. Open Azure AD.
  3. Click on App Registrations.
  4. Click Add new.
  5. Create an App Registration called Codiac Relay.
     • Choose the default (Single Tenant) for Supported Account Types.
  6. After it is created, drill down into its overview blade.
  7. Click Authentication in the left column.
     i. Click Platform Configurations > Add a platform.
        a. Choose Mobile and Desktop.
        b. Add the following Custom Redirect URL: http://localhost:5799/csp/azure/login/auth-code-catcher
        c. Click Configure.
     ii. Make sure the following redirect URL exists under Mobile and Desktop Applications: http://localhost:5799/csp/azure/login/auth-code-catcher
  8. Set Account Types to Single Tenant if it's not already the default.
  9. Enable Public Client Flows.
  10. Click Save.

Step 2: Add API Permissions

  1. Click "API Permissions" in the left column.
  2. Click Add a Permission.
  3. Click the APIs my organization uses tab.
  4. Search for "Azure Key Vault".
  5. Add permissions for:
    • Azure Key Vault: User_impersonation
    • Azure Service Management: User_impersonation
    • Microsoft Graph: Email, Openid, Profile, and User.Read
  6. IMPORTANT!! Click Grant Admin Consent for all these permissions.

Step 3: Add a Client Secret

  1. Click Certificates & Secrets in the left column.
  2. Click New client secret.
  3. Capture the secret and place it into a keyvault.
  Info: This is for future use in calling the Codiac CLI from pipelines using the ClientCredential auth flow.

Step 4: Update Subscriptions

For each subscription:

  1. Open the Access Control (IAM) blade.
  2. Add the Azure Kubernetes Service Cluster Admin role to the Codiac Relay principal.

Step 5: Update ACRs

For each ACR:

  1. Add these role assignments to the Codiac Relay principal:
     • Reader
     • AcrDelete
     • AcrPull
     • AcrPush

Step 6: Update KeyVaults

For each KeyVault:

  1. Add the Key Vault Contributor role assignments to the Codiac Relay principal.
  Tip: If you are not comfortable with this role assignment, you can currently just use Key Vault Reader. At this time, Codiac only reads from KeyVault. No write permissions are required.
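Steps 4 to 6 are one repetitive procedure that is easy to over-grant by hand. The script below is an added example, not Codiac's own tooling: it applies exactly the roles listed above with the Azure CLI and then lists what the principal holds so you can confirm nothing broader was granted. It assumes `az login` has been done, that the Codiac Relay service principal's object ID is known and passed as the first argument, and that setting DRY_RUN=1 should print the commands instead of running them.

```shell
# Added example (not part of the Codiac docs): Step 4-6 role assignments via az.
# Assumes `az login` is done and $1 is the Codiac Relay principal's object ID.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

# Role names exactly as given in Steps 4-6. KV_ROLE can be narrowed to
# "Key Vault Reader", since Codiac currently only reads from Key Vault (see Tip).
AKS_ROLE="Azure Kubernetes Service Cluster Admin Role"
ACR_ROLES="Reader AcrDelete AcrPull AcrPush"
KV_ROLE="${KV_ROLE:-Key Vault Contributor}"

# Execute an az command, or echo it (each argument single-quoted) when DRY_RUN=1.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az'
    for arg in "$@"; do printf " '%s'" "$arg"; done
    printf '\n'
  else
    az "$@"
  fi
}

# Grant one role to the principal at one scope. Pinning the principal type to
# ServicePrincipal avoids an ambiguous assignee lookup; re-running is safe
# because az returns an existing identical assignment rather than duplicating it.
assign_role() {
  run_az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3" --output none
}

# Step 4 per subscription, Step 5 per ACR, Step 6 per Key Vault.
assign_all() {
  principal="$1"
  for sub in $(az account list --query "[].id" -o tsv); do
    assign_role "$principal" "$AKS_ROLE" "/subscriptions/$sub"
    for acr in $(az acr list --subscription "$sub" --query "[].id" -o tsv); do
      for role in $ACR_ROLES; do assign_role "$principal" "$role" "$acr"; done
    done
    for kv in $(az keyvault list --subscription "$sub" --query "[].id" -o tsv); do
      assign_role "$principal" "$KV_ROLE" "$kv"
    done
  done
}

# Verification: list every assignment the principal holds across subscriptions.
show_assignments() {
  run_az role assignment list --all --assignee "$1" --output table
}
# Usage: assign_all <codiac-relay-object-id>; show_assignments <codiac-relay-object-id>
```

Run it once with DRY_RUN=1 first and review the printed commands; the review step matters most when KV_ROLE is left at Key Vault Contributor, which is wider than Codiac currently needs.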