Preview features of Azure Application Consistent Snapshot tool

Note

PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY ref: https://azure.microsoft.com/support/legal/preview-supplemental-terms/

This article provides a guide to setting up and using the new features in preview for AzAcSnap. Read this guide together with the main documentation for AzAcSnap at aka.ms/azacsnap.

The preview features provided with AzAcSnap 7 are:

  • Azure NetApp Files Backup.
  • IBM Db2 Database.
  • Azure Managed Disk.
  • Azure Key Vault support for storing Service Principal.

Providing feedback

Feedback on AzAcSnap, including this preview, can be provided online.

Using AzAcSnap Preview features

AzAcSnap preview features are offered together with generally available features. Using the preview features requires the --preview command line option to enable them. To set up and install AzAcSnap, refer to Get started with Azure Application Consistent Snapshot tool.

Return to this document for details on using the specific preview features.

Azure NetApp Files Backup

Note

Support for Azure NetApp Files Backup is a Preview feature.
This section's content supplements Configure Azure Application Consistent Snapshot tool website page.

When taking snapshots with AzAcSnap on multiple volumes, all the snapshots have the same name by default. Because the Volume name is removed from the resource ID hierarchy when the snapshot is archived into Azure NetApp Files Backup, it's necessary to ensure the Snapshot name is unique. AzAcSnap can do this automatically when it creates the Snapshot by appending the Volume name to the normal snapshot name. For example, for a system with two data volumes (hanadata01, hanadata02), a -c backup with --prefix daily produces the complete snapshot names daily__F2AFDF98703__hanadata01 and daily__F2AFDF98703__hanadata02.

This can be enabled in AzAcSnap by setting "anfBackup": "renameOnly" in the configuration file, see the following snippet:

"anfStorage": [
  {
    "anfBackup" : "renameOnly",
    "dataVolume": [

This can also be done with azacsnap -c configure --configuration edit --configfile <configfilename>: when asked to Enter new value for 'ANF Backup (none, renameOnly)' (current = 'none'):, enter renameOnly.

IBM Db2 Database

Supported platforms and operating systems

Note

Support for IBM Db2 is a Preview feature.
This section's content supplements What is Azure Application Consistent Snapshot tool page.

New database platforms and operating systems are supported with this preview release.

Enable communication with database

Note

Support for IBM Db2 is a Preview feature.
This section's content supplements Install Azure Application Consistent Snapshot tool page.

This section explains how to enable communication with the database. Ensure the database you're using is correctly selected from the tabs.

The snapshot tools issue commands to the IBM Db2 database using the command line processor db2 to enable and disable backup mode.

After putting the database in backup mode, azacsnap queries the IBM Db2 database for a list of "protected paths", which are the parts of the database where backup mode is active. This list is written to an external file in the same location and with the same basename as the log file, but with a ".<DBName>-protected-paths" extension (the output filename is detailed in the AzAcSnap log file).

AzAcSnap uses the IBM Db2 command line processor db2 to issue SQL commands, such as SET WRITE SUSPEND or SET WRITE RESUME. Therefore, AzAcSnap should be installed in one of the following two ways:

  1. Installed onto the database server, then complete the setup with "Local connectivity".
  2. Installed onto a centralized backup system, then complete the setup with "Remote connectivity".

Local connectivity

If AzAcSnap has been installed onto the database server, then be sure to add the azacsnap user to the correct Linux group and import the Db2 instance user's profile per the following example setup.

azacsnap user permissions

The azacsnap user should belong to the same Db2 group as the database instance user. Here we get the group membership of the IBM Db2 installation's database instance user, db2tst.

id db2tst
uid=1101(db2tst) gid=1001(db2iadm1) groups=1001(db2iadm1)

The output confirms the db2tst user is a member of the db2iadm1 group, so add the azacsnap user to that group.

usermod -a -G db2iadm1 azacsnap

azacsnap user profile

The azacsnap user needs to be able to execute the db2 command. By default the db2 command isn't in the azacsnap user's $PATH, so add the following to the user's .bashrc file, using your own IBM Db2 installation value for INSTHOME.

# The following four lines have been added to allow this user to run the DB2 command line processor.
INSTHOME="/db2inst/db2tst"
if [ -f ${INSTHOME}/sqllib/db2profile ]; then
    . ${INSTHOME}/sqllib/db2profile
fi

Test the user can run the db2 command line processor.

su - azacsnap
db2
(c) Copyright IBM Corporation 1993,2007
Command Line Processor for DB2 Client 11.5.7.0

You can issue database manager commands and SQL statements from the command
prompt. For example:
    db2 => connect to sample
    db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
 ? CATALOG DATABASE for help on the CATALOG DATABASE command
 ? CATALOG          for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND OPTIONS.

For more detailed help, refer to the Online Reference Manual.
db2 => quit
DB20000I  The QUIT command completed successfully.

Now configure azacsnap to use localhost. Once this is working correctly, go on to configure (azacsnap -c configure) with serverAddress=localhost and test (azacsnap -c test --test db2) azacsnap database connectivity.

Remote connectivity

If AzAcSnap has been installed following option 2, then be sure to allow SSH access to the Db2 database instance per the following example setup.

Log in to the AzAcSnap system as the azacsnap user and generate a public/private SSH key pair.

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/azacsnap/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/azacsnap/.ssh/id_rsa.
Your public key has been saved in /home/azacsnap/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4cr+0yN8/dawBeHtdmlfPnlm1wRMTO/mNYxarwyEFLU azacsnap@db2-02
The key's randomart image is:
+---[RSA 2048]----+
|         ... o.  |
|          . . +. |
|        .. E + o.|
|       ....   B..|
|        S. . o *=|
|     . .  . o o=X|
|      o. . +  .XB|
|     .  + + + +oX|
|      ...+ . =.o+|
+----[SHA256]-----+

Get the contents of the public key.

cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02

Log in to the IBM Db2 system as the Db2 Instance User.

Add the contents of the AzAcSnap user's public key to the Db2 Instance User's authorized_keys file.

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02" >> ~/.ssh/authorized_keys

Log in to the AzAcSnap system as the azacsnap user and test SSH access.

ssh <InstanceUser>@<ServerAddress>
[InstanceUser@ServerName ~]$

Test the user can run the db2 command line processor.

db2
(c) Copyright IBM Corporation 1993,2007
Command Line Processor for DB2 Client 11.5.7.0

You can issue database manager commands and SQL statements from the command
prompt. For example:
    db2 => connect to sample
    db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
 ? CATALOG DATABASE for help on the CATALOG DATABASE command
 ? CATALOG          for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND OPTIONS.

For more detailed help, refer to the Online Reference Manual.
db2 => quit
DB20000I  The QUIT command completed successfully.
[prj@db2-02 ~]$ exit
logout
Connection to <serverAddress> closed.

Once this is working correctly, go on to configure (azacsnap -c configure) with the Db2 server's external IP address and test (azacsnap -c test --test db2) azacsnap database connectivity.

Run the azacsnap test command

cd ~/bin
azacsnap -c test --test db2 --configfile Db2.json
BEGIN : Test process started for 'db2'
BEGIN : Db2 DB tests
PASSED: Successful connectivity to Db2 DB version v11.5.7.0
END   : Test process complete for 'db2'

Configuring the database

This section explains how to configure the database.

No special database configuration is required for Db2 as we are using the Instance User's local operating system environment.

Configuring AzAcSnap

This section explains how to configure AzAcSnap for the specified database.

Note

Support for Db2 is a Preview feature.
This section's content supplements Configure Azure Application Consistent Snapshot tool website page.

Details of required values

The following sections provide detailed guidance on the various values required for the configuration file.

Db2 Database values for configuration

When adding a Db2 database to the configuration, the following values are required:

  • Db2 Server's Address = The database server hostname or IP address.
    • If the Db2 Server Address (serverAddress) matches '127.0.0.1' or 'localhost', azacsnap executes all db2 commands locally (refer to "Local connectivity"). Otherwise, AzAcSnap uses the serverAddress as the host to connect to via SSH, using the "Instance User" as the SSH login name. This can be validated with ssh <instanceUser>@<serverAddress>, replacing instanceUser and serverAddress with the respective values (refer to "Remote connectivity").
  • Instance User = The database System Instance User.
  • SID = The database System ID.

Azure Managed Disk

Note

Support for Azure Managed Disk as a storage back-end is a Preview feature.
This section's content supplements Configure Azure Application Consistent Snapshot tool website page.

Microsoft provides many storage options for deploying databases such as SAP HANA. Many of these options are detailed on the Azure Storage types for SAP workload web page. Additionally, there's a Cost conscious solution with Azure premium storage.

AzAcSnap can take application-consistent database snapshots when deployed on this type of architecture (that is, a VM with Managed Disks). However, the setup for this platform is slightly more complicated, because in this scenario we need to block I/O to the mountpoint (using xfs_freeze) before taking a snapshot of the Managed Disks in the mounted Logical Volume(s).

Important

The Linux system must have xfs_freeze available to block disk I/O.

Caution

Take extra care to configure AzAcSnap with the correct mountpoints (filesystems), because xfs_freeze blocks I/O to the device mounted at the configured Azure Managed Disk mount-point. A wrong mountpoint could inadvertently block a running application until azacsnap finishes running.

Architecture at a high level:

  1. Azure Managed Disks attached to the VM using the Azure portal.
  2. Logical Volume is created from these Managed Disks.
  3. Logical Volume mounted to a Linux directory.
  4. Service Principal should be created in the same way as for Azure NetApp Files in AzAcSnap installation.
  5. Install and Configure AzAcSnap.

    Note

    The configurator has a new option to define the mountpoint for the Logical Volume. This parameter gets passed to xfs_freeze to block I/O; this happens after the database is put into backup mode and after the I/O cache has been flushed (dependent on the Linux kernel parameter fs.xfs.xfssyncd_centisecs).

  6. Install and Configure xfs_freeze to be run as a non-privileged user:
    1. Create an executable file called $HOME/bin/xfs_freeze with the following content.

      #!/bin/sh
      # Wrapper so the azacsnap user can run xfs_freeze via sudo (see the sudoers rule in the next step).
      # Arguments are passed through quoted: $1 is -f (freeze) or -u (unfreeze), $2 is the mountpoint.
      exec /usr/bin/sudo /usr/sbin/xfs_freeze "$1" "$2"
      
    2. Create a sudoers file called /etc/sudoers.d/azacsnap to allow the azacsnap user to run xfs_freeze with the following content:

      #
      # What: azacsnap
      # Why: Allow the azacsnap user to run "specific" commands with elevated privileges.
      #
      # User_Alias = SAP HANA Backup administrator user.
      User_Alias      AZACSNAP = azacsnap
      #
      AZACSNAP ALL=(ALL) NOPASSWD: /usr/sbin/xfs_freeze
      
    3. Test the azacsnap user can freeze and unfreeze I/O to the target mountpoint by running the following as the azacsnap user.

      Note

      In this example we run each command twice to show it worked the first time, as there's no command to confirm whether xfs_freeze has frozen I/O.

      Freeze I/O.

      su - azacsnap
      xfs_freeze -f /hana/data
      xfs_freeze -f /hana/data
      
      xfs_freeze: cannot freeze filesystem at /hana/data: Device or resource busy
      

      Unfreeze I/O.

      su - azacsnap
      xfs_freeze -u /hana/data
      xfs_freeze -u /hana/data
      
      xfs_freeze: cannot unfreeze filesystem mounted at /hana/data: Invalid argument
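The two-command test above also shows the risk the Caution describes: anything that fails or is interrupted between a -f and its matching -u leaves the mountpoint frozen and the application blocked. The following POSIX shell function, an added example that is not part of AzAcSnap, runs an arbitrary command with the mountpoint frozen and always unfreezes afterwards; it assumes the $HOME/bin/xfs_freeze sudo wrapper from step 6 (overridable with XFS_FREEZE) and an XFS mountpoint.

```shell
#!/bin/sh
# Added example, not part of AzAcSnap: run a command while an XFS mountpoint is
# frozen and guarantee the unfreeze, even if the command fails or the shell is
# interrupted. Assumes the $HOME/bin/xfs_freeze sudo wrapper from step 6;
# override with XFS_FREEZE=/path/to/xfs_freeze if it lives elsewhere.
XFS_FREEZE="${XFS_FREEZE:-$HOME/bin/xfs_freeze}"

# freeze_run_unfreeze MOUNTPOINT COMMAND [ARGS...]
# Returns COMMAND's exit status, or 1 if the freeze itself failed.
freeze_run_unfreeze() {
    frz_mp="$1"
    shift
    if ! "$XFS_FREEZE" -f "$frz_mp"; then
        # "Device or resource busy" here means the filesystem is already frozen:
        # refuse to proceed rather than thaw someone else's freeze (for example a running azacsnap).
        echo "freeze_run_unfreeze: could not freeze $frz_mp; not running: $*" >&2
        return 1
    fi
    # From this point on every exit path (normal, error, SIGINT, SIGTERM) must thaw the filesystem.
    trap '"$XFS_FREEZE" -u "$frz_mp"' EXIT INT TERM
    "$@"
    frz_rc=$?
    "$XFS_FREEZE" -u "$frz_mp"
    trap - EXIT INT TERM
    return "$frz_rc"
}

# Example use (placeholder names): take a manual disk snapshot while /hana/data is quiesced.
# Do not wrap azacsnap itself this way; it performs its own freeze and would see "busy".
#   freeze_run_unfreeze /hana/data az snapshot create -g <rg-name> -n <snap-name> --source <disk01>
```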
      

Example configuration file

Here's an example config file; note the hierarchy for dataVolume, mountPoint, and azureManagedDisks:

{
  "version": "5.1 Preview",
  "logPath": "./logs",
  "securityPath": "./security",
  "comments": [],
  "database": [
    {
      "hana": {
        "serverAddress": "127.0.0.1",
        "sid": "P40",
        "instanceNumber": "00",
        "hdbUserStoreName": "AZACSNAP",
        "savePointAbortWaitSeconds": 600,
        "autoDisableEnableBackint": false,
        "hliStorage": [],
        "anfStorage": [],
        "amdStorage": [
          {
            "dataVolume": [
              {
                "mountPoint": "/hana/data",
                "azureManagedDisks": [
                  {
                    "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Compute/disks/<disk01>",
                    "authFile": "azureauth.json"
                  },
                  {
                    "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Compute/disks/<disk02>",
                    "authFile": "azureauth.json"
                  }
                ]
              }
            ],
            "otherVolume": []
          }
        ]
      },
      "oracle": null
    }
  ]
}

Virtual machine storage layout

The storage hierarchy looks like the following example for SAP HANA:

  • SAP HANA Database data files:

    /hana/data/mnt00001
    
  • Mountpoint:

    /dev/mapper/hanadata-hanadata on /hana/data type xfs 
    
  • Logical Volume

    lvdisplay
    
    --- Logical volume ---
    LV Path                /dev/hanadata/hanadata
    LV Name                hanadata
    VG Name                hanadata
    
  • Volume Group

    vgdisplay
    
    --- Volume group ---
    VG Name               hanadata
    System ID
    Format                lvm2
    Metadata Areas        2
    Metadata Sequence No  2
    VG Access             read/write
    VG Status             resizable
    MAX LV                0
    Cur LV                1
    Open LV               1
    Max PV                0
    Cur PV                2
    Act PV                2
    VG Size               1023.99 GiB
    
  • Physical Volume(s) (attached Azure Managed Disks)

    pvdisplay
    
    --- Physical volume ---
    PV Name               /dev/sdd
    VG Name               hanadata
    PV Size               512.00 GiB / not usable 4.00 MiB
    Allocatable           yes (but full)
    PE Size               4.00 MiB
    Total PE              131071
    Free PE               0
    Allocated PE          131071
    PV UUID               K3yhxN-2713-lk4k-c3Pc-xOJQ-sCkD-8ZE6YX
    --- Physical volume ---
    PV Name               /dev/sdc
    VG Name               hanadata
    PV Size               512.00 GiB / not usable 4.00 MiB
    Allocatable           yes (but full)
    PE Size               4.00 MiB
    Total PE              131071
    Free PE               0
    Allocated PE          131071
    PV UUID               RNCylW-F3OG-G93c-1XL3-W6pw-M0XB-2mYFGV
    

Installing and setting up the Azure VM and Azure Managed Disks in this way follows Microsoft guidance to create LVM stripes of the Managed Disks on the VM.

With the Azure VM set up as prescribed, AzAcSnap can take snapshots of Azure Managed Disks. The snapshot operations are similar to those for other storage back-ends supported by AzAcSnap (for example, Azure NetApp Files, Azure Large Instance (Bare Metal)). Because AzAcSnap communicates with the Azure Resource Manager to take snapshots, it also needs a Service Principal with the correct permissions to take managed disk snapshots.

This capability allows customers to test/trial AzAcSnap on a smaller system and scale-up to Azure NetApp Files and/or Azure Large Instance (Bare Metal).

Supported azacsnap command functionality with Azure Managed Disks is 'configure', 'test', 'backup', 'delete', 'details', but not yet 'restore'.

Restore from an Azure Managed Disk snapshot

Although azacsnap currently lacks the -c restore option for Azure Managed Disks, it's possible to restore manually as follows:

  1. Create disks from the snapshots via the Azure portal.

    Note

    Be sure to create the disks in the same Availability Zone as the target VM.

  2. Connect the disks to the VM via the Azure portal.

  3. Log in to the VM as the root user and scan for the newly attached disks using dmesg or pvscan:

    1. Using dmesg:

      dmesg | tail -n30
      
      [2510054.252801] scsi 5:0:0:2: Direct-Access     Msft     Virtual Disk     1.0  PQ:0 ANSI: 5
      [2510054.262358] scsi 5:0:0:2: Attached scsi generic sg4 type 0
      [2510054.268514] sd 5:0:0:2: [sde] 1073741824 512-byte logical blocks: (550 GB/512 GiB)
      [2510054.272583] sd 5:0:0:2: [sde] 4096-byte physical blocks
      [2510054.275465] sd 5:0:0:2: [sde] Write Protect is off
      [2510054.277915] sd 5:0:0:2: [sde] Mode Sense: 0f 00 10 00
      [2510054.278566] sd 5:0:0:2: [sde] Write cache: disabled, read cache: enabled, supports DPO and FUA
      [2510054.314269] sd 5:0:0:2: [sde] Attached SCSI disk
      [2510054.573135] scsi 5:0:0:3: Direct-Access     Msft     Virtual Disk     1.0  PQ: 0 ANSI: 5
      [2510054.579931] scsi 5:0:0:3: Attached scsi generic sg5 type 0
      [2510054.584505] sd 5:0:0:3: [sdf] 1073741824 512-byte logical blocks: (550 GB/512 GiB)
      [2510054.589293] sd 5:0:0:3: [sdf] 4096-byte physical blocks
      [2510054.592237] sd 5:0:0:3: [sdf] Write Protect is off
      [2510054.594735] sd 5:0:0:3: [sdf] Mode Sense: 0f 00 10 00
      [2510054.594839] sd 5:0:0:3: [sdf] Write cache: disabled, read cache: enabled, supports DPO and FUA
      [2510054.627310] sd 5:0:0:3: [sdf] Attached SCSI disk
      
    2. Using pvscan:

      saphana:~ # pvscan
      
      WARNING: scan found duplicate PVID RNCylWF3OGG93c1XL3W6pwM0XB2mYFGV on /dev/sde
      WARNING: scan found duplicate PVID K3yhxN2713lk4kc3PcxOJQsCkD8ZE6YX on /dev/sdf
      WARNING: Not using device /dev/sde for PV RNCylW-F3OG-G93c-1XL3-W6pw-M0XB-2mYFGV.
      WARNING: Not using device /dev/sdf for PV K3yhxN-2713-lk4k-c3Pc-xOJQ-sCkD-8ZE6YX.
      WARNING: PV RNCylW-F3OG-G93c-1XL3-W6pw-M0XB-2mYFGV prefers device /dev/sdc because device is used by LV.
      WARNING: PV K3yhxN-2713-lk4k-c3Pc-xOJQ-sCkD-8ZE6YX prefers device /dev/sdd because device is used by LV.
      PV /dev/sdd   VG hanadata        lvm2 [512.00 GiB / 0    free]
      PV /dev/sdc   VG hanadata        lvm2 [512.00 GiB / 0    free]
      Total: 2 [1023.99 GiB] / in use: 2 [1023.99 GiB] / in no VG: 0 [0   ]
      
  4. Import a Volume Group Clone from the disks using vgimportclone as the root user:

    vgimportclone --basevgname hanadata_adhoc /dev/sde /dev/sdf
    
    WARNING: scan found duplicate PVID RNCylWF3OGG93c1XL3W6pwM0XB2mYFGV on /dev/sde
    WARNING: scan found duplicate PVID K3yhxN2713lk4kc3PcxOJQsCkD8ZE6YX on /dev/sdf
    WARNING: Not using device /dev/sde for PV RNCylW-F3OG-G93c-1XL3-W6pw-M0XB-2mYFGV.
    WARNING: Not using device /dev/sdf for PV K3yhxN-2713-lk4k-c3Pc-xOJQ-sCkD-8ZE6YX.
    WARNING: PV RNCylW-F3OG-G93c-1XL3-W6pw-M0XB-2mYFGV prefers device /dev/sdc because device is used by LV.
    WARNING: PV K3yhxN-2713-lk4k-c3Pc-xOJQ-sCkD-8ZE6YX prefers device /dev/sdd because device is used by LV.
    
  5. Activate the Logical Volume using pvscan and vgchange as root user:

    pvscan --cache
    
    pvscan[23761] PV /dev/sdc online.
    pvscan[23761] PV /dev/sdd online.
    pvscan[23761] PV /dev/sde online.
    pvscan[23761] PV /dev/sdf online.
    
    vgchange -ay hanadata_adhoc
    
    1 logical volume(s) in volume group "hanadata_adhoc" now active
    
  6. Mount the logical volume as the root user:

    Important

    Use the mount -o rw,nouuid options; otherwise, mounting will fail due to duplicate filesystem UUIDs on the VM.

    mount -o rw,nouuid /dev/hanadata_adhoc/hanadata /mnt/hanadata_adhoc
    
  7. Then access the data:

    ls /mnt/hanadata_adhoc/
    
    software  write-test.txt
    

Azure Key Vault

From AzAcSnap v5.1, it's possible to store the Service Principal securely as a Secret in Azure Key Vault. Using this feature allows for centralization of Service Principal credentials where an alternate administrator can set up the Secret for AzAcSnap to use.

The steps to set up Azure Key Vault and store the Service Principal in a Secret are as follows:

  1. Within an Azure Cloud Shell session, make sure you're logged on at the subscription where you want to create the Azure Key Vault:

    az account show
    
  2. If the subscription isn't correct, use the following command to set the Cloud Shell to the correct subscription:

    az account set -s <subscription name or id>
    
  3. Create Azure Key Vault

    az keyvault create --name "<AzureKeyVaultName>" -g <ResourceGroupName>
    
  4. Create the trust relationship and assign the policy for the virtual machine to get the Secret

    1. Show AzAcSnap virtual machine Identity

      If the virtual machine already has an identity created, retrieve it as follows:

      az vm identity show --name "<VMName>" --resource-group "<ResourceGroup>"
      

      The "principalId" in the output is used as the --object-id value when setting the Policy with az keyvault set-policy.

      {
        "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
        "tenantId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
        "type": "SystemAssigned, UserAssigned",
        "userAssignedIdentities": { 
          "/subscriptions/99z999zz-99z9-99zz-99zz-9z9zz999zz99/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2": {
            "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
            "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99"
          }
        }
      }
      
    2. Set AzAcSnap virtual machine Identity (if necessary)

      If the VM doesn't have an identity, create it as follows:

      az vm identity assign --name "<VMName>" --resource-group "<ResourceGroup>"
      

      The "systemAssignedIdentity" in the output is used as the --object-id value when setting the Policy with az keyvault set-policy.

      {
        "systemAssignedIdentity": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
        "userAssignedIdentities": {
          "/subscriptions/99z999zz-99z9-99zz-99zz-9z9zz999zz99/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2": {
            "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
            "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99"
          }
        }
      }
      
    3. Assign a suitable policy for the virtual machine to be able to retrieve the Secret from the Key Vault.

      az keyvault set-policy --name "<AzureKeyVaultName>" --object-id "<VMIdentity>" --secret-permissions get
      
  5. Create Azure Key Vault Secret

    Create the secret, which will store the Service Principal credential information.

    It's possible to paste the contents of the Service Principal. In the Bash Cloud Shell example below, a single apostrophe character is placed after --value, then press the [Enter] key, paste the contents of the Service Principal, close the content with another single apostrophe, and press the [Enter] key.
    This command creates the Secret and stores it in Azure Key Vault.

    Tip

    If you have a separate Service Principal per installation the "<NameOfSecret>" could be the SID, or some other suitable unique identifier.

    The following example is for the Bash Cloud Shell:

    az keyvault secret set --name "<NameOfSecret>" --vault-name "<AzureKeyVaultName>" --value '
    {
      "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
      "clientSecret": "<ClientSecret>",
      "subscriptionId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
      "tenantId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }'
    

    The following example is for the PowerShell Cloud Shell:

    Warning

    In PowerShell the double quotes have to be escaped with an additional double quote, so one double quote (") becomes two double quotes ("").

    az keyvault secret set --name "<NameOfSecret>" --vault-name "<AzureKeyVaultName>" --value '
    {
      ""clientId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",
      ""clientSecret"": ""<ClientSecret>"",
      ""subscriptionId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",
      ""tenantId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",
      ""activeDirectoryEndpointUrl"": ""https://login.microsoftonline.com"",
      ""resourceManagerEndpointUrl"": ""https://management.azure.com/"",
      ""activeDirectoryGraphResourceId"": ""https://graph.windows.net/"",
      ""sqlManagementEndpointUrl"": ""https://management.core.windows.net:8443/"",
      ""galleryEndpointUrl"": ""https://gallery.azure.com/"",
      ""managementEndpointUrl"": ""https://management.core.windows.net/""
    }'
    

    The output of the az keyvault secret set command includes the URI value to use as the "authFile" entry in the AzAcSnap JSON configuration file. The URI is the value of "id" in the output below (for example, "https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999").

    {
      "attributes": {
        "created": "2022-02-23T20:21:01+00:00",
        "enabled": true,
        "expires": null,
        "notBefore": null,
        "recoveryLevel": "Recoverable+Purgeable",
        "updated": "2022-02-23T20:21:01+00:00"
      },
      "contentType": null,
      "id": "https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999",
      "kid": null,
      "managed": null,
      "name": "AzureAuth",
      "tags": {
        "file-encoding": "utf-8"
      },
      "value": "\n{\n  \"clientId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n  \"clientSecret\": \"<ClientSecret>\",\n  \"subscriptionId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n  \"tenantId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n  \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com\",\n  \"resourceManagerEndpointUrl\": \"https://management.azure.com/\",\n  \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\",\n  \"sqlManagementEndpointUrl\": \"https://management.core.windows.net:8443/\",\n  \"galleryEndpointUrl\": \"https://gallery.azure.com/\",\n  \"managementEndpointUrl\": \"https://management.core.windows.net/\"\n}"
    }
    
  6. Update AzAcSnap JSON configuration file

    Replace the value of the authFile entry with the Secret's ID value. This change can be made by editing the file with a tool like vi, or by using the azacsnap -c configure --configuration edit option.

    1. Old value
    "authFile": "azureauth.json"
    
    2. New value
    "authFile": "https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999"
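After step 6, an authFile entry may be either a local Service Principal file or a Key Vault Secret URI, and the amdStorage hierarchy from the example configuration file above has several places where a typo silently points AzAcSnap at the wrong disk or credential. The following Python script is an added example, not AzAcSnap code: it lints that section of a configuration and validates a Secret value in the shape az keyvault secret set echoes back. The embedded configuration and Secret value are constructed for the example; the vault name contoso-kv and the disk resource IDs are placeholders.

```python
"""Added example, not AzAcSnap code: lint the Azure Managed Disk storage section
of an AzAcSnap JSON configuration and classify each authFile entry, which may be
a local Service Principal file or an Azure Key Vault Secret URI."""
import json
import re

# Key Vault Secret URI shape from the page:
# https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/<version>
KV_SECRET_RE = re.compile(
    r"^https://[a-z0-9-]+\.vault\.azure\.net/secrets/[a-z0-9-]+(?:/[a-z0-9]+)?$",
    re.IGNORECASE,
)
DISK_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Compute/disks/[^/]+$",
    re.IGNORECASE,
)
# Fields the page's Service Principal JSON carries that ARM authentication needs.
SP_REQUIRED = ("clientId", "clientSecret", "subscriptionId", "tenantId")


def classify_auth_file(value: str) -> str:
    """'keyvault' for a Key Vault Secret URI, 'file' for a relative or absolute path,
    'invalid' for anything else (empty, or a URL that is not a Key Vault secret)."""
    if not value:
        return "invalid"
    if KV_SECRET_RE.match(value):
        return "keyvault"
    if "://" in value:
        return "invalid"
    return "file"


def missing_sp_fields(secret_value: str) -> list:
    """Parse the Secret's value as 'az keyvault secret set' echoes it back (it may
    start with a newline, as in the page's output) and report missing or empty fields."""
    try:
        sp = json.loads(secret_value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    return [k for k in SP_REQUIRED if not sp.get(k)]


def lint_amd_storage(cfg: dict) -> list:
    """Walk database[].hana.amdStorage[].dataVolume/otherVolume[].azureManagedDisks[]
    and return a list of findings (an empty list means the section looks sane)."""
    findings = []
    for db in cfg.get("database", []):
        hana = db.get("hana") or {}
        seen_disks = set()
        for store in hana.get("amdStorage", []):
            volumes = store.get("dataVolume", []) + store.get("otherVolume", [])
            for vol in volumes:
                mp = vol.get("mountPoint", "")
                if not mp.startswith("/"):
                    findings.append(f"mountPoint {mp!r} must be an absolute path")
                for disk in vol.get("azureManagedDisks", []):
                    rid = disk.get("resourceId", "")
                    if not DISK_ID_RE.match(rid):
                        findings.append(f"{mp}: malformed disk resourceId {rid!r}")
                    if rid.lower() in seen_disks:  # resource IDs are case-insensitive
                        findings.append(f"{mp}: disk {rid!r} listed more than once")
                    seen_disks.add(rid.lower())
                    if classify_auth_file(disk.get("authFile", "")) == "invalid":
                        findings.append(f"{mp}: authFile {disk.get('authFile')!r} is "
                                        "neither a file nor a Key Vault Secret URI")
    return findings


# Constructed configuration modelled on the page's example; the second disk's
# authFile has already been switched to a placeholder Key Vault Secret URI.
EXAMPLE_CONFIG = json.loads("""
{"database": [{"hana": {"serverAddress": "127.0.0.1", "sid": "P40",
  "amdStorage": [{"dataVolume": [{"mountPoint": "/hana/data",
    "azureManagedDisks": [
      {"resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Compute/disks/<disk01>",
       "authFile": "azureauth.json"},
      {"resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Compute/disks/<disk02>",
       "authFile": "https://contoso-kv.vault.azure.net/secrets/AzureAuth/z9999999z9999999z9999999"}
    ]}], "otherVolume": []}]}, "oracle": null}]}
""")

# Constructed Secret value in the shape 'az keyvault secret set' echoes back (leading newline).
EXAMPLE_SECRET_VALUE = ('\n{\n  "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",\n'
                        '  "clientSecret": "<ClientSecret>",\n'
                        '  "subscriptionId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",\n'
                        '  "tenantId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99"\n}')

if __name__ == "__main__":
    for finding in lint_amd_storage(EXAMPLE_CONFIG) or ["amdStorage: no findings"]:
        print(finding)
    print("missing Service Principal fields:", missing_sp_fields(EXAMPLE_SECRET_VALUE))
```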
    

Next steps