Pivotal Cloud Foundry v1.10

Preparing to Deploy PCF on Azure

Page last updated:

This topic describes how to prepare to deploy Pivotal Cloud Foundry (PCF) on Azure by creating a service principal to access resources in your Azure subscription.

After you complete this procedure, follow the instructions in either the Launching an Ops Manager Director Instance with an ARM Template topic or the Launching an Ops Manager Director Instance on Azure without an ARM Template topic.

Step 1: Install and Configure the Azure CLI

  1. Use the azure --version command to verify you have installed Azure CLI v0.10.5 or higher.

    $ azure --version
    If you have the correct version of the Azure CLI installed, skip the next step.

  2. To install a new or updated Azure CLI, follow the instructions for your operating system:

    • Mac OS X: Download and run the Mac OS X Azure CLI installer.
    • Windows: Download and run the Windows Azure CLI installer. Use the command line, not PowerShell, to run the Azure CLI.
    • Linux:
      1. If not already installed, install Node.js and npm.
      2. Download the Linux Azure CLI tar file.
      3. Run sudo npm install -g PATH-TO-TAR-FILE.
      4. If you encounter the error /usr/bin/env: node: No such file or directory when running azure commands, run sudo ln -s /usr/bin/nodejs /usr/bin/node.
  3. Set the mode of the Azure CLI to Azure Resource Management:

    $ azure config mode arm
  4. Log in to your Azure account:

    $ azure login --environment AzureCloud

    Note: To target the Azure China environment, replace AzureCloud with AzureChinaCloud. If logging in to AzureChinaCloud fails with a CERT_UNTRUSTED error, use the latest version of node, 4.x or later.

Step 2: Set Your Default Subscription

  1. Run azure account list --json to list your Azure subscriptions:

    $ azure account list --json
      "id": "12345678-1234-5678-1234-567891234567",
      "name": "Sample Subscription",
      "user": {
        "name": "Sample Account",
        "type": "user"
      "tenantId": "11111111-1234-5678-1234-678912345678",
      "state": "Enabled",
      "isDefault": true,
      "registeredProviders": [],
      "environmentName": "AzureCloud"
      "id": "87654321-1234-5678-1234-678912345678",
      "name": "Sample Subscription1",
      "user": {
        "name": "Sample Account1",
        "type": "user"
      "tenantId": "22222222-1234-5678-1234-678912345678",
      "state": "Enabled",
      "isDefault": false,
      "registeredProviders": [],
      "environmentName": "AzureCloud"
  2. Locate your default subscription by finding the subscription with isDefault set to true. If your default subscription is not where you want to deploy PCF, run azure account set SUBSCRIPTION_ID to set a new default, where SUBSCRIPTION_ID is the value of the id field. For example: "87654321-1234-5678-1234-567891234567".

    $ azure account set SUBSCRIPTION_ID
    info:  Executing command account set
    info:  Setting subscription to "Sample Subscription" with id "SUBSCRIPTION-ID".
    info:  Changes saved
    info:  account set command OK
  3. Record the value of the id set as the default. You use this value in future configuration steps.

  4. Record the value of tenantID for your default subscription. This is your TENANT_ID for creating a service principal. If your tenantID value is not defined, you may be using a personal account to log in to your Azure subscription.

Step 3: Create an Azure Active Directory (AAD) Application

  1. Run the following command to create an AAD application, replacing PASSWORD with a password of your choice. This is your CLIENT_SECRET for creating a service principal.

    $ azure ad app create --name "Service Principal for BOSH" \
    --password "PASSWORD" --home-page "http://BOSHAzureCPI" \
    --identifier-uris "http://BOSHAzureCPI"

    Note: You can provide any string for the home-page and identifier-uris flags, but the value of identifer-uris must be unique within the organization associated with your Azure subscription. For the home-page, Pivotal recommends using http://BOSHAzureCPI, as shown in the example above.

  2. Record the value of AppId from the output. This is your APPLICATION_ID for creating a service principal.

    info:    Executing command ad app create
    + Creating application Service Principal for BOSH
    data:    AppId:                   246e4af7-75b5-494a-89b5-363addb9f0fa
    data:    ObjectId:                208096bb-4899-49e2-83ea-1a270154f427
    data:    DisplayName:             Service Principal for BOSH
    data:    IdentifierUris:          0=http://BOSHAzureCPI
    data:    ReplyUrls:
    data:    AvailableToOtherTenants:  False
    info:    ad app create command OK

Step 4: Create and Configure a Service Principal

  1. To create a service principal, run azure ad sp create --applicationId YOUR-APPLICATION-ID, replacing YOUR-APPLICATION-ID with the APPLICATION_ID you recorded in the previous step:

    $ azure ad sp create --applicationId YOUR-APPLICATION-ID
    info:    Executing command ad sp create
    + Creating service principal for application YOUR-APPLICATION-ID
    data:    Object Id:               fcf68d7a-262b-42c4-8ef8-6a4856611155
    data:    Display Name:            Service Principal for BOSH
    data:    Service Principal Names:
    data:                             YOUR-APPLICATION-ID
    data:                             http://BOSHAzureCPI
    info:    ad sp create command OK
  2. You must have the Contributor role on your service principal to deploy PCF. Run the following command to assign this role:

    $ azure role assignment create --spn "SERVICE-PRINCIPAL-NAME" \
    --roleName "Contributor" --subscription SUBSCRIPTION-ID

    • For SERVICE-PRINCIPAL-NAME: Use any value of Service Principal Names from the output above, such as YOUR-APPLICATION-ID.
    • For SUBSCRIPTION-ID: Use the ID of the default subscription that you recorded in Step 2.

    Note: If you need to use multiple resource groups for your PCF deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy PCF to pre-existing network resources outside the PCF resource group. For more information, see Reference Architecture for Pivotal Cloud Foundry on Azure.

    For more information about Azure Role-Based Access Control, refer to RBAC: Built-in roles.

  3. Verify the assignment by running the following command:

    $ azure role assignment list --spn "SERVICE-PRINCIPAL-NAME"
    info:    Executing command role assignment list
    + Searching for role assignments
    data:    RoleAssignmentId     : /subscriptions/112a3bbc-44de-56ff-a7b8-9a012bbc3456/providers/Microsoft.Authorization/roleAssignments/061581af-118b-45e9-95a5-4e4ccf22c75d
    data:    RoleDefinitionName   : Contributor
    data:    RoleDefinitionId     : b24988ac-6180-42a0-ab88-20f7382dd24c
    data:    Scope                : /subscriptions/112a3bbc-44de-56ff-a7b8-9a012bbc3456
    data:    Display Name         : Service Principal for BOSH
    data:    SignInName           : undefined
    data:    ObjectId             : 11b11a1-11c1-1111-a222-3df3f33e333f
    data:    ObjectType           : ServicePrincipal
    info:    role assignment list command OK

Step 5: Verify Your Service Principal

To verify your service principal, log in to your service principal with your APPLICATION_ID, CLIENT_SECRET, and TENANT_ID. Replace YOUR-ENVIRONMENT with AzureCloud or AzureChinaCloud.

$ azure login --username APPLICATION_ID --password CLIENT_SECRET \
--service-principal --tenant TENANT_ID --environment YOUR-ENVIRONMENT
info:    Executing command login
-info:    Added subscription Example
info:    login command OK

If you cannot log in, the service principal is invalid. Create a new service principal and try again.

After you complete this topic, continue to one of the following topics:

Create a pull request or raise an issue on the source for this page in GitHub