Azure subscriptions
Give learners access to Azure subscriptions.
This guide explains how to access an Azure subscription from Instruqt.
An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to.
— Azure documentation
Before you begin
You must have already built a track to which you can add access to an Azure subscription.
Access Azure subscriptions
It is best to add the Instruqt Cloud Client container to your track to give a learner access to an Azure subscription, because the Instruqt Cloud Client:
Exposes links to the Azure portal for the resources configured in the config.yml file, with the credentials required to log in.
Includes the az CLI, pre-configured with the required credentials.
The Azure portal and the az CLI make it easy for content developers and learners to access Azure subscription resources from the sandbox.
It takes the following steps to give learners access to an Azure subscription:
Add an Instruqt Cloud Client container to your track.
Add an Azure subscription to your track.
Add tabs to your challenges where you want to expose the Azure portal or az CLI.
Additionally, you can use:
A set of environment variables that are available in the az CLI.
Azure built-in roles.
Access to Resource Providers is restricted to maintain security and to protect tracks from abuse that relies on providers outside the scope of Instruqt tracks.
A resource provider is a collection of REST operations that enables functionality for an Azure service.
Below are the Resource Providers that are allowed to be used in Azure subscriptions. If you need access to an additional provider, please contact support.
Step 1: Add an Instruqt Cloud Client container to your track
Click the track to which you want to add an Azure subscription.
In the Sandbox section, click Edit to open the Sandbox page.
Click + Add a host. ↳ The Add host page opens.
Pick the Container host type.
Enter/select these values:
Field: Value
Hostname: cloud-client
Image type: Choose your own
Image: gcr.io/instruqt/cloud-client
Click Show optional settings. Enter these values:
Field: Value
Ports: 80
Shell: /bin/bash
Click Save host to add the container.
Step 2: Add an Azure subscription to your track
Click + Add a cloud account on the Sandbox page.
Select the Azure provider.
In the Name field, enter azuresubscription.
In the Services field, select the services that are going to be enabled.
In the Regions field, select the regions that are going to be enabled.
In the User Roles field, specify the desired roles for the end user.
In the Admin Roles field, specify the desired roles for the admin user.
Click Save to add the Azure subscription. ↳ On the Sandbox page, you will see the new Azure subscription.
Click Back to track to return to the Track dashboard page.
In the Roles field, only provide access to services that are strictly needed to prevent abuse. See Access role for more details.
Only enabled services and regions configured by the team administrator can be selected and/or specified. See more details in Cloud services and regions.
When specifying Admin Roles, an additional admin user and application will be created with the designated roles.
For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.
Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.
Step 3: Add tabs to expose the Azure portal and az CLI
In the Challenges section of the Track dashboard, click Add new followed by Assignment.
Enter/select these values:
Field: Value
Tab name: Azure subscription
URL: azure-subscription
Description: Learn about Azure
Click Save.
Click Tabs followed by Add new tab.
Select the Your applications tab type.
Enter/select these values to set the Azure portal:
Field: Value
Tab name: Azure Portal
Select your host: cloud-client
Path: /
Port: 80
Click Save to add the tab.
Click Add new tab again.
Select the Terminal tab type.
Enter/select these values to set the az CLI:
Field: Value
Tab name: az CLI
Host: cloud-client
Click Save to add the tab.
Click the track name to return to the Track dashboard.
Click Play track and test your Azure subscription.
Environment variables
Adding an Azure subscription to your track also sets a list of environment variables that you can use in commands and scripts:
Environment variable: Description
INSTRUQT_AZURE_SUBSCRIPTIONS: A comma-separated list of project names that can be used to fill ${NAME} in the variables below
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_NAME: The subscription display name
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_ID: The subscription ID
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_USERNAME: The username that can be used to sign into the Azure portal
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_PASSWORD: The password that can be used to sign into the Azure portal
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_ID: The application ID for the service principal
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_PASSWORD: The password for the service principal
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_TENANT_ID: The tenant ID for this subscription
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_ADMIN_USERNAME: The username that can be used to sign into the Azure portal as the admin user
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_ADMIN_PASSWORD: The password that can be used to sign into the Azure portal as the admin user
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_ADMIN_SPN_ID: The application ID for the admin service principal
INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_ADMIN_SPN_PASSWORD: The password for the admin service principal
Example
This example shows the ID of the Azure subscription from a terminal by using two environment variables. The value of the INSTRUQT_AZURE_SUBSCRIPTIONS environment variable is inserted in the INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_ID environment variable.
To follow along:
Start your Azure subscription track and start the first challenge.
Move over to the Cloud CLI terminal and enter the following command:
↳ The terminal shows the ID of your Azure subscription.
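One way to do the lookup this example describes, written as an added example that is not Instruqt's own command: each name in INSTRUQT_AZURE_SUBSCRIPTIONS is validated and substituted for ${NAME} without using eval. It goes beyond the single-subscription case by handling a list of names. The function names, the refusal to print PASSWORD fields, the sample values, and the assumption that the cloud account name is used verbatim as ${NAME} are this example's own.

```shell
#!/bin/sh
# Added example, not Instruqt's own code.
# Assumption: each entry of INSTRUQT_AZURE_SUBSCRIPTIONS is used verbatim as ${NAME}.

# Print one non-secret field (e.g. SUBSCRIPTION_ID) of a named subscription.
azure_sub_field() {
    sub_name=$1
    sub_field=$2
    # Allow only variable-name characters, so a list entry can never
    # carry shell syntax into the lookup (no eval is used either).
    case $sub_name in
        '' | *[!A-Za-z0-9_]*)
            echo "invalid subscription name: $sub_name" >&2
            return 2 ;;
    esac
    # Keep credentials out of terminal scrollback and logs.
    case $sub_field in
        *PASSWORD*)
            echo "refusing to print secret field: $sub_field" >&2
            return 3 ;;
    esac
    printenv "INSTRUQT_AZURE_SUBSCRIPTION_${sub_name}_${sub_field}"
}

# Print "name<TAB>subscription ID" for every subscription in the sandbox.
azure_sub_ids() {
    printf '%s\n' "$INSTRUQT_AZURE_SUBSCRIPTIONS" | tr ',' '\n' |
        while IFS= read -r sub; do
            sub_id=$(azure_sub_field "$sub" SUBSCRIPTION_ID) || continue
            printf '%s\t%s\n' "$sub" "$sub_id"
        done
}

# Constructed sample values, used only outside an Instruqt sandbox.
if [ -z "${INSTRUQT_AZURE_SUBSCRIPTIONS:-}" ]; then
    export INSTRUQT_AZURE_SUBSCRIPTIONS=azuresubscription
    export INSTRUQT_AZURE_SUBSCRIPTION_azuresubscription_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
fi
azure_sub_ids
```

In a sandbox, azure_sub_field azuresubscription SUBSCRIPTION_ID prints the ID for the cloud account named in Step 2.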
Azure built-in roles
The roles option allows you to choose one or more Azure built-in roles to grant access to your Azure subscription. See Azure built-in roles that you can apply.
You might start with the role Virtual Machine Contributor, which gives the learner the ability to spin up and configure Azure virtual machines:
Update your Azure subscription by entering the following in the Assigned Roles field:
And clicking Add.
Great! Your learners can now access Azure subscriptions. But there is more. You can also give them access to: