# Azure subscriptions

{% hint style="danger" %}
Cloud account usage can lead to abuse without the appropriate security policies in place. Always be sure to implement the appropriate policies and restrictions before exposing tracks with cloud accounts to the public.
{% endhint %}

{% hint style="warning" %}
Costs associated with cloud accounts are in addition to your standard Instruqt billing. Therefore, you should take extra precautions when allowing users to access tracks that have cloud accounts.
{% endhint %}

This guide explains how to access an Azure subscription from Instruqt.

> An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to.
>
> — Azure documentation

## Before you begin

You must have already built a track to which you can add access to an Azure subscription.

## Access Azure subscriptions

The best way to give a learner access to an Azure subscription is to add the [Instruqt Cloud Client](/sandboxes/cloud-accounts/cloud-client.md) container to your track, because the Instruqt Cloud Client:

* Exposes links to the Azure portal for the resources configured in the `config.yml` file, with the credentials required to log in.
* Includes the `az` CLI, pre-configured with the required credentials.

The Azure portal and the `az` CLI make it easy for content developers and learners to access Azure subscription resources from the sandbox.

It takes the following steps to give learners access to an Azure subscription:

1. Add an [Instruqt Cloud Client](/sandboxes/cloud-accounts/cloud-client.md) container to your track.
2. Add an Azure subscription to your track.
3. Add tabs to your challenges where you want to expose the Azure portal or `az` CLI.

Additionally, you can use:

* A set of environment variables that are available in the `az` CLI.
* Azure built-in roles.

### Step 1: Add an Instruqt Cloud Client container to your track

More information can be found in the [cloud client](/sandboxes/cloud-accounts/cloud-client.md) section.

### Step 2: Add an Azure subscription to your track

{% tabs %}
{% tab title="🌐 Web UI" %}

1. Click **+ Add a cloud account** on the *Sandbox* page.
2. Select the **Azure** provider.
3. In the **Name** field, enter `azuresubscription`.
4. In the **Services** field, select the services that are going to be enabled.
5. In the **Regions** field, select the regions that are going to be enabled.
6. In the **User Roles** field, specify the desired roles for the end user.
7. In the **Admin Roles** field, specify the desired roles for the admin user.
8. Click **Save** to add the Azure subscription.\
   ↳ On the *Sandbox* page, you will see the new Azure subscription.
9. Click **Back to track** to return to the *Track dashboard* page.
   {% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Copy and paste the following code into `config.yml`:

   ```yaml
   azure_subscriptions:
   - name: azuresubscription
     services: []
     regions: []
     roles: []
   ```

   ↳ Your `config.yml` file should be similar to this now:

   ```yaml
   version: "3"
   containers:
   - name: cloud-client
     image: gcr.io/instruqt/cloud-client
     ports: [80]
     shell: /bin/bash
     memory: 256
   azure_subscriptions:
   - name: azuresubscription
     services: []
     regions: []
     roles: []
   ```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
In the **Roles** field, only provide access to services that are strictly needed, to prevent abuse. See [Access role](#azure-built-in-roles) for more details.
{% endhint %}

{% hint style="warning" %}
Only **services** and **regions** that the team administrator has enabled can be selected or specified. See more details in [Cloud services and regions](/sandboxes/manage/cloud-services-and-regions.md).
{% endhint %}
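
The role hint and the services/regions restriction above can be checked before a track is pushed. The following is an added example, not Instruqt's own tooling: it audits the parsed `config.yml` for broad end-user roles and for services or regions outside a team allowlist. The `BROAD_ROLES` policy, the allowlists and the sample values (including the format of the `services` entries) are assumptions made for illustration.

```python
"""Pre-push audit of the azure_subscriptions section of an Instruqt config.yml."""

# Assumption: roles this team treats as too broad for learner-facing tracks.
# The names are Azure built-in roles; the policy itself is illustrative.
BROAD_ROLES = {"owner", "contributor", "user access administrator"}


def audit_azure_subscriptions(config, allowed_services, allowed_regions):
    """Return a list of findings for a parsed config.yml mapping."""
    findings = []
    for sub in config.get("azure_subscriptions") or []:
        name = sub.get("name", "<unnamed>")
        for role in sub.get("roles") or []:
            if role.strip().lower() in BROAD_ROLES:
                findings.append(f"{name}: end-user role '{role}' is broader than a lab needs")
        checks = (("services", allowed_services), ("regions", allowed_regions))
        for key, allowed in checks:
            for value in sub.get(key) or []:
                if value not in allowed:
                    findings.append(f"{name}: {key} entry '{value}' is not enabled for the team")
    return findings


# Constructed sample: the subscription from this page with illustrative values filled in.
SAMPLE_CONFIG = {
    "version": "3",
    "azure_subscriptions": [{
        "name": "azuresubscription",
        "services": ["Microsoft.Compute", "Microsoft.Storage"],
        "regions": ["westeurope", "eastus"],
        "roles": ["Owner", "Reader"],
    }],
}
ALLOWED_SERVICES = {"Microsoft.Compute"}  # constructed team allowlist
ALLOWED_REGIONS = {"westeurope"}          # constructed team allowlist

if __name__ == "__main__":
    import sys
    config = SAMPLE_CONFIG
    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed when auditing a real file
        with open(sys.argv[1]) as fh:
            config = yaml.safe_load(fh) or {}
    problems = audit_azure_subscriptions(config, ALLOWED_SERVICES, ALLOWED_REGIONS)
    print("\n".join(problems) or "azure_subscriptions: no findings")
    sys.exit(1 if problems else 0)
```

Run with the path to `config.yml` as the only argument; a non-zero exit status lets a CI job stop before `instruqt track push`.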

{% hint style="info" %}
When specifying Admin Roles, an additional admin user and application will be created with the designated roles.

For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end-user credentials, which are exposed as environment variables on virtual machines and containers.
{% endhint %}

### Step 3: Add tabs to expose the Azure portal and `az` CLI

{% tabs %}
{% tab title="🌐 Web UI" %}

1. In the **Challenges** section of the *Track dashboard*, click **Add new** followed by **Assignment.**
2. Enter/select these values:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>Azure subscription</code></td></tr><tr><td><strong>URL</strong></td><td><code>azure-subscription</code></td></tr><tr><td><strong>Description</strong></td><td><code>Learn about Azure</code></td></tr></tbody></table>
3. Click **Save.**
4. Click **Tabs** followed by **Add new tab**.
5. Select the **Your applications** tab type.
6. Enter/select these values to set the Azure portal:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>Azure Portal</code></td></tr><tr><td><strong>Select your host</strong></td><td><code>cloud-client</code></td></tr><tr><td><strong>Path</strong></td><td><code>/</code></td></tr><tr><td><strong>Port</strong></td><td><code>80</code></td></tr></tbody></table>
7. Click **Save** to add the tab.
8. Click **Add new tab** again.
9. Select the **Terminal** tab type.
10. Enter/select these values to set the `az` CLI:

    <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>az CLI</code></td></tr><tr><td><strong>Host</strong></td><td><code>cloud-client</code></td></tr></tbody></table>
11. Click **Save** to add the tab.
12. Click the track name to return to the *Track dashboard*.
13. Click **Play track** and test your Azure subscription.
    {% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Open a terminal and move to your track directory.
2. Enter the following command to create a new challenge:

   ```bash
   instruqt challenge create --title "AzureSubscription"
   ```

   ↳ The Instruqt CLI creates a directory for the challenge, with an `assignment.md` file inside it.
3. Open the `assignment.md` file in your code editor.
4. Copy and paste the following code into `assignment.md` to set the Azure portal and `az` CLI:

   ```md
   ---
   slug: azure-challenge
   type: challenge
   title: Azure subscription
   teaser: Learn to work with an Azure subscription
   tabs:
   - title: Azure Portal
     type: service
     hostname: cloud-client
     path: /
     port: 80
   - title: az CLI
     type: terminal
     hostname: cloud-client
   difficulty: basic
   timelimit: 600
   ---
   ```

   ⇨ You can add your own assignment text in Markdown after line 17.
5. Save the `assignment.md` file.
6. Push the track to the Instruqt platform:

   ```bash
   instruqt track push
   ```
7. Play and test the track:

   ```bash
   instruqt track open
   ```

   ↳ Your browser opens, showing the Track overview page.\
   Click **Start track** to play the track.
   {% endtab %}
   {% endtabs %}

{% hint style="success" %}
Great! Your learners can now access Azure subscriptions. But there is more. You can also give them access to:

* [GCP projects](/sandboxes/cloud-accounts/gcp-projects.md)
* [AWS accounts](/sandboxes/cloud-accounts/aws-accounts.md)
  {% endhint %}


