# Add Cloud Credentials

[Manager](https://itera.gitbook.io/taikun/user-guide-1/manager/cloud-credentials)/[Partner](https://itera.gitbook.io/taikun/user-guide-1/partner/cloud-credentials): Use your credentials to sign in to your cloud in OpenStack, Amazon or Azure.

If you are struggling with adding the clouds, try the [Where to find credentials](https://itera.gitbook.io/taikun/guidelines/create-credentials/where-to-find-credentials) tab.

Here are examples for each cloud:

## OpenStack

### Requirements for OpenStack

{% hint style="danger" %}
For OpenStack: a Taikun image must already exist in the OpenStack cloud. The requirement is an Ubuntu 20 image, and we recommend using a recent kernel, e.g. a base Ubuntu image with the HWE kernel, available here: <https://repo.itera.io/repository/images/taikun-image.qcow2>

To use the image in Taikun you have to use the tags "taikun" and "ubuntu{number}". By default Taikun will take the image with the latest {number}.

Command to add an image to OpenStack:
{% endhint %}

```
openstack image create --disk-format qcow2 --container-format bare --public --tag taikun --tag ubuntu20.04 --property hw_disk_bus=scsi --property hw_scsi_model=virtio-scsi taikun-focal-image --file taikun-image.qcow2
```

Add new Cloud Credentials (CC):

![Openstack](https://2158992251-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQrhtis3vRAM281R7J%2F-MZqHiHgS_aGkP_E1fs0%2F-MZqNji7Obfx7tezgvDJ%2Fadd%20openstack.gif?alt=media\&token=d773a6c6-acbf-4140-af74-e0f7746bad99)

*Cloud Name* - choose name for your Cloud Credentials (3-30 characters, e.g. cloud-test)

*User* - your OpenStack user name (e.g. user)

*Password* - your OpenStack password (e.g. 123abc)

*URL* - Endpoint-Identity (e.g. <https://cloud.mycloud.com:32132>)

*Domain* - insert domain name (e.g. default)

*Project* - select Project if there are multiple options (e.g. my-cloud-project)

*Region* - select Region if there are multiple options (e.g. RegionOne)

*Public Network* - choose network, if available (e.g. public2)

Optional:

*Specify Availability Zone* - check if you want to specify (e.g. pod04)

*Volume Types* - check and choose type of volume (e.g. ssd)

*Enable Import Network* - check if you want to enable

{% hint style="danger" %}
If you choose to import the network, the DNS in the profile created in [*Access Profiles*](https://itera.gitbook.io/taikun/user-guide-1/manager/access-profiles) will be IGNORED.
{% endhint %}

![](https://2158992251-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQrhtis3vRAM281R7J%2F-MOfUtRXfr96LI8W01qs%2F-MOg1FAjPJqaww-jMQn3%2Fenable%20import%20network.png?alt=media\&token=12410e78-2770-40d8-928e-a2f7d61aff34)

{% hint style="warning" %}
If the Credentials are invalid, you are notified and you won't be able to connect the cloud.
{% endhint %}

## Amazon Web Services

![AWS](https://2158992251-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQrhtis3vRAM281R7J%2F-MZqHiHgS_aGkP_E1fs0%2F-MZqOrGxhZgTdaMmeM6x%2Fadd%20awx.gif?alt=media\&token=503bb2c1-457f-48fd-a66e-0cb7b558e5a6)

*Cloud Name* - choose name for your Cloud Credentials (3-30 characters, e.g. cloud-test)

*Access Key ID*, *Secret Access Key* - find your credentials in your AWS account (under [*My Security Credentials*](https://itera.gitbook.io/taikun/guidelines/create-credentials/where-to-find-credentials#aws))

*Region* - choose suitable region

*Availability Zone* - choose availability zone for the region

## Azure

Before adding the Azure account, you have to create an application registration using the commands below. ([source](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/azure.md))

{% hint style="info" %}
This process is Linux-based; there might be some changes for other OS.
{% endhint %}

1\) If you haven't installed the Azure CLI, you can do it with

```
sudo apt install azure-cli -y
```

2\) Login

```
az login
```

You will be redirected to the Azure web page, where you choose your account.

![Web login](https://2158992251-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQrhtis3vRAM281R7J%2F-MZqHiHgS_aGkP_E1fs0%2F-MZq_x4qAJScpTQZMhOz%2Fazure%20web.png?alt=media\&token=eda4ef4d-53de-4e9c-8060-9e7cf6363c59)

CLI output:

```
[
  {
    "cloudName": "AzureCloud",
    "id": "c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6",
    "isDefault": true,
    "name": "Bezplatná zkušební verze",
    "state": "Enabled",
    "tenantId": "32xxxxb3-xxx-46b3-xxxx-0exxxxc46d1",
    "user": {
      "name": "usermail@gmail.com",
      "type": "user"
    }
  }
]
```

**AZURE SUBSCRIPTION ID** = "id": "c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6"

**AZURE TENANT ID** = "tenantId": "32xxxxb3-xxx-46b3-xxxx-0exxxxc46d1"

3\) Create Azure App

```
az ad app create --display-name kubernetes --identifier-uris http://kubernetes --homepage http://example.com --password CLIENT_SECRET
```

*CLIENT\_SECRET* - change to your secret (can be deleted later) (e.g. "Ue9)Qj^V\~UYES3(C")

**AZURE CLIENT SECRET** = CLIENT\_SECRET

CLI output:

```
{
  "acceptMappedClaims": null,
  "addIns": [],
  "allowGuestsSignIn": null,
  "allowPassthroughUsers": null,
  "appId": "7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558",
  "appLogoUrl": null,
  "appPermissions": null,
  "appRoles": [],
  "applicationTemplateId": null,
  "availableToOtherTenants": false,
  "deletionTimestamp": null,
  "displayName": "kubernetes",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://example.com",
  "identifierUris": [
    "http://kubernetes"
  ],
  }
  ...
  {
    "adminConsentDescription": "Allow the application to access kubernetes on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access kubernetes",
    "id": "59xxx87-xxxx-47b8-xxxx-1708xxxxefcd",
    "isEnabled": true,
    "type": "User",
    "userConsentDescription": "Allow the application to access kubernetes on your behalf.",
    "userConsentDisplayName": "Access kubernetes",
    "value": "user_impersonation"
  }
...
}
```

**CLIENT ID** = "appId": "7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558"

4\) Create service principal for the app

```
az ad sp create --id appId
```

*appId* is provided by the previous command, in this case:

```
az ad sp create --id 7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558
```

CLI output:

```
{
  "accountEnabled": true,
  ...
}
...
"objectId": "85xxxxcb-xxxx-4761-xxxx-63fxxxx515e",
  "objectType": "ServicePrincipal",
  "odata.metadata": "https://graph.windows.net/32xxxxb3-xxxx-46b3-xxxx-0e33xxxx46d1/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
}
...
```

5\) Create the role assignment

```
az role assignment create --role "Owner" --assignee http://kubernetes --subscription SUBSCRIPTION_ID
```

*SUBSCRIPTION\_ID* - subscription id from login command, in this case:

```
az role assignment create --role "Owner" --assignee http://kubernetes --subscription c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6
```

CLI output:

```
{
  "canDelegate": null,
  "id": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6/providers/Microsoft.Authorization/roleAssignments/4fxxxx7f-xxxx-4ccf-xxxx-7287xxxxfa14",
  "name": "4fxxxx7f-xxxx-4ccf-xxxx-7287xxxxfa14",
  "principalId": "85xxxxcb-xxxx-4761-xxxx-63ffxxxx515e",
  "principalType": "ServicePrincipal",
  "roleDefinitionId": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6/providers/Microsoft.Authorization/roleDefinitions/8exxxx57-xxxx-443c-xxxx-2fe8xxxxb635",
  "scope": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6",
  "type": "Microsoft.Authorization/roleAssignments"
}
```

Now you have all the Azure IDs needed, but you can also find them in [**Azure portal**](https://itera.gitbook.io/taikun/guidelines/create-credentials/where-to-find-credentials#azure).

Please be careful when inserting the credentials. If you add incorrect credentials, you will not be able to add a flavor and then create a cluster.
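A consistency check for the values gathered in steps 2 to 5, added here as an example and not part of the original guide: it reads the saved JSON output of each command, confirms the IDs are complete GUIDs, and confirms that the role assignment targets the service principal from step 4 at the scope of the subscription from step 2. The function name and the sample GUIDs are assumptions; the field names (`objectId`, `principalId`, `scope`) are the ones shown in the outputs on this page, and other CLI versions may name them differently.

```python
import json
import re

GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def collect_azure_ids(login_out, app_out, sp_out, role_out):
    """Return the IDs to enter in the form, or raise ValueError on a mismatch.

    Each argument is the JSON text printed by the matching step (2 to 5).
    Hypothetical helper; field names follow the outputs shown on this page.
    """
    subs = [s for s in json.loads(login_out) if s.get("isDefault")]
    if len(subs) != 1:
        raise ValueError("expected exactly one default subscription")
    sub = subs[0]
    app, sp, role = json.loads(app_out), json.loads(sp_out), json.loads(role_out)

    ids = {
        "subscription_id": sub["id"],
        "tenant_id": sub["tenantId"],
        "client_id": app["appId"],
    }
    for name, value in ids.items():
        if not GUID.fullmatch(value):
            raise ValueError(f"{name} is not a complete GUID: {value!r}")
    if sub.get("state") != "Enabled":
        raise ValueError("subscription is not enabled")
    # The role must be bound to the service principal created in step 4 ...
    if role["principalType"] != "ServicePrincipal" or role["principalId"] != sp["objectId"]:
        raise ValueError("role assignment is not for the service principal from step 4")
    # ... and scoped to the subscription chosen in step 2, nothing else.
    if role["scope"] != f"/subscriptions/{sub['id']}":
        raise ValueError(f"unexpected role scope: {role['scope']}")
    return ids

# Constructed sample outputs (made-up GUIDs, trimmed to the fields that are checked).
SUB = "11111111-2222-4333-8444-555555555555"
TENANT = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
APP = "01234567-89ab-4cde-8f01-23456789abcd"
SP_OBJ = "fedcba98-7654-4321-8fed-cba987654321"
LOGIN = json.dumps([{"id": SUB, "tenantId": TENANT, "isDefault": True, "state": "Enabled"}])
APP_OUT = json.dumps({"appId": APP, "displayName": "kubernetes"})
SP_OUT = json.dumps({"objectId": SP_OBJ, "objectType": "ServicePrincipal"})
ROLE_OUT = json.dumps({"principalId": SP_OBJ, "principalType": "ServicePrincipal",
                       "scope": f"/subscriptions/{SUB}"})

if __name__ == "__main__":
    print(collect_azure_ids(LOGIN, APP_OUT, SP_OUT, ROLE_OUT))
```

The client secret never appears in any CLI output, so it is not part of this check and has to be kept from step 3.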

![Azure](https://2158992251-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJQrhtis3vRAM281R7J%2F-MZqHiHgS_aGkP_E1fs0%2F-MZqi1Kolt1N9oTadnnO%2Fadd%20azure.gif?alt=media\&token=363c2050-a0f7-476a-9bec-94fda50550f1)

*Cloud Name* - choose name for your Cloud Credentials (3-30 characters, e.g. cloud-test)

*Location* - choose suitable location

*Availability Zone* - choose zone for the location
