I have a Consul cluster of 5 nodes running on VMs in Azure. The VMs are all configured with Managed Service Identities (MSI). When configuring auto-join, can I omit the service principal client ID and client secret? When configuring auto-unseal for Vault, it allows me to use the MSI instead of having to hard-code credentials to access Azure. Just wondering if Consul has the same capability.
Consul does not currently support using the MSI, but once the functionality makes it into go-discover with this PR, Consul can pull it in and gain that functionality.
Hi @mkeeler
I just tested out cloud auto-join using the Azure MSI but it doesn't seem to be working. It's still looking for the client-id etc. I'm using Consul version 1.6.2.
The PR you linked appears to be merged. Do you know if it made it into the 1.6.2 release?
This is the log stream:
==> Consul agent running!
2019/12/18 22:18:51 [INFO] agent: Retry join LAN is supported for: aliyun aws azure digitalocean gce k8s mdns os packet scaleway softlayer triton vsphere
2019/12/18 22:18:51 [INFO] agent: Joining LAN cluster...
2019/12/18 22:18:51 [ERR] agent: Cannot discover LAN provider=azure: discover-azure: parameter 'clientID' cannot be empty
2019/12/18 22:18:51 [INFO] agent: (LAN) joining: [tag_name=consul_auto_join tag_value=rnd]
2019/12/18 22:18:51 [WARN] memberlist: Failed to resolve tag_name=consul_auto_join: lookup tag_name=consul_auto_join: no such host
2019/12/18 22:18:51 [WARN] memberlist: Failed to resolve tag_value=rnd: lookup tag_value=rnd: no such host
2019/12/18 22:18:51 [WARN] agent: (LAN) couldn't join: 0 Err: 2 errors occurred:
* Failed to resolve tag_name=consul_auto_join: lookup tag_name=consul_auto_join: no such host
* Failed to resolve tag_value=rnd: lookup tag_value=rnd: no such host
I've tagged my VMs and the NICs for cloud auto-join, and below is an extract from my config file:
retry_join = [
  "provider=azure",
  "tag_name=consul_auto_join",
  "tag_value=rnd"
]
Hi Rob,
That change did not make it into 1.6.2.
go-discover was recently updated to 7ec2cfb in hashicorp/consul/pull/6865. This change is available in the current Consul 1.7 beta, if you’d like to test it out prior to the 1.7 GA release.
Thanks Blake. Will try it out this evening.
Hi @blake
So I’ve done some initial testing and it definitely works; however, I may have uncovered a small bug in the UI. I want to do a deeper dive to confirm the bug and the UI behaviours under different configurations but wanted to ask, where are you tracking issues for 1.7-betas please?
Hi Rob,
Any open issues for 1.7 should be tracked here https://github.com/hashicorp/consul/milestone/45.
Feel free to open a new issue if you’ve run into something that isn’t already filed, or isn’t on that list.
@blake and @mkeeler I’ve put in a PR to update the documentation to include the MSI support for cloud Auto-Join with Azure. https://github.com/hashicorp/consul/pull/7000 I’ve tested it successfully and very happy to have a secure way of authenticating against Azure. Great work folks. Thanks
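A pre-flight check for the setup discussed in this thread, added here as an example (it is not Consul or go-discover code and is not from any of the posters). It does, outside Consul, the two things the agent must be able to do for Azure auto-join over MSI: get an ARM token from the VM's instance metadata service with no client ID or secret in any config, then list the subscription's network interfaces and keep the private IPs whose tags match the tag_name/tag_value pair from the retry_join stanza above. The IMDS and ARM endpoints are the public Azure ones; the API version constant, the SAMPLE_NICS data and the command-line defaults are assumptions made for this example.

```python
"""Pre-flight check for Consul Azure cloud auto-join via Managed Service Identity.

Added example, not Consul's or go-discover's own code. The tag-matching helper is
pure so it can be exercised offline on the constructed SAMPLE_NICS below; the
network functions run only when the script is executed on an Azure VM.
"""
import json
import sys
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata"          # Azure instance metadata service
ARM = "https://management.azure.com"              # Azure Resource Manager
ARM_API_VERSION = "2019-11-01"                    # assumed: any current Microsoft.Network version works


def imds_get(path, params):
    """GET from IMDS. IMDS rejects requests without the 'Metadata: true' header."""
    url = f"{IMDS}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def msi_token(resource=ARM + "/"):
    """Bearer token for ARM from the VM's managed identity; no secret is stored anywhere."""
    body = imds_get("identity/oauth2/token", {"api-version": "2018-02-01", "resource": resource})
    return json.loads(body)["access_token"]


def subscription_id():
    """Subscription the VM lives in, read from IMDS instead of hard-coding it."""
    return imds_get("instance/compute/subscriptionId", {"api-version": "2017-08-01", "format": "text"})


def list_nics(token, sub_id):
    """All network interfaces in the subscription, following ARM's nextLink paging."""
    url = (f"{ARM}/subscriptions/{sub_id}/providers/Microsoft.Network/networkInterfaces"
           f"?api-version={ARM_API_VERSION}")
    nics = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            page = json.loads(resp.read().decode())
        nics.extend(page.get("value", []))
        url = page.get("nextLink")
    return nics


def discover_addrs(nics, tag_name, tag_value):
    """Private IPs of NICs tagged tag_name=tag_value, the pair retry_join passes to the provider.

    Tag name and value must match exactly. A NIC with several ipConfigurations contributes
    each private IP; NICs without the tag, with no tags at all, or without a private IP are skipped.
    """
    addrs = set()
    for nic in nics:
        if (nic.get("tags") or {}).get(tag_name) != tag_value:
            continue
        for cfg in nic.get("properties", {}).get("ipConfigurations", []):
            ip = cfg.get("properties", {}).get("privateIPAddress")
            if ip:
                addrs.add(ip)
    return sorted(addrs)


def _nic(name, tags, *ips):
    """Build a NIC record in the shape ARM returns (constructed sample data)."""
    return {"name": name, "tags": tags,
            "properties": {"ipConfigurations": [{"properties": {"privateIPAddress": ip}} for ip in ips]}}


# Constructed sample, not real Azure output: two tagged NICs (one dual-homed), one with a
# different tag value, and one with no tags at all.
SAMPLE_NICS = [
    _nic("consul-0-nic", {"consul_auto_join": "rnd"}, "10.0.1.4"),
    _nic("consul-1-nic", {"consul_auto_join": "rnd"}, "10.0.1.5", "10.0.1.6"),
    _nic("consul-prod-nic", {"consul_auto_join": "prod"}, "10.0.2.4"),
    _nic("bastion-nic", None, "10.0.3.4"),
]

if __name__ == "__main__":
    tag_name = sys.argv[1] if len(sys.argv) > 1 else "consul_auto_join"   # assumed defaults
    tag_value = sys.argv[2] if len(sys.argv) > 2 else "rnd"
    try:
        token = msi_token()
    except Exception as exc:
        sys.exit(f"no managed identity token from IMDS ({exc}); assign an identity to this VM")
    found = discover_addrs(list_nics(token, subscription_id()), tag_name, tag_value)
    print(f"{len(found)} address(es) for {tag_name}={tag_value}: {found}")
```

Run it on one of the cluster VMs before starting the agent: a token failure means the VM has no managed identity assigned, and a token that succeeds followed by an HTTP 403 from ARM or an empty list means the identity cannot read the network interfaces (or the tags are on the VM but not on the NIC, which is what the provider inspects). Either condition would leave a Consul agent configured as above with nothing to join.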