Setting up Packer and Azure

You should follow the documentation here. However, one thing is missing: when you use the Azure CLI to create a service principal, you are not shown the correct ObjectId for the Azure Active Directory Service Principal.

As a result, if you put the wrong value in the “object_id” field in the packer variables file you will invariably run into this error:

“ERROR: -> Forbidden : Access denied”

“…failed to get certificate URL, retry(0)”

“…failed to get certificate URL, retry(1)”

“…failed to get certificate URL, retry(2)”

“…failed to get certificate URL, retry(3)”

Until it finally bombs out.

I haven’t figured out how to get this value from the Azure CLI, but I have using PowerShell.

First login.

Then display a list of the Azure AD Service Principals:

Find the Service Principal with an ApplicationId that matches the field found in the Azure Portal highlighted below:

Your packer variables file should have the following:

  1. client_id: Service Principal’s Application ID
  2. client_secret: Password you set up for this Service Principal
  3. tenant_id: Azure Active Directory tenant ID
  4. subscription_id: Azure Subscription ID
  5. object_id: Service Principal’s Object ID
  6. resource_group_name: Name of an existing resource group where packer can deploy the machine images to

After grabbing the ObjectId, everything works simply by running this command to build my image in Azure:

packer build -var-file=variables-prod.json active-directory-dc.json
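As an added example (not code from the original post), the PowerShell below automates the lookup described above using the Az module: it finds the Service Principal by its Application ID, reads the variables file named in the build command, and corrects object_id if it does not match. It assumes the Az cmdlets Connect-AzAccount and Get-AzADServicePrincipal with its -ApplicationId parameter and .Id property, and the Application ID is a placeholder you supply.

```powershell
# Added example, not from the original post. Assumes the Az PowerShell module
# and a Packer variables file with the keys listed above.
param(
    [Parameter(Mandatory)][string]$ApplicationId,   # Service Principal's Application (client) ID
    [string]$VarFile = 'variables-prod.json'        # Packer variables file from the build command
)

Connect-AzAccount | Out-Null                        # "First login."

# Look the Service Principal up by Application ID instead of scanning the full list
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) { throw "No service principal found for ApplicationId $ApplicationId" }
$objectId = $sp.Id                                  # this Object ID, not the App ID, goes in object_id

# Load the existing variables file and cross-check client_id against the SP we found
$vars = Get-Content -Raw $VarFile | ConvertFrom-Json
if ($vars.client_id -ne $ApplicationId) {
    throw "client_id in $VarFile ($($vars.client_id)) does not match $ApplicationId"
}

# Fix object_id only when it is wrong; a wrong value produces the "Forbidden" error above
if ($vars.object_id -eq $objectId) {
    Write-Host "object_id already correct: $objectId"
} else {
    Write-Host "object_id was '$($vars.object_id)', updating to $objectId"
    $vars | Add-Member -NotePropertyName object_id -NotePropertyValue $objectId -Force
    $vars | ConvertTo-Json | Set-Content $VarFile
}
```

Run it once before `packer build`; the client_id check catches the case where the variables file points at a different Service Principal than the one you looked up.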

