Add Azure Government Subscription fails

I’m trying to add an Azure Government subscription to my demo server.

I’ve added the Subscription ID, downloaded the generated certificate file, logged into Azure Government portal and added the certificate to the Account Settings page. Clicked Save and Test and during the testing it failed with an error.

Unable to verify Azure Account : Azure Management Certificate is not authorized to manage the Azure Subscription The Management Certificate configured for this account is not authorized to manage the Azure Subscription. In the Azure Management Portal check Settings -> Management Certificates and upload the Management Certificate for this account. See :
http://g.octopusq.com/WindowsAzure Exception: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with the subscription.

Hi,

Thanks for getting in touch.

Because Azure US Government is a separate instance of the global Azure cloud, the endpoints for certain services are different, so the account “Save and Test” method that ships with Octopus Server will not work if you’re communicating with Azure US Government, China or Germany.

You can still save your account in the Octopus web portal, you just won’t be able to use the test functionality in the account screen.

Once you’ve saved your account and Azure has your management certificate uploaded, that leads you to the next problem … any Azure-related deployment steps that you create ( Deploy an Azure Cloud Service or Deploy an Azure Web App ) will not work unless you tell Octopus about the Azure US Government endpoints it needs to communicate with.

We added a fix for this issue that allows you to override these URLs in version 3.7.14 of Octopus Server, so you will need to be running at least this version in order to continue.

In order to tell Octopus about these US Government endpoints, firstly we need to determine what name Azure has set for the various non-global environments. To do this, you’d run this command in PowerShell:

Get-AzureEnvironment |Select Name

We can see a value named AzureUSGovernment in that list, which is what you’re interested in.

To then determine the list of endpoints, you would run this PowerShell command:

Get-AzureEnvironment -Name AzureUSGovernment

That will give you this list of US Government endpoints:

Name                                     : AzureUSGovernment
EnableAdfsAuthentication                 : False
ActiveDirectoryServiceEndpointResourceId : https://management.core.usgovcloudapi.net/
AdTenant                                 :
GalleryUrl                               : https://gallery.usgovcloudapi.net/
ManagementPortalUrl                      : https://manage.windowsazure.us
ServiceManagementUrl                     : https://management.core.usgovcloudapi.net/
PublishSettingsFileUrl                   : https://manage.windowsazure.us/publishsettings/index
ResourceManagerUrl                       : https://management.usgovcloudapi.net/
SqlDatabaseDnsSuffix                     : .database.usgovcloudapi.net
StorageEndpointSuffix                    : core.usgovcloudapi.net
ActiveDirectoryAuthority                 : https://login-us.microsoftonline.com/
GraphUrl                                 : https://graph.windows.net/
TrafficManagerDnsSuffix                  : usgovtrafficmanager.net
AzureKeyVaultDnsSuffix                   : vault.usgovcloudapi.net
AzureKeyVaultServiceEndpointResourceId   : https://vault.usgovcloudapi.net

You are interested in the ResourceManagerUrl and ServiceManagementUrl values.

When you’re setting up your deployments, you will need to set the following variables (as part of your project) to their equivalent value from the list above:

Octopus.Action.Azure.ResourceManagementEndPoint
Octopus.Action.Azure.ServiceManagementEndPoint

Then when your deployments are executing, they will call out to those correct US Government endpoints.

We are still in the process of updating our documentation to help explain this, and we have a current issue where we aim to improve support for this via the UI, but for now those steps above should do the trick.

Hope this helps.

Cheers
Mark
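As an added illustration (not part of the thread and not Octopus or Azure product code), the script below pulls the two endpoint values from the environment listing above, prints them under the Octopus variable names, and then makes one authenticated call to the classic Service Management API so you can see, before saving a step, whether the certificate is accepted for the subscription in that environment or comes back as the 403 ForbiddenError described in the thread. It assumes the classic Azure PowerShell module that provides Get-AzureEnvironment, and the subscription ID and certificate thumbprint are placeholders you replace with your own.

```powershell
# Added example: resolve sovereign-cloud endpoints for the Octopus variables and
# verify the management certificate against the classic Service Management API.
function Test-AzureManagementCertificate {
    param(
        [string]$EnvironmentName = 'AzureUSGovernment',                        # name from Get-AzureEnvironment
        [string]$SubscriptionId  = '00000000-0000-0000-0000-000000000000',     # placeholder: your subscription ID
        [string]$CertThumbprint  = 'REPLACE_WITH_CERT_THUMBPRINT'              # placeholder: thumbprint in CurrentUser\My
    )

    # 1. Resolve the environment and map the two URLs to the Octopus project variable names.
    $azEnv = Get-AzureEnvironment -Name $EnvironmentName
    $variables = [ordered]@{
        'Octopus.Action.Azure.ServiceManagementEndPoint'  = $azEnv.ServiceManagementUrl
        'Octopus.Action.Azure.ResourceManagementEndPoint' = $azEnv.ResourceManagerUrl
    }
    foreach ($kv in $variables.GetEnumerator()) { '{0} = {1}' -f $kv.Key, $kv.Value }

    # 2. Load the certificate; the classic API authenticates with the private key, so a .cer alone is not enough.
    $cert = Get-Item "Cert:\CurrentUser\My\$CertThumbprint"
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate has no private key; import the .pfx, not just the public .cer'
    }

    # 3. "Get Subscription" call against the environment's ServiceManagementUrl (not the global one).
    $uri = '{0}/{1}' -f $azEnv.ServiceManagementUrl.TrimEnd('/'), $SubscriptionId
    try {
        $null = Invoke-WebRequest -Uri $uri -Certificate $cert `
            -Headers @{ 'x-ms-version' = '2014-06-01' } -UseBasicParsing
        "OK: certificate is authorised for $SubscriptionId at $($azEnv.ServiceManagementUrl)"
        return $true
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 403) {
            "403 ForbiddenError: certificate is not listed under Settings -> Management Certificates for this subscription in $EnvironmentName"
        } else {
            "Request to $uri failed (HTTP $status): $($_.Exception.Message)"
        }
        return $false
    }
}

Test-AzureManagementCertificate
```

A 403 here with the correct environment URL means the certificate was uploaded to a different subscription or a different cloud (for example the global portal rather than manage.windowsazure.us); a success here but a ForbiddenError in Octopus points at the endpoint variables instead.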

Mark,

Thank you for the detailed response.

I’ve added the two Azure URLs to my project as Project Variables. In our continuous deployment, we’re building and deploying to Azure Commercial, so I set their initial values to the US Azure Commercial URLs, then tried to add a Deploy to Testing step using our “Azure QA Account”. I could select the account from the drop down, but when the Azure Cloud Service step queried to find the “Cloud Service” and “Storage Account”, I received the same error as before (ForbiddenError).

Thinking that defining the variables using the US Azure Commercial URLs was the problem, I edited the Project Variables and set them to their US Government values. Then went back to define the “Deploy to Testing” step. This failed again with the same ForbiddenError.

I just downloaded Octopus Deploy and am setting it up as an evaluation to see if it can meet our needs as we build out our SaaS solution.

Since I don’t manage the QA environment, I’ll get with our testing team in the morning and have them verify using their Azure US Government subscription by following the steps you outlined below.

Mark,

I tried this morning and no luck getting it to work.

Here are the steps we went through.

Log into our Azure Government Site (https://manage.windowsazure.us) and take note of the SubscriptionId.

Using our demo Octopus server, we created a new project, defined two project variables and defined our first step, Deploy an Azure Cloud Service.

In Step Details, I chose the Package ID of the package I want to deploy, selected the Azure Government Account and immediately Cloud Service and Storage Account fail with “ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and associated with this subscription”

When we created the Azure Government Account, I entered the Azure Subscription Id and some general information and clicked Save. Then went back to Edit Account, and downloaded the generated certificate file and subsequently logged into Azure Government Management and using the Classic Portal, uploaded the certificate to the appropriate subscription id.

Hi,

Unfortunately the dropdowns in the UI will not work when trying to select your cloud-service. Setting those project variables will only fix the deployment execution, but the UI when setting up your step will still not function properly for non-global Azure regions (we’ll be fixing this as part of this issue in the near future).

To get around this and let you actually set up and save your step, you’ll need to do the following:

  • Select your account from the “Account” field dropdown (wait for the ForbiddenError error message)
  • Then click the little checkbox next to the account dropdown and select “Use a custom expression”
    • when you do this, you should see your account name in its plain form (eg. azuresubscription-...)
  • For the “Cloud service” field, you can now enter your cloud-service name into the textarea (use the same name as it appears in Azure)
  • Do the same for the “Storage account” field

Then you should be able to save your step and test an actual deployment.

Unfortunately we don’t have access to a USGovernment, China or German Azure subscription to test this, but other customers ran into this issue from Germany and were able to get this working, so we believe those steps above should let you create your step.

From what you’ve mentioned, we believe you’ve set up everything else correctly. Once you can save your step you can test an actual deployment.

Let me know if that all makes sense and how you go.

Cheers
Mark