Configure OPC UA user authentication options for Azure IoT OPC UA Broker Preview to use
Important
Azure IoT Operations Preview – enabled by Azure Arc is currently in PREVIEW. You shouldn't use this preview software in production environments.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
In this article, you learn how to configure OPC UA user authentication options. These options provide more control over how OPC UA Broker Preview authenticates with OPC UA servers in your environment.
To learn more, see OPC UA applications - user authentication.
Prerequisites
A deployed instance of Azure IoT Operations Preview. To deploy Azure IoT Operations for demonstration and exploration purposes, see Quickstart: Deploy Azure IoT Operations – to an Arc-enabled Kubernetes cluster.
Features supported
| Feature | Supported |
|---|---|
| OPC UA user authentication with username and password. | ✅ |
| OPC UA user authentication with an X.509 user certificate. | ❌ |
Configure username and password authentication
First, configure the secrets for the username and password in Azure Key Vault and project them into the connected cluster by using a SecretProviderClass object.
Configure the username and password in Azure Key Vault. In the following example, use the
usernameandpasswordas secret references for the asset endpoint configuration in the Azure IoT Operations (preview) portal.Replace the placeholders for username and password with the credentials used to connect to the OPC UA server.
To configure the username and password, run the following code:
# Create username Secret in Azure Key Vault az keyvault secret set \ --name "username" \ --vault-name "<your-azure-key-vault-name>" \ --value "<your-opc-ua-server-username>" \ --content-type "text/plain" # Create password Secret in Azure Key Vault az keyvault secret set \ --name "password" \ --vault-name "<your-azure-key-vault-name>" \ --value "<your-opc-ua-server-username>" \ --content-type "text/plain"Configure the
aio-opc-ua-broker-user-authenticationcustom resource in the cluster. Use a Kubernetes client such askubectlto configure theusernameandpasswordsecrets in theSecretProviderClassobject array in the cluster.The following example shows a complete
SecretProviderClasscustom resource after you add the secrets:apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: aio-opc-ua-broker-user-authentication namespace: azure-iot-operations spec: provider: azure parameters: usePodIdentity: 'false' keyvaultName: <azure-key-vault-name> tenantId: <azure-tenant-id> objects: | array: - | objectName: username objectType: secret objectVersion: "" - | objectName: password objectType: secret objectVersion: ""Note
The time it takes to project Azure Key Vault certificates into the cluster depends on the configured polling interval.
In the Azure IoT Operations (preview) portal, select the Username & password option when you configure the Asset endpoint. Enter the names of the references that store the username and password values. In this example, the names of the references are username and password.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for