Configure OPC UA user authentication options for the connector for OPC UA
Important
Azure IoT Operations Preview – enabled by Azure Arc is currently in preview. You shouldn't use this preview software in production environments.
You'll need to deploy a new Azure IoT Operations installation when a generally available release is made available. You won't be able to upgrade a preview installation.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
In this article, you learn how to configure OPC UA user authentication options. These options provide more control over how the connector for OPC UA authenticates with OPC UA servers in your environment.
To learn more, see OPC UA applications - user authentication.
Prerequisites
A deployed instance of Azure IoT Operations Preview. To deploy Azure IoT Operations for demonstration and exploration purposes, see Quickstart: Run Azure IoT Operations Preview in GitHub Codespaces with K3s.
Features supported
| Feature | Supported |
|---|---|
| OPC UA user authentication with username and password. | ✅ |
| OPC UA user authentication with an X.509 user certificate. | ❌ |
Configure username and password authentication
First, configure the secrets for the username and password in Azure Key Vault and project them into the connected cluster by using a SecretProviderClass object.
Configure the username and password in Azure Key Vault. In the following example, use `username` and `password` as the secret references for the asset endpoint configuration in the operations experience web UI. Replace the placeholders for the username and password with the credentials used to connect to the OPC UA server.

To configure the username and password, run the following code:

```bash
# Create username Secret in Azure Key Vault
az keyvault secret set \
  --name "username" \
  --vault-name "<your-azure-key-vault-name>" \
  --value "<your-opc-ua-server-username>" \
  --content-type "text/plain"

# Create password Secret in Azure Key Vault
az keyvault secret set \
  --name "password" \
  --vault-name "<your-azure-key-vault-name>" \
  --value "<your-opc-ua-server-password>" \
  --content-type "text/plain"
```
Configure the `aio-opc-ua-broker-user-authentication` custom resource in the cluster. Use a Kubernetes client such as `kubectl` to add the `username` and `password` secrets to the `SecretProviderClass` object array in the cluster. The following example shows a complete `SecretProviderClass` custom resource after you add the secrets:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aio-opc-ua-broker-user-authentication
  namespace: azure-iot-operations
spec:
  provider: azure
  parameters:
    usePodIdentity: 'false'
    keyvaultName: <azure-key-vault-name>
    tenantId: <azure-tenant-id>
    objects: |
      array:
        - |
          objectName: username
          objectType: secret
          objectVersion: ""
        - |
          objectName: password
          objectType: secret
          objectVersion: ""
```
Note
The time it takes to project Azure Key Vault certificates into the cluster depends on the configured polling interval.
In the operations experience, select the Username & password option when you configure the asset endpoint. Enter the names of the references that store the username and password values. In this example, the names of the references are `username` and `password`.
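The following script is an added example and is not part of the Azure IoT Operations documentation or product. It wraps the two steps above: it stores the OPC UA server credentials in Key Vault (reading them from environment variables rather than command-line placeholders, so they don't land in shell history), renders the `aio-opc-ua-broker-user-authentication` SecretProviderClass for any list of secret names, and checks the rendered manifest lists each expected secret before you `kubectl apply` it. The function names (`store_opcua_credentials`, `render_spc`, `spc_lists_secret`, `spc_secret_count`), the environment variable names, and the vault and tenant values are assumptions for illustration; only the manifest layout comes from the page.

```shell
#!/usr/bin/env sh
# Added example (not from the Azure IoT Operations docs). Function names,
# environment variable names and sample vault/tenant values are assumptions.

# store_opcua_credentials <vault-name>
# Writes the username and password secrets to Key Vault with the same names
# the page uses. Credentials come from OPC_UA_USERNAME / OPC_UA_PASSWORD so
# they are not typed on the command line. Not run by the checks below.
store_opcua_credentials() {
  vault="$1"
  : "${OPC_UA_USERNAME:?set OPC_UA_USERNAME}" "${OPC_UA_PASSWORD:?set OPC_UA_PASSWORD}"
  az keyvault secret set --name "username" --vault-name "$vault" \
    --value "$OPC_UA_USERNAME" --content-type "text/plain" >/dev/null
  az keyvault secret set --name "password" --vault-name "$vault" \
    --value "$OPC_UA_PASSWORD" --content-type "text/plain" >/dev/null
}

# render_spc <vault-name> <tenant-id> <secret-name>...
# Prints the SecretProviderClass manifest shown on the page, with one
# objects-array entry per secret name given.
render_spc() {
  vault="$1"; tenant="$2"; shift 2
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aio-opc-ua-broker-user-authentication
  namespace: azure-iot-operations
spec:
  provider: azure
  parameters:
    usePodIdentity: 'false'
    keyvaultName: ${vault}
    tenantId: ${tenant}
    objects: |
      array:
EOF
  for name in "$@"; do
    cat <<EOF
        - |
          objectName: ${name}
          objectType: secret
          objectVersion: ""
EOF
  done
}

# spc_lists_secret <manifest-file> <secret-name>
# Succeeds only when the manifest projects the named object as a Key Vault
# secret (objectName line immediately followed by objectType: secret).
spc_lists_secret() {
  awk -v want="$2" '
    $1 == "objectName:" { pending = ($2 == want) ; next }
    $1 == "objectType:" { if (pending && $2 == "secret") found = 1; pending = 0 }
    END { exit found ? 0 : 1 }' "$1"
}

# spc_secret_count <manifest-file>
# Prints how many objects the manifest projects.
spc_secret_count() {
  grep -c '^ *objectName:' "$1"
}

# Typical use (constructed values; never commit real tenant ids or credentials):
#   store_opcua_credentials my-aio-vault
#   render_spc my-aio-vault "<azure-tenant-id>" username password > spc.yaml
#   spc_lists_secret spc.yaml username && spc_lists_secret spc.yaml password \
#     && kubectl apply -f spc.yaml
```

The check functions exist because a SecretProviderClass that silently omits one of the two references is still accepted by the cluster; the failure only shows up later as the connector being unable to authenticate to the server. Verifying the manifest before applying it turns that runtime error into a pre-deployment one.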