How to deploy PAM with AZ CLI in Azure

Article ID: 259769


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This script uses the Azure CLI to demonstrate how to deploy a fresh PAM appliance into Azure in an automated way.

 

Environment

PAM 3.x, 4.x 

Cause

Although the Azure CLI is available for various operating systems, this script is written for Linux. It should not be a problem to adapt it for other operating systems as well.

Resolution

## Variables - replace with what is suitable

RESOURCE_GROUP=myPAMrg

## To get a list of available Azure locations run
## az account list-locations -o table
LOCATION=germanywestcentral

STORAGE_ACCOUNT=pamstorage$RANDOM

CONTAINER=pamvhdcontainer

## Put here the full path to the vhd file on your local box which is to be uploaded to Azure
PAMVHD="capam-3.4.0.424.vhd"

PAMINSTANCENAME=PAM1

 

 

## Log in to Azure, e.g. as an Owner / Contributor of the subscription

az login

 

 

## Create a resource group

az group create \
  --name "$RESOURCE_GROUP" \
  --location "$LOCATION"

 

## Create a storage account

az storage account create \
  --name "$STORAGE_ACCOUNT" \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --sku Standard_LRS

## In this example the storage account is only used to deploy the PAM vhd, hence Standard_LRS is sufficient.
## If the storage account is also to be used for storing the session recordings and DB backups, redundant storage might be desirable instead, e.g. Standard_GRS

 

 

## Create a container

az storage container create \
  --account-name "$STORAGE_ACCOUNT" \
  --name "$CONTAINER"

 

 

## Upload the PAM vhd

az storage blob upload \
  --account-name "$STORAGE_ACCOUNT" \
  --container-name "$CONTAINER" \
  --name pamvhd \
  --file "$PAMVHD"

 

 

## Create the PAM OS Disk from the VHD in the Blob Storage.

az disk create \
  --resource-group "$RESOURCE_GROUP" \
  --name pamosdisk \
  --source "https://$STORAGE_ACCOUNT.blob.core.windows.net/$CONTAINER/pamvhd" \
  --size-gb 128 \
  --os-type Linux \
  --hyper-v-generation V1

 

## Create the PAM VM and attach the OS disk
## --nsg "" creates the VM without a network security group
az vm create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PAMINSTANCENAME" \
  --attach-os-disk pamosdisk \
  --os-type linux \
  --nsg "" \
  --size Standard_D16s_v4

At this step it might be desirable to specify additional parameters, e.g. an existing vnet-name / subnet in which to place the PAM appliance.
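
One way to specify such additional parameters, as an added example that is not part of the vendor's script: it creates a network security group that admits only HTTPS from one administrative range, then creates the VM with that group in an existing vnet/subnet, as an alternative to the `az vm create` call with `--nsg ""`. The names `pam-nsg`, `allow-admin-https`, `is_restricted_cidr` and `deploy_pam_restricted`, the constructed 203.0.113.0/24 range, and the assumptions that port 443 is the only inbound port needed and that the vnet lives in `$RESOURCE_GROUP` are illustrative and not from the article.

```shell
# Added example, not part of the vendor script. Assumed names: pam-nsg,
# allow-admin-https, and the arguments ADMIN_CIDR, VNET and SUBNET.

# Return 0 only for an IPv4 CIDR with a prefix of /1../32, so "*",
# "Internet" and 0.0.0.0/0 are refused as a source for the allow rule.
is_restricted_cidr() {
  case $1 in
    ''|*/*/*|*[!0-9./]*) return 1 ;;
    *.*.*.*/*) ;;
    *) return 1 ;;
  esac
  _ip=${1%/*}
  _prefix=${1#*/}
  case $_prefix in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$_prefix" -ge 1 ] && [ "$_prefix" -le 32 ] || return 1
  _oldifs=$IFS; IFS=.
  set -- $_ip            # split the address into octets
  IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case $_octet in ''|????*) return 1 ;; esac
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Create the NSG and its single inbound rule, then create the VM in an
# existing vnet/subnet (assumed to be in $RESOURCE_GROUP) with that NSG.
deploy_pam_restricted() {
  admin_cidr=$1 vnet=$2 subnet=$3
  is_restricted_cidr "$admin_cidr" || {
    echo "refusing unrestricted source: $admin_cidr" >&2; return 1; }
  az network nsg create \
    --resource-group "$RESOURCE_GROUP" --name pam-nsg &&
  az network nsg rule create \
    --resource-group "$RESOURCE_GROUP" --nsg-name pam-nsg \
    --name allow-admin-https --priority 100 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$admin_cidr" \
    --destination-port-ranges 443 &&
  az vm create \
    --resource-group "$RESOURCE_GROUP" --name "$PAMINSTANCENAME" \
    --attach-os-disk pamosdisk --os-type linux \
    --vnet-name "$vnet" --subnet "$subnet" \
    --nsg pam-nsg --size Standard_D16s_v4
}

# Usage with a constructed documentation range:
# deploy_pam_restricted 203.0.113.0/24 myVnet mySubnet
```

Clustered appliances and other integrations need further inbound rules beyond the single HTTPS rule shown here.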

 

Give the VM a few minutes to fully initialise, then access the PAM instance using the value of the publicIpAddress in the PAM Client, or run this loop and wait until the URL appears:

###############

## Look up the public IP address of the PAM VM
PAM_IP=$(az network public-ip show \
  --name "${PAMINSTANCENAME}PublicIP" \
  --resource-group "$RESOURCE_GROUP" \
  --output tsv \
  --query ipAddress)

## Poll health.php until curl succeeds; -k skips TLS certificate verification
until curl -k "https://$PAM_IP/health.php" >&2 ; do
  sleep 10
done

clear
echo "https://$PAM_IP/cspm/home"

###############

 

Once all PAM appliances are successfully deployed, the earlier uploaded VHD in the blob container may be deleted to save storage costs in Azure.

Additional Information