github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Configure/deploy_aad_pod_dedicated_sp.md

---
title: "Deploy AAD Pod Identity with a Dedicated Service Principal"
linkTitle: "Deploy AAD Pod Identity with a Dedicated Service Principal"
weight: 2
description: >
  Let users run aad-pod-identity with a separate service principal (the aad-pod-identity admin service principal) instead of the cluster service principal, and stop reading credentials from /etc/kubernetes/azure.json.
---

> Available from the 1.5 release

## The why

Goal: let users run aad-pod-identity with a separate service principal (the aad-pod-identity admin service principal) instead of the cluster service principal, and stop reading credentials from `/etc/kubernetes/azure.json`.

Users now have the option to deploy aad-pod-identity with a separate service principal; that principal's client secret and the other configuration `mic` needs are stored in a Kubernetes Secret object instead of in `/etc/kubernetes/azure.json` on the nodes.

## Permissions

The admin service principal needs the 'Contributor' role over the node resource group (the resource group whose name starts with "MC_", where the cluster's virtual machines or virtual machine scale set live). Because this is a long-lived credential with write access to every resource in that group, restrict who can read the Kubernetes Secret that holds it.

Create a new service principal with that role:

```shell
az ad sp create-for-rbac -n "<sp_name>" --role "Contributor" --scopes "/subscriptions/<subscription-id>/resourceGroups/<MC_node_resource_group>"
```

> Note the `appId` (client id), `password` (secret) and `tenant` from the resulting JSON; they are used when creating the admin secret.
Or assign the role to an existing service principal:

```shell
az role assignment create --role "Contributor" --assignee <sp_id> --scope "/subscriptions/<subscription-id>/resourceGroups/<MC_node_resource_group>"
```

For every user-assigned managed identity that is later bound to a pod, the admin service principal must also be granted the 'Managed Identity Operator' role over that identity (also stated [here](../../getting-started/role-assignment/)):

```shell
az role assignment create --role "Managed Identity Operator" --assignee <sp_id> --scope <resource id of the managed identity>
```

## Create the admin secret

The `aadpodidentity-admin-secret` contains the following fields:

* Cloud: `<base64-encoded-cloud>`
  * 'Cloud' should be chosen from the following case-insensitive values: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`, `AzureGermanCloud` (values taken from [here](https://raw.githubusercontent.com/Azure/go-autorest/master/autorest/azure/environments.go)).
* SubscriptionID: `<base64-encoded-subscription-id>`
* ResourceGroup: `<base64-encoded-resource-group>`
  * 'ResourceGroup' is the node resource group where the actual virtual machines or virtual machine scale set reside.
* VMType: `<base64-encoded-vm-type>`
  * 'VMType' is optional and can be one of these values: `standard` for normal virtual machine nodes, and `vmss` for clusters deployed with a virtual machine scale set.
* TenantID: `<base64-encoded-tenant-id>`
* ClientID: `<base64-encoded-client-id>`
* ClientSecret: `<base64-encoded-client-secret>`
  * 'TenantID', 'ClientID' and 'ClientSecret' are the service principal's `tenant`, `appId` and `password` respectively.

> Use `echo -n 'secret-content' | base64` to create a base64-encoded string. The `-n` matters: without it the trailing newline becomes part of the stored value, and authentication with that tenant/client/secret will fail.
Fill in those secret values in `/deploy/infra/noazurejson/deployment.yaml` or `/deploy/infra/noazurejson/deployment-rbac.yaml` before running `kubectl create -f ./deploy/infra/noazurejson/deployment.yaml` or `kubectl create -f ./deploy/infra/noazurejson/deployment-rbac.yaml`.

> If you do not use the YAMLs above, `aadpodidentity-admin-secret` must be created before `mic` is deployed, and `mic` must reference the secret as shown in those YAMLs.

The secret's values are injected into `mic` as environment variables when the pod is created and are not refreshed during the pod's lifetime, so editing the Secret alone has no effect on a running `mic`. After rotating the service principal's secret, update the Kubernetes Secret and redeploy (restart) `mic` so it picks up the new values.
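One way to produce the `aadpodidentity-admin-secret` manifest from the field list above, as an added example that is not part of the aad-pod-identity project: a POSIX shell function that checks `Cloud` (case-insensitively) and `VMType` against the allowed values, base64-encodes every field with `printf '%s'` (so no trailing newline leaks into the stored value, and it also works on shells whose `echo` does not honour `-n`), omits `VMType` when it is not given, and prints a Secret that can be piped to `kubectl create -f -` in the namespace where `mic` runs. The field names are the ones documented above; the function names and the values in the usage comment are this example's own placeholders.

```shell
#!/bin/sh
# Added example: build the aadpodidentity-admin-secret manifest from plain values.
# Not part of the aad-pod-identity project; function names are this example's own.
set -eu

# b64 VALUE: base64-encode VALUE with no trailing newline in the input
# (printf '%s' instead of echo -n) and no line wrapping in the output,
# so the result is identical with GNU and BSD base64.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# canonical_cloud NAME: accept the four allowed cloud names case-insensitively
# and print the canonical spelling; fail on anything else.
canonical_cloud() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    azurepubliccloud)       echo AzurePublicCloud ;;
    azureusgovernmentcloud) echo AzureUSGovernmentCloud ;;
    azurechinacloud)        echo AzureChinaCloud ;;
    azuregermancloud)       echo AzureGermanCloud ;;
    *) echo "unknown Cloud value: $1" >&2; return 1 ;;
  esac
}

# check_vmtype TYPE: VMType is optional; when set it must be standard or vmss.
check_vmtype() {
  case "$1" in
    ""|standard|vmss) printf '%s' "$1" ;;
    *) echo "unknown VMType value: $1" >&2; return 1 ;;
  esac
}

# admin_secret_manifest CLOUD SUBSCRIPTION_ID RESOURCE_GROUP VMTYPE TENANT_ID CLIENT_ID CLIENT_SECRET
# Prints a Secret named aadpodidentity-admin-secret on stdout. No namespace is set
# on purpose: create it in the namespace mic is deployed to (kubectl -n <ns> create -f -).
admin_secret_manifest() {
  cloud=$(canonical_cloud "$1") || return 1
  vmtype=$(check_vmtype "$4") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: aadpodidentity-admin-secret
type: Opaque
data:
  Cloud: $(b64 "$cloud")
  SubscriptionID: $(b64 "$2")
  ResourceGroup: $(b64 "$3")
EOF
  # VMType is left out entirely when not given rather than stored as an empty string.
  if [ -n "$vmtype" ]; then
    printf '  VMType: %s\n' "$(b64 "$vmtype")"
  fi
  cat <<EOF
  TenantID: $(b64 "$5")
  ClientID: $(b64 "$6")
  ClientSecret: $(b64 "$7")
EOF
}

# Usage (placeholder values, not real credentials; tenant/appId/password come from
# the JSON printed by `az ad sp create-for-rbac`):
#   admin_secret_manifest AzurePublicCloud 00000000-0000-0000-0000-000000000000 \
#     MC_myrg_mycluster_eastus vmss <tenant> <appId> <password> | kubectl create -f -
```

The three identifiers can be pulled straight out of the `az ad sp create-for-rbac` output with `--query '[tenant,appId,password]' -o tsv` instead of copying them by hand. Remember that base64 is an encoding, not encryption: anyone who can `get` Secrets in that namespace can recover a Contributor-level credential, so scope RBAC on Secrets tightly and enable encryption at rest for the cluster's etcd.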