github.com/openshift/installer@v1.4.17/docs/user/azure/credentials.md

# Service Principal

Before proceeding with the OpenShift install, you should create a service principal with administrative rights for your subscription following the steps outlined here:

[Azure: Creating a Service Principal][sp-create]

## Step 1: Create a Service Principal

You can create a Service Principal using the Azure [portal][sp-create-portal] or the Azure [cli][sp-create-cli].

## Step 2: Request permissions for the Service Principal from Tenant Administrator

In order to properly mint credentials for components in the cluster, your service principal needs to request the following Application [permission][ad-permissions] before you can deploy OpenShift on Azure: `Azure Active Directory Graph -> Application.ReadWrite.OwnedBy`

You can request permissions using the Azure portal or the Azure cli.

### Requesting permissions using the Azure cli

Find the AppId for your service principal by using:

```console
$ az ad sp list --show-mine -otable
AccountEnabled    AppDisplayName    AppId                                 AppOwnerTenantId                      AppRoleAssignmentRequired    DisplayName        Homepage                  ObjectId                              ObjectType        Odata.type                                    PublisherName    ServicePrincipalType    SignInAudience
----------------  ----------------  ------------------------------------  ------------------------------------  ---------------------------  -----------------  ------------------------  ------------------------------------  ----------------  --------------------------------------------  ---------------  ----------------------  ----------------
...
```

You can request the `Application.ReadWrite.OwnedBy` permission by using:

```sh
az ad app permission add --id <AppId> --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role
```

NOTE: The `Application.ReadWrite.OwnedBy` permission is granted to the application only after the Tenant Administrator provides [`Admin Consent`][ad-admin-consent]; adding the permission with the command above only records the request.

## Step 3: Attach Administrative Role

The Azure installer creates new identities for the cluster and therefore requires access to create new roles and role assignments. Your service principal must therefore have at least the `Contributor` and `User Access Administrator` [roles][built-in-roles] assigned in your subscription.

You can create role assignments for your service principal using the Azure [portal][sp-assign-portal] or the Azure [cli][sp-assign-cli].

## Step 4: Acquire Client Secret

You need to save the client secret values to configure your local machine to run the installer. This step is your opportunity to collect those values; if you did not capture them, additional credentials can be added to the service principal in the Azure portal.

You can get the client secret for your service principal using the Azure [portal][sp-creds-portal] or the Azure [cli][sp-creds-cli].

[ad-admin-consent]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent#types-of-consent
[ad-permissions]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent
[sp-create]: https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-create-service-principals
[sp-create-portal]: https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-create-service-principals#create-service-principal-for-azure-ad
[sp-create-cli]: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#create-a-service-principal
[built-in-roles]: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
[sp-assign-portal]: https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-create-service-principals#assign-the-service-principal-to-a-role
[sp-assign-cli]: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#manage-service-principal-roles
[sp-creds-portal]: https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-create-service-principals#get-credentials
[sp-creds-cli]: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#reset-credentials
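Before handing the service principal to the installer, it is worth verifying that Steps 2 and 3 produced exactly the permission and roles this page asks for and nothing broader. The following is an added example, not part of the installer docs or code base: it checks the JSON that `az ad app permission list --id <AppId>` and `az role assignment list --assignee <AppId> -o json` print. The `resourceAppId`/`resourceAccess` and `roleDefinitionName`/`scope` field names are assumed from those commands' output; the sample input is constructed. It confirms the permission was requested, not that admin consent was granted.

```python
import json

# Identifiers taken from the page: the Azure AD Graph API and the
# Application.ReadWrite.OwnedBy application permission (type Role).
AAD_GRAPH_API = "00000002-0000-0000-c000-000000000000"
APP_READWRITE_OWNEDBY = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
# Subscription roles the installer needs (Step 3).
REQUIRED_ROLES = {"Contributor", "User Access Administrator"}
# Roles broader than the installer needs; flagged so they are not left behind.
OVERBROAD_ROLES = {"Owner"}


def check_app_permissions(permissions_json):
    """Return (ok, problems) for `az ad app permission list` output (assumed shape)."""
    found = False
    for resource in json.loads(permissions_json):
        if resource.get("resourceAppId") != AAD_GRAPH_API:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("id") == APP_READWRITE_OWNEDBY and access.get("type") == "Role":
                found = True
    problems = [] if found else ["missing Application.ReadWrite.OwnedBy (Role) on Azure AD Graph"]
    return not problems, problems


def check_role_assignments(assignments_json, subscription_id):
    """Return (ok, problems) for `az role assignment list` output (assumed shape).

    Only assignments scoped to the whole subscription count; resource-group
    scoped ones would not let the installer create cluster-wide identities.
    """
    scope = f"/subscriptions/{subscription_id}"
    roles = {a["roleDefinitionName"] for a in json.loads(assignments_json) if a.get("scope") == scope}
    problems = [f"missing role {r} at {scope}" for r in sorted(REQUIRED_ROLES - roles)]
    problems += [f"over-broad role {r} at {scope}" for r in sorted(roles & OVERBROAD_ROLES)]
    return not problems, problems


# Constructed sample CLI output for a correctly configured service principal.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_PERMISSIONS = json.dumps([
    {"resourceAppId": AAD_GRAPH_API, "resourceAccess": [{"id": APP_READWRITE_OWNEDBY, "type": "Role"}]}
])
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"roleDefinitionName": "User Access Administrator", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
])

if __name__ == "__main__":
    for ok, problems in (check_app_permissions(SAMPLE_PERMISSIONS),
                         check_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION)):
        print("OK" if ok else "\n".join(problems))
```

To check a real principal, pipe each command's JSON into the matching function in place of the constructed samples.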