credentials.md

File metadata and controls

58 lines (38 loc) · 4.18 KB

Service Principal

Before proceeding with the OpenShift install, you should create a service principal with administrative rights for your subscription following the steps outlined here:

Azure: Creating a Service Principal

Step 1: Create a Service Principal

You can create a Service Principal using the Azure portal or the Azure CLI.

Step 2: Request permissions for the Service Principal from Tenant Administrator

In order to properly mint credentials for components in the cluster, your service principal needs to request the following Application permission before you can deploy OpenShift on Azure: Azure Active Directory Graph -> Application.ReadWrite.OwnedBy

You can request permissions using the Azure portal or the Azure CLI.

Requesting permissions using the Azure CLI

Find the AppId for your service principal by running:

$ az ad sp list --show-mine -otable
AccountEnabled    AppDisplayName     AppId                                 AppOwnerTenantId                      AppRoleAssignmentRequired    DisplayName        Homepage                   ObjectId                              ObjectType        Odata.type                                    PublisherName    ServicePrincipalType    SignInAudience
----------------  -----------------  ------------------------------------  ------------------------------------  ---------------------------  -----------------  -------------------------  ------------------------------------  ----------------  --------------------------------------------  ---------------  ----------------------  ----------------
...

You can request the Application.ReadWrite.OwnedBy permission by running:

az ad app permission add --id <AppId> --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role

NOTE: The Application.ReadWrite.OwnedBy permission is granted to the application only after a Tenant Administrator provides Admin Consent for it.

Step 3: Attach Administrative Role

The Azure installer creates new identities for the cluster and therefore requires access to create new roles and role assignments. Your service principal therefore needs at least the Contributor and User Access Administrator roles assigned in your subscription.

You can create role assignments for your service principal using the Azure portal or the Azure CLI.

Step 4: Acquire Client Secret

You need to save the client secret values to configure your local machine to run the installer. This step is your opportunity to collect those values; if you did not capture them, additional credentials can be added to the service principal in the Azure portal.

You can get the client secret for your service principal using the Azure portal or the Azure CLI.
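The following script is an added example, not part of the OpenShift installer documentation or code base. It ties Steps 2 and 3 together as a pre-flight check: given an AppId, it verifies that the service principal holds the two subscription roles named above and that the Application.ReadWrite.OwnedBy permission (using the API and permission ids exactly as given on this page) has been requested. It assumes the az CLI is installed and logged in to the target subscription; the function names and the `check_sp.sh` file name are the example's own.

```shell
#!/bin/sh
# Added example (not from the OpenShift installer docs): verify that a service
# principal satisfies the role and permission requirements on this page before
# running the installer. Assumes the az CLI is installed and logged in.
set -eu

# API and permission ids exactly as given on the page (Azure Active Directory
# Graph -> Application.ReadWrite.OwnedBy) and the two subscription roles needed.
GRAPH_API_ID="00000002-0000-0000-c000-000000000000"
APP_RW_OWNEDBY_ID="824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
REQUIRED_ROLES="Contributor
User Access Administrator"

# missing_roles ASSIGNED
#   ASSIGNED is a newline-separated list of role names, i.e. the output of
#   `az role assignment list --assignee <AppId> --query "[].roleDefinitionName" -o tsv`.
#   Prints each required role that is absent; returns 1 if any is missing.
missing_roles() {
  assigned="$1"
  rc=0
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$assigned" | grep -Fxq -- "$role"; then
      printf '%s\n' "$role"
      rc=1
    fi
  done <<EOF
$REQUIRED_ROLES
EOF
  return "$rc"
}

# permission_requested IDS
#   IDS is a newline-separated list of permission ids requested on the Graph API,
#   i.e. the output of `az ad app permission list --id <AppId>
#   --query "[?resourceAppId=='<GRAPH_API_ID>'].resourceAccess[].id" -o tsv`.
#   Returns 0 when Application.ReadWrite.OwnedBy is among them.
permission_requested() {
  printf '%s\n' "$1" | grep -Fxq -- "$APP_RW_OWNEDBY_ID"
}

# check_sp APPID: run both checks against the live subscription. A requested
# application permission is only effective once a Tenant Administrator has
# granted Admin Consent (see the NOTE above), which this check cannot confirm.
check_sp() {
  appid="$1"
  roles=$(az role assignment list --assignee "$appid" \
            --query "[].roleDefinitionName" -o tsv)
  if missing=$(missing_roles "$roles"); then
    echo "roles: ok"
  else
    echo "roles: missing the following assignments:"
    echo "$missing"
    return 1
  fi
  ids=$(az ad app permission list --id "$appid" \
          --query "[?resourceAppId=='$GRAPH_API_ID'].resourceAccess[].id" -o tsv)
  if permission_requested "$ids"; then
    echo "Application.ReadWrite.OwnedBy: requested (confirm Admin Consent was granted)"
  else
    echo "Application.ReadWrite.OwnedBy: not requested"
    return 1
  fi
}

# Usage: sh check_sp.sh <AppId>
[ $# -eq 0 ] || check_sp "$1"
```

Run it with the AppId found in Step 2; a non-zero exit means a role assignment or the permission request is still missing. The two helper functions take the CLI output as plain text so they can be exercised offline with constructed input.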