* 1293 Creating an AKS Cluster page may need a refresh

* consistent variable name and styling

* waffling on whether app or client ID should be primary

* --skip-assignment is deprecated

According to https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac, by default the `az ad sp create-for-rbac` command does not assign any role to the service principal.

* slightly modifying command based on https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac

* re-orging instructions and revising wording

* consistent variable names, assorted suggestions

* syncing versions

* missing changes

* Apply suggestions from code review

Co-authored-by: Billy Tat <btat@suse.com>

* correcting copy/paste error

---------

Co-authored-by: Billy Tat <btat@suse.com>
Marty Hernandez Avedon
2024-06-04 17:43:05 -04:00
committed by GitHub
parent 42989a7850
commit a4be67af23
6 changed files with 85 additions and 147 deletions
@@ -19,7 +19,7 @@ Before creating the service principal, you need to obtain the following informat
- Your subscription ID
- Your tenant ID
- An app ID (also called a client ID)
- Client ID (also known as app ID)
- Client secret
- A resource group
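Review bot: the prerequisite now leads with "Client ID (also known as app ID)", but the sample output in the CLI section of this same page still labels that value `appId`; add a short parenthetical that the `appId` field in the `az ad sp create-for-rbac` output is the client ID, so the two terms resolve to one value for the reader.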
@@ -27,45 +27,35 @@ The below sections describe how to set up these prerequisites using either the A
### Setting Up the Service Principal with the Azure Command Line Tool
You can create the service principal by running this command:
You must assign roles to the service principal so that it has communication privileges with the AKS API. It also needs access to create and list virtual networks.
In the following example, the command creates the service principal and gives it the Contributor role. The Contributor role can manage anything on AKS but cannot give access to others. Note that you must provide `scopes` a full path to at least one Azure resource:
```
az ad sp create-for-rbac --skip-assignment
az ad sp create-for-rbac --role Contributor --scopes /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>
```
The result should show information about the new service principal:
```
{
"appId": "xxxx--xxx",
"displayName": "<SERVICE-PRINCIPAL-NAME>",
"name": "http://<SERVICE-PRINCIPAL-NAME>",
"password": "<SECRET>",
"tenant": "<TENANT NAME>"
"displayName": "<service-principal-name>",
"name": "http://<service-principal-name>",
"password": "<secret>",
"tenant": "<tenant-name>"
}
```
You also need to add roles to the service principal so that it has privileges for communication with the AKS API. It also needs access to create and list virtual networks.
Below is an example command for assigning the Contributor role to a service principal. Contributors can manage anything on AKS but cannot give access to others:
The following creates a [Resource Group](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli) to contain your Azure resources:
```
az role assignment create \
--assignee $appId \
--scope /subscriptions/$<SUBSCRIPTION-ID>/resourceGroups/$<GROUP> \
--role Contributor
```
You can also create the service principal and give it Contributor privileges by combining the two commands into one. In this command, the scope needs to provide a full path to an Azure resource:
```
az ad sp create-for-rbac \
--scope /subscriptions/$<SUBSCRIPTION-ID>/resourceGroups/$<GROUP> \
--role Contributor
az group create --location <azure-location-name> --resource-group <resource-group-name>
```
### Setting Up the Service Principal from the Azure Portal
You can also follow these instructions to set up a service principal and give it role-based access from the Azure Portal.
Follow these instructions to set up a service principal and give it role-based access from the Azure Portal.
1. Go to the Microsoft Azure Portal [home page](https://portal.azure.com).
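Review bot: ordering problem in the CLI section. The new `az ad sp create-for-rbac --role Contributor --scopes /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>` command assigns the role at the resource group scope, so that resource group has to exist before the command is run, yet the `az group create --location <azure-location-name> --resource-group <resource-group-name>` step is introduced after it. Move the resource group creation above the service principal command, or state explicitly that the group must exist first. Scoping the Contributor assignment to a single resource group rather than the whole subscription is the right least-privilege choice here and is worth one sentence saying so, since the surrounding text only says that `scopes` needs a full resource path.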
@@ -75,7 +65,7 @@ You can also follow these instructions to set up a service principal and give it
1. Click **New registration.**
1. Enter a name. This will be the name of your service principal.
1. Enter a name for your service principal.
1. Optional: Choose which accounts can use the service principal.