Menu Close

3.8.3.6. Creating a service principal

Because OpenShift Container Platform and its installation program must create Microsoft Azure resources through Azure Resource Manager, you must create a service principal to represent it.

Prerequisites

  • Install or update the Azure CLI.
  • Install the jq package.
  • Your Azure account has the required roles for the subscription that you use.

Procedure

  1. Log in to the Azure CLI:

    $ az login

    Log in to Azure in the web console by using your credentials.

  2. If your Azure account uses subscriptions, ensure that you are using the right subscription.

    1. View the list of available accounts and record the tenantId value for the subscription you want to use for your cluster:

      $ az account list --refresh

      Example output

      [
        {
          "cloudName": "AzureCloud",
          "id": "9bab1460-96d5-40b3-a78e-17b15e978a80",
          "isDefault": true,
          "name": "Subscription Name",
          "state": "Enabled",
          "tenantId": "6057c7e9-b3ae-489d-a54e-de3f6bf6a8ee",
          "user": {
            "name": "you@example.com",
            "type": "user"
          }
        }
      ]

    2. View your active account details and confirm that the tenantId value matches the subscription you want to use:

      $ az account show

      Example output

      {
        "environmentName": "AzureCloud",
        "id": "9bab1460-96d5-40b3-a78e-17b15e978a80",
        "isDefault": true,
        "name": "Subscription Name",
        "state": "Enabled",
        "tenantId": "6057c7e9-b3ae-489d-a54e-de3f6bf6a8ee", 1
        "user": {
          "name": "you@example.com",
          "type": "user"
        }
      }

      1
      Ensure that the value of the tenantId parameter is the UUID of the correct subscription.
    3. If you are not using the right subscription, change the active subscription:

      $ az account set -s <id> 1
      1
      Substitute the value of the id for the subscription that you want to use for <id>.
    4. If you changed the active subscription, display your account information again:

      $ az account show

      Example output

      {
        "environmentName": "AzureCloud",
        "id": "33212d16-bdf6-45cb-b038-f6565b61edda",
        "isDefault": true,
        "name": "Subscription Name",
        "state": "Enabled",
        "tenantId": "8049c7e9-c3de-762d-a54e-dc3f6be6a7ee",
        "user": {
          "name": "you@example.com",
          "type": "user"
        }
      }

  3. Record the values of the tenantId and id parameters from the previous output. You need these values during OpenShift Container Platform installation.
  4. Create the service principal for your account:

    $ az ad sp create-for-rbac --role Contributor --name <service_principal> 1
    1
    Replace <service_principal> with the name to assign to the service principal.

    Example output

    Changing "<service_principal>" to a valid URI of "http://<service_principal>", which is the required format used for service principal names
    Retrying role assignment creation: 1/36
    Retrying role assignment creation: 2/36
    Retrying role assignment creation: 3/36
    Retrying role assignment creation: 4/36
    {
      "appId": "8bd0d04d-0ac2-43a8-928d-705c598c6956",
      "displayName": "<service_principal>",
      "name": "http://<service_principal>",
      "password": "ac461d78-bf4b-4387-ad16-7e32e328aec6",
      "tenant": "6048c7e9-b2ad-488d-a54e-dc3f6be6a7ee"
    }

  5. Record the values of the appId and password parameters from the previous output. You need these values during OpenShift Container Platform installation.
  6. Grant additional permissions to the service principal. The service principal requires the legacy Azure Active Directory Graph → Application.ReadWrite.OwnedBy permission and the User Access Administrator role for the cluster to assign credentials for its components.

    1. To assign the User Access Administrator role, run the following command:

      $ az role assignment create --role "User Access Administrator" \
          --assignee-object-id $(az ad sp list --filter "appId eq '<appId>'" \ 1
             | jq '.[0].objectId' -r)
      1
      Replace <appId> with the appId parameter value for your service principal.
    2. To assign the Azure Active Directory Graph permission, run the following command:

      $ az ad app permission add --id <appId> \ 1
           --api 00000002-0000-0000-c000-000000000000 \
           --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role
      1
      Replace <appId> with the appId parameter value for your service principal.

      Example output

      Invoking "az ad app permission grant --id 46d33abc-b8a3-46d8-8c84-f0fd58177435 --api 00000002-0000-0000-c000-000000000000" is needed to make the change effective

      For more information about the specific permissions that you grant with this command, see the GUID Table for Windows Azure Active Directory Permissions.

    3. Approve the permissions request. If your account does not have the Azure Active Directory tenant administrator role, follow the guidelines for your organization to request that the tenant administrator approve your permissions request.

      $ az ad app permission grant --id <appId> \ 1
           --api 00000002-0000-0000-c000-000000000000
      1
      Replace <appId> with the appId parameter value for your service principal.