3.6 KiB
Microsoft Azure Container Service Engine
Service Principals
Overview
Service Accounts in Azure are tied to Active Directory Service Principals. You can read more about Service Principals and AD Applications: "Application and service principal objects in Azure Active Directory".
Kubernetes uses a Service Principal to talk to Azure APIs to dynamically manage resources such as User Defined Routes and L4 Load Balancers.
Creating a Service Principal
There are several ways to create a Service Principal in Azure Active Directory:
-
With the Azure CLI
- Subscription level scope
az login az account set --subscription="${SUBSCRIPTION_ID}" az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
- Resource group level scope
az login az account set --subscription="${SUBSCRIPTION_ID}" az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}"
This will output your
appId
,password
,name
, andtenant
. Thename
orappId
may be used for theservicePrincipalProfile.clientId
and thepassword
is used forservicePrincipalProfile.secret
.Confirm your service principal by opening a new shell and run the following commands substituting in
name
,password
, andtenant
:az login --service-principal -u NAME -p PASSWORD --tenant TENANT az vm list-sizes --location westus
- Subscription level scope
-
With PowerShell
Instructions: "Use Azure PowerShell to create a service principal to access resources"
To get you started quickly, the following are simplified instructions for creating a single-tenant AD application and a service principal with password authentication. Please read the full instructions above for proper RBAC setup of your application. Display name and URI are a friendly arbitrary name and address for your application.
PS> Login-AzureRmAccount -SubscriptionId $subscriptionId PS> $app = New-AzureRmADApplication -DisplayName $name -IdentifierUris $uri -Password $passwd PS> New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId PS> New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
The first command outputs your
tenantId
, used below. The$app.ApplicationId
is used for theservicePrincipalProfile.clientId
and the$passwd
is used forservicePrincipalProfile.secret
.Confirm your service principal by opening a new PowerShell session and running the following commands. Enter
$app.ApplicationId
for username.PS> $creds = Get-Credential PS> Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $creds PS> Get-AzureRmVMSize -Location westus
-
With the Portal
Instructions: "Use portal to create Active Directory application and service principal that can access resources"