aks-engine/docs/serviceprincipal.md

3.6 KiB

Microsoft Azure Container Service Engine

Service Principals

Overview

Service Accounts in Azure are tied to Active Directory Service Principals. You can read more about Service Principals and AD Applications: "Application and service principal objects in Azure Active Directory".

Kubernetes uses a Service Principal to talk to Azure APIs to dynamically manage resources such as User Defined Routes and L4 Load Balancers.

Creating a Service Principal

There are several ways to create a Service Principal in Azure Active Directory:

  • With the Azure CLI

    • Subscription level scope
      az login
      az account set --subscription="${SUBSCRIPTION_ID}"
      az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
      
    • Resource group level scope
      az login
      az account set --subscription="${SUBSCRIPTION_ID}"
      az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}"
      

    This will output your appId, password, name, and tenant. The name or appId may be used for the servicePrincipalProfile.clientId and the password is used for servicePrincipalProfile.secret.

    Confirm your service principal by opening a new shell and run the following commands substituting in name, password, and tenant:

    az login --service-principal -u NAME -p PASSWORD --tenant TENANT
    az vm list-sizes --location westus
    
  • With PowerShell

    Instructions: "Use Azure PowerShell to create a service principal to access resources"

    To get you started quickly, the following are simplified instructions for creating a single-tenant AD application and a service principal with password authentication. Please read the full instructions above for proper RBAC setup of your application. Display name and URI are a friendly arbitrary name and address for your application.

    PS> Login-AzureRmAccount -SubscriptionId $subscriptionId
    PS> $app = New-AzureRmADApplication -DisplayName $name -IdentifierUris $uri -Password $passwd
    PS> New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    PS> New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
    

    The first command outputs your tenantId, used below. The $app.ApplicationId is used for the servicePrincipalProfile.clientId and the $passwd is used for servicePrincipalProfile.secret.

    Confirm your service principal by opening a new PowerShell session and running the following commands. Enter $app.ApplicationId for username.

    PS> $creds = Get-Credential
    PS> Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $creds
    PS> Get-AzureRmVMSize -Location westus
    
  • With the Portal

    Instructions: "Use portal to create Active Directory application and service principal that can access resources"