Microsoft Azure Container Service Engine

Service Principals

Overview

Azure's equivalent of a service account is an Azure Active Directory service principal, the identity object that belongs to an AD application. You can read more about Service Principals and AD Applications: "Application and service principal objects in Azure Active Directory".

Kubernetes uses a Service Principal to talk to Azure APIs to dynamically manage resources such as User Defined Routes and L4 Load Balancers. The principal's client ID and secret are placed on the cluster nodes for the Azure cloud provider to use, so the role you grant the principal is the blast radius of a compromised node.

Creating a Service Principal

There are several ways to create a Service Principal in Azure Active Directory:

  • With the Azure CLI

    az login
    az account set --subscription="${SUBSCRIPTION_ID}"
    az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"

    This will output your appId, displayName, name, password, and tenant. Use the appId (a GUID) for servicePrincipalProfile.servicePrincipalClientId and the password for servicePrincipalProfile.servicePrincipalClientSecret. The name is an identifier URI the CLI generated for the application; the appId is the unambiguous client identifier, so prefer it. The password is shown only once, at creation time, so record it in a secret store now.

    Contributor on the whole subscription is more than the cluster needs: anyone who obtains the secret can manage every resource in the subscription. If the cluster is deployed into its own resource group, pass that group's path (/subscriptions/<id>/resourceGroups/<name>) to --scopes instead, so the credential is bounded to what it must manage.

    Confirm your service principal by opening a new shell and running the following commands, substituting in appId, password, and tenant:

    az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT
    az vm list-sizes --location westus
  • With PowerShell

    Instructions: "Use Azure PowerShell to create a service principal to access resources"

    To get you started quickly, the following are simplified instructions for creating a single-tenant AD application and a service principal with password authentication. Read the full instructions linked above for proper RBAC setup of your application. The display name and identifier URI are an arbitrary friendly name and URI for the application; $passwd is the secret you choose, so generate a long random value rather than a memorable string.

    PS> Login-AzureRmAccount -SubscriptionId $subscriptionId
    PS> $app = New-AzureRmADApplication -DisplayName $name -IdentifierUris $uri -Password $passwd
    PS> New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    PS> New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

    The first command outputs your tenantId, used below. The $app.ApplicationId is used for servicePrincipalProfile.servicePrincipalClientId and $passwd for servicePrincipalProfile.servicePrincipalClientSecret. If New-AzureRmRoleAssignment reports that the principal cannot be found, wait a few seconds and run it again; a newly created service principal takes a moment to replicate before role assignments against it succeed. As with the CLI path, Contributor on the whole subscription is broad; add -ResourceGroupName to scope the assignment to the cluster's resource group.

    Confirm your service principal by opening a new PowerShell session and running the following commands. Enter $app.ApplicationId for username.

    PS> $creds = Get-Credential
    PS> Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $creds
    PS> Get-AzureRmVMSize -Location westus
  • With the Portal

    Instructions: "Use portal to create Active Directory application and service principal that can access resources"
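Whichever path you take, the result has to be mapped into the apimodel's servicePrincipalProfile and then verified. The following is an added example, not part of acs-engine or the Azure CLI: a small POSIX shell helper that reads the JSON printed by `az ad sp create-for-rbac`, refuses a client ID that is not the appId GUID (the generated name URI is the usual mistake), renders the profile fragment, and prints the commands that confirm the principal can log in and holds a role assignment. The JSON below is a constructed sample with placeholder values, not a real credential; `json_field`, `is_guid`, `sp_profile` and `verify_cmds` are names chosen here.

```shell
#!/bin/sh
# Added example (not acs-engine code): map `az ad sp create-for-rbac` output
# into the apimodel servicePrincipalProfile and emit verification commands.

# Constructed sample in the shape the CLI prints. Placeholder values only.
SP_JSON='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "azure-cli-2017-01-01-00-00-00",
  "name": "http://azure-cli-2017-01-01-00-00-00",
  "password": "REPLACE-WITH-PASSWORD",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# json_field KEY JSON -> prints the string value of a top-level key.
# Handles the flat, one-key-per-line object the CLI prints; it is not a
# general JSON parser.
json_field() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# is_guid VALUE -> succeeds if VALUE has the shape of an Azure AD app id.
is_guid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# sp_profile JSON -> prints the servicePrincipalProfile fragment using the
# field names this page documents, or fails if appId/password are missing or
# the client id is not the appId GUID (e.g. the "name" URI was used instead).
sp_profile() {
  client_id=$(json_field appId "$1")
  secret=$(json_field password "$1")
  [ -n "$client_id" ] && [ -n "$secret" ] ||
    { echo "sp_profile: appId or password missing from CLI output" >&2; return 1; }
  is_guid "$client_id" ||
    { echo "sp_profile: servicePrincipalClientId must be the appId GUID, got: $client_id" >&2; return 1; }
  printf '"servicePrincipalProfile": {\n  "servicePrincipalClientId": "%s",\n  "servicePrincipalClientSecret": "%s"\n}\n' \
    "$client_id" "$secret"
}

# verify_cmds JSON -> prints the az commands that prove the principal works:
# a login as the principal, then a listing of the roles assigned to it, which
# is where an over-broad subscription-level Contributor shows up.
verify_cmds() {
  app_id=$(json_field appId "$1")
  printf 'az login --service-principal -u %s -p %s --tenant %s\n' \
    "$app_id" "$(json_field password "$1")" "$(json_field tenant "$1")"
  printf 'az role assignment list --assignee %s --output table\n' "$app_id"
}

# Stand-alone usage: render the fragment and the verification commands.
sp_profile "$SP_JSON"
verify_cmds "$SP_JSON"
```

Paste the printed fragment into the apimodel and run the printed commands in a fresh shell; the role listing should show exactly the scope you intended and nothing wider.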