---
title: Creating and using a service principal with an Azure Red Hat OpenShift cluster
description: In this how-to article, learn how to create and use a service principal with an Azure Red Hat OpenShift cluster using Azure CLI or the Azure portal.
author: rahulm23
ms.service: azure-redhat-openshift
ms.topic: how-to
ms.author: rahulmehta
ms.date: 03/21/2022
topic: how-to
keywords: azure, openshift, aro, red hat, azure CLI, azure portal
zone_pivot_groups: azure-red-hat-openshift-service-principal
---
To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires an Azure Active Directory (AD) service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry (ACR). For more information, see Application and service principal objects in Azure Active Directory.
This article explains how to create and use a service principal to deploy your Azure Red Hat OpenShift clusters using the Azure command-line interface (Azure CLI) or the Azure portal.
Note
The client secret issued for a service principal expires after one year by default unless you configure a longer validity period. The cluster loses access to Azure APIs when the secret expires, so track the expiration date. For information on extending or rotating the secret, see Rotate service principal credentials for your Azure Red Hat OpenShift (ARO) Cluster.
::: zone pivot="aro-azurecli"
The following sections explain how to create and use a service principal to deploy an Azure Red Hat OpenShift cluster.
If you're using the Azure CLI, you need Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see Install Azure CLI.
Run the following Azure CLI command to create a resource group and capture its name for later steps.

```azurecli
AZ_RG=$(az group create -n test-aro-rg -l eastus2 --query name -o tsv)
```
To create the service principal, assign it the Contributor role, and scope that assignment to the Azure Red Hat OpenShift resource group only (rather than the whole subscription), run the following commands.

```azurecli
# Get the Azure subscription ID
AZ_SUB_ID=$(az account show --query id -o tsv)

# Create a service principal with the Contributor role, scoped to the Azure Red Hat OpenShift resource group
az ad sp create-for-rbac -n "test-aro-SP" --role contributor --scopes "/subscriptions/${AZ_SUB_ID}/resourceGroups/${AZ_RG}"
```
The output is similar to the following example. The `password` value is the client secret. It's shown only in this output and can't be retrieved from Azure later, so store it in a secret store rather than leaving it in your terminal scrollback or shell history.

```json
{
  "appId": "",
  "displayName": "test-aro-SP",
  "name": "http://test-aro-SP",
  "password": "yourpassword",
  "tenant": "yourtenantname"
}
```
Note
This service principal has the Contributor role only on the resource group that contains the Azure Red Hat OpenShift cluster. If your virtual network is in a different resource group, you must also assign the service principal the Contributor role on that resource group; otherwise cluster creation fails when it tries to configure networking.
To grant permissions to an existing service principal with the Azure portal, see Create an Azure AD app and service principal in the portal.
Use the service principal you created to deploy the Azure Red Hat OpenShift cluster with the `az aro create` command. Pass the `appId` and `password` values from the `az ad sp create-for-rbac` output to the `--client-id` and `--client-secret` parameters. The cluster also requires an existing virtual network with a master subnet and a worker subnet, supplied with `--vnet`, `--master-subnet`, and `--worker-subnet`, as shown in the following command.

```azurecli
az aro create \
  --resource-group myResourceGroup \
  --name myAROCluster \
  --vnet myVnet \
  --master-subnet myMasterSubnet \
  --worker-subnet myWorkerSubnet \
  --client-id <appId> \
  --client-secret <password>
```
Important
If you're using an existing service principal with a customized secret, ensure the secret doesn't exceed 190 bytes. The limit is in bytes, not characters, so multibyte characters count more than once. Passing the secret on the command line also exposes it in shell history and process listings; prefer reading it from a variable or a secret store.
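The following script is an added example, not code from the original article. It ties the preceding steps together: it creates the resource group and the resource-group-scoped service principal, captures the client secret in a variable instead of letting `az` print it, checks the 190-byte secret limit, adds the Contributor assignment on a separate VNet resource group when one is configured, lists the resulting role assignments so you can confirm nothing was granted at subscription scope, and then runs `az aro create`. The resource group, location, and service principal name come from this page; `ARO_VNET_RG`, `ARO_VNET`, `ARO_MASTER_SUBNET`, `ARO_WORKER_SUBNET`, and `ARO_SP_RUN` are environment variables this example defines; `SAMPLE_SP_JSON` is a constructed stand-in for the `az ad sp create-for-rbac` output, and `json_field`, `secret_fits_aro`, and `rg_scope` are the example's own helpers. The live Azure section runs only when `ARO_SP_RUN=1` and `az` is logged in.

```bash
#!/usr/bin/env bash
# Added example (not from the Azure docs page): create a Contributor service
# principal scoped to the ARO resource group, keep the client secret out of
# the terminal, check the 190-byte limit, verify role assignments, then deploy.
set -euo pipefail

# Byte length of a string. wc -c counts bytes, so multibyte characters count fully.
secret_byte_length() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Returns 0 if the secret fits ARO's 190-byte limit, 1 otherwise.
secret_fits_aro() { [ "$(secret_byte_length "$1")" -le 190 ]; }

# Resource-group scope string used for the RBAC assignment.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Pull one string field out of the flat JSON that az prints for create-for-rbac.
# Usage: json_field <field> <json>
json_field() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample of the create-for-rbac output (placeholder IDs, not real).
SAMPLE_SP_JSON='{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "test-aro-SP",
  "password": "yourpassword",
  "tenant": "00000000-0000-0000-0000-000000000000"
}'

main() {
  local rg vnet_rg sub_id scope sp_json app_id secret
  rg=$(az group create -n test-aro-rg -l eastus2 --query name -o tsv)
  vnet_rg="${ARO_VNET_RG:-$rg}"   # set ARO_VNET_RG if the VNet lives elsewhere
  sub_id=$(az account show --query id -o tsv)
  scope=$(rg_scope "$sub_id" "$rg")

  # Capture the JSON in a variable so the secret is never echoed to the terminal.
  sp_json=$(az ad sp create-for-rbac -n "test-aro-SP" --role contributor \
    --scopes "$scope" -o json)
  app_id=$(json_field appId "$sp_json")
  secret=$(json_field password "$sp_json")
  secret_fits_aro "$secret" || { echo "client secret exceeds 190 bytes" >&2; return 1; }

  # Contributor on the VNet resource group as well, when it differs (see the note above).
  if [ "$vnet_rg" != "$rg" ]; then
    az role assignment create --assignee "$app_id" --role contributor \
      --scope "$(rg_scope "$sub_id" "$vnet_rg")" >/dev/null
  fi

  # Check: only the intended resource-group scopes, nothing at subscription level.
  az role assignment list --assignee "$app_id" --all \
    --query "[].{role:roleDefinitionName,scope:scope}" -o table

  az aro create \
    --resource-group "$rg" \
    --name myAROCluster \
    --vnet "${ARO_VNET:?set ARO_VNET}" \
    --master-subnet "${ARO_MASTER_SUBNET:?set ARO_MASTER_SUBNET}" \
    --worker-subnet "${ARO_WORKER_SUBNET:?set ARO_WORKER_SUBNET}" \
    --client-id "$app_id" \
    --client-secret "$secret"
}

if [ "${ARO_SP_RUN:-0}" = "1" ]; then main "$@"; fi
```

Run it with `ARO_SP_RUN=1 ARO_VNET=... ARO_MASTER_SUBNET=... ARO_WORKER_SUBNET=... ./create-aro-sp.sh`. The secret still reaches `az aro create` as a process argument, which is unavoidable with that command; the script only avoids printing it and keeps it out of your interactive shell history.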
::: zone-end
::: zone pivot="aro-azureportal"
The following sections explain how to use the Azure portal to create a service principal for your Azure Red Hat OpenShift cluster.
Create a service principal, as explained in Use the portal to create an Azure AD application and service principal that can access resources. Be sure to save the application (client) ID and the client secret value; the portal shows the secret value only once, when the secret is created.
To use the service principal you created to deploy a cluster, complete the following steps.
1. On the Basics tab of the Create Azure Red Hat OpenShift page, select or create the resource group for the cluster, as shown in the following example.

   :::image type="content" source="./media/basics-openshift-sp.png" alt-text="Screenshot that shows how to use the Azure Red Hat service principal with Azure portal to create a cluster." lightbox="./media/basics-openshift-sp.png":::

1. Select Next: Authentication to configure the service principal on the Authentication tab.

   :::image type="content" source="./media/openshift-service-principal-portal.png" alt-text="Screenshot that shows how to use the Authentication tab with Azure portal to create a service principal." lightbox="./media/openshift-service-principal-portal.png":::

   In the Service principal information section:

   - Service principal client ID is the application (client) ID, shown as `appId` in the Azure CLI output.
   - Service principal client secret is the secret's value that you saved when you created it, not its secret ID.

   In the Cluster pull secret section:

   - Pull secret is the full value of your cluster's pull secret. If you don't have a pull secret, leave this field blank.
After completing this tab, select Next: Networking to continue deploying your cluster. Select Review + Create when you complete the remaining tabs.
Note
This service principal has the Contributor role only on the resource group that contains the Azure Red Hat OpenShift cluster. If your virtual network is in a different resource group, you must also assign the service principal the Contributor role on that resource group; otherwise cluster creation fails when it tries to configure networking.
To grant permissions to an existing service principal with the Azure portal, see Create an Azure AD app and service principal in the portal.
::: zone-end