Microsoft Azure Container Service Engine
May 24, 2018
Service Principals
Overview
Service Accounts in Azure are tied to Active Directory Service Principals. You can read more about Service Principals and AD Applications: "Application and service principal objects in Azure Active Directory".
Kubernetes uses a Service Principal to talk to Azure APIs to dynamically manage resources such as User Defined Routes and L4 Load Balancers.
Creating a Service Principal
There are several ways to create a Service Principal in Azure Active Directory:
- With the Azure CLI
  - Subscription level scope
    ```sh
    az login
    az account set --subscription="${SUBSCRIPTION_ID}"
    az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
    ```
  - Resource group level scope
    ```sh
    az login
    az account set --subscription="${SUBSCRIPTION_ID}"
    az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}"
    ```
  This will output your `appId`, `password`, `name`, and `tenant`. The `name` or `appId` may be used for the `servicePrincipalProfile.clientId` and the `password` is used for `servicePrincipalProfile.secret`.
  Confirm your service principal by opening a new shell and running the following commands, substituting in `name`, `password`, and `tenant`:
    ```sh
    az login --service-principal -u NAME -p PASSWORD --tenant TENANT
    az vm list-sizes --location westus
    ```
- With PowerShell
  Instructions: "Use Azure PowerShell to create a service principal to access resources"
  To get you started quickly, the following are simplified instructions for creating a single-tenant AD application and a service principal with password authentication. Please read the full instructions above for proper RBAC setup of your application. Display name and URI are a friendly arbitrary name and address for your application.
    ```powershell
    PS> Login-AzureRmAccount -SubscriptionId $subscriptionId
    PS> $app = New-AzureRmADApplication -DisplayName $name -IdentifierUris $uri -Password $passwd
    PS> New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    PS> New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
    ```
  The first command outputs your `tenantId`, used below. The `$app.ApplicationId` is used for the `servicePrincipalProfile.clientId` and the `$passwd` is used for `servicePrincipalProfile.secret`.
  Confirm your service principal by opening a new PowerShell session and running the following commands. Enter `$app.ApplicationId` for username.
    ```powershell
    PS> $creds = Get-Credential
    PS> Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -Credential $creds
    PS> Get-AzureRmVMSize -Location westus
    ```
- With the Portal
  Instructions: "Use portal to create Active Directory application and service principal that can access resources"
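As an added example (not code from the acs-engine docs), the following Python script parses the JSON that `az ad sp create-for-rbac` prints, maps `appId` and `password` onto `servicePrincipalProfile.clientId` and `servicePrincipalProfile.secret`, and classifies the `--scopes` value so a script can tell a subscription-wide Contributor grant from the narrower resource-group one. The sample CLI output is constructed with placeholder values, and the `properties` wrapper around `servicePrincipalProfile` is assumed to match the acs-engine apimodel layout.

```python
import json
import re

# Constructed sample of what `az ad sp create-for-rbac` prints; every value is a
# placeholder, not a real credential.
CLI_OUTPUT = """{
  "appId": "00000000-1111-2222-3333-444444444444",
  "displayName": "azure-cli-2018-05-24-00-00-00",
  "name": "http://azure-cli-2018-05-24-00-00-00",
  "password": "PLACEHOLDER-SECRET",
  "tenant": "55555555-6666-7777-8888-999999999999"
}"""

# The two --scopes forms shown in the docs: whole subscription vs one resource group.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
RESOURCE_GROUP_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.I)


def scope_kind(scope):
    """Classify a --scopes value as 'subscription', 'resourceGroup' or 'unknown'.

    A resource-group scope limits what the cluster's credential can touch to that
    group, so it is the one to prefer when the cluster does not need more.
    """
    if SUBSCRIPTION_SCOPE.match(scope):
        return "subscription"
    if RESOURCE_GROUP_SCOPE.match(scope):
        return "resourceGroup"
    return "unknown"


def service_principal_profile(cli_output):
    """Map the CLI's appId/password onto servicePrincipalProfile.clientId/secret."""
    sp = json.loads(cli_output)
    missing = [k for k in ("appId", "password", "tenant") if k not in sp]
    if missing:
        raise ValueError("CLI output lacks fields: " + ", ".join(missing))
    return {"clientId": sp["appId"], "secret": sp["password"]}


def apply_to_apimodel(apimodel, profile):
    """Return a copy of the apimodel with properties.servicePrincipalProfile set.

    The resulting file holds the secret in clear text, so keep it out of source
    control and restrict its file permissions.  (properties wrapper is assumed.)
    """
    model = json.loads(json.dumps(apimodel))  # deep copy; leave the input untouched
    model.setdefault("properties", {})["servicePrincipalProfile"] = dict(profile)
    return model


if __name__ == "__main__":
    profile = service_principal_profile(CLI_OUTPUT)
    print(json.dumps(apply_to_apimodel({"apiVersion": "vlabs", "properties": {}}, profile), indent=2))
    print(scope_kind("/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/k8s-rg"))
```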