
Step 8. Create a service principal for the cluster

Create a service principal to perform cluster operations on an advanced cluster. You will use this service principal to populate the advanced configuration.
In Azure, complete the following tasks:
  1. Create a service principal.
  2. Create a cluster role.
  3. Add a role assignment to assign the cluster role to the service principal.
  4. Store the service principal credentials in a key vault.
  5. Add an access policy to the key vault.

Create a service principal

Create a service principal named cluster_principal.
For instructions about creating a service principal, refer to the Microsoft Azure documentation.

Create a cluster role

Create a cluster role to define the permissions for the service principal cluster_principal.
Create a custom role named cluster_role with the following role definition:
{
  "properties": {
    "roleName": "cluster_role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription ID>/resourceGroups/<cluster_resource_group>",
      "/subscriptions/<subscription ID>/resourceGroups/<storage_resource_group>",
      "/subscriptions/<subscription ID>/resourceGroups/<vnet_resource_group>",
      "/subscriptions/<subscription ID>/resourceGroups/<managed_identity_resource_group>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Compute/virtualMachineScaleSets/delete/action",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/write",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
The following table describes the permissions:

| Permission | Description |
| --- | --- |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read, Microsoft.Compute/virtualMachineScaleSets/write, Microsoft.Network/loadBalancers/backendAddressPools/join/action, Microsoft.Network/networkSecurityGroups/join/action | Required. Used by the Secure Agent to discover cluster resources. |
| Microsoft.Network/virtualNetworks/subnets/join/action | Required. Used by the Secure Agent to discover cluster resources. If you use an existing VNet, the scope for this permission must include the resource group that holds the VNet. |
| Microsoft.Network/virtualNetworks/subnets/read | Required if you use an existing VNet. The scope for this permission must include the resource group that holds the VNet. |
| Microsoft.Network/virtualNetworks/subnets/write | Required. Used to create and update a subnet. |
| Microsoft.Compute/virtualMachineScaleSets/read, Microsoft.Compute/virtualMachines/instanceView/read, Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read, Microsoft.Compute/virtualMachineScaleSets/instanceView/read | Required. Used by the Secure Agent to discover master and worker nodes running in Azure. |
| Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Compute/virtualMachineScaleSets/write, Microsoft.Network/networkSecurityGroups/join/action | Required when the cluster auto-scales to add a worker node to the cluster. |
| Microsoft.Compute/disks/write, Microsoft.Compute/disks/read, Microsoft.Compute/disks/delete | Required when storage auto-scales. These permissions manage disks on Azure. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Required when the storage and cluster auto-scale. This permission attaches Azure disks to worker nodes. |
| Microsoft.Network/virtualNetworks/subnets/join/action | Required when the storage and cluster auto-scale. |
| Microsoft.Network/networkSecurityGroups/join/action | Required when the storage and cluster auto-scale. The Secure Agent uses this permission to update the metadata attached to master and worker nodes. |
| Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | Required when you use managed identity authentication to connect to a source or target. The service principal uses this permission to assign managed identities to virtual machines in the virtual machine scale sets. |
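The following check is an added example, not Informatica's code: it feeds the action list from the cluster_role definition above and the requirements from the permissions table into one function, so you can confirm before assigning the role that it grants everything the features you enable need (for instance, the table lists Microsoft.Network/virtualNetworks/subnets/read as required for an existing VNet, and the check reports it as missing). The feature keys ("existing_vnet", "storage_autoscale", "managed_identity") are names chosen here, not Azure or Informatica terms.

```python
# Added least-privilege check for the cluster_role definition on this page:
# which table-required actions does the role not grant for a given feature set?
import fnmatch

C, N = "Microsoft.Compute/", "Microsoft.Network/"
VMSS = C + "virtualMachineScaleSets/"
MI = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

# "actions" copied from the cluster_role JSON on this page.
PAGE_ROLE_ACTIONS = [
    VMSS + "virtualMachines/read", VMSS + "read", VMSS + "delete/action",
    C + "virtualMachines/instanceView/read", VMSS + "instanceView/read",
    VMSS + "virtualMachines/instanceView/read", VMSS + "write",
    N + "networkSecurityGroups/join/action", N + "virtualNetworks/subnets/join/action",
    N + "virtualNetworks/subnets/write", N + "loadBalancers/backendAddressPools/join/action",
    C + "disks/delete", C + "disks/write", C + "disks/read",
    VMSS + "virtualMachines/write", MI,
]
PAGE_PERMISSIONS = [{"actions": PAGE_ROLE_ACTIONS, "notActions": []}]

# Requirements from the permissions table, keyed by when the table says they apply.
REQUIRED = {
    "always": {VMSS + "virtualMachines/read", VMSS + "read", VMSS + "write",
               VMSS + "instanceView/read", VMSS + "virtualMachines/instanceView/read",
               C + "virtualMachines/instanceView/read",
               N + "loadBalancers/backendAddressPools/join/action",
               N + "networkSecurityGroups/join/action",
               N + "virtualNetworks/subnets/join/action", N + "virtualNetworks/subnets/write"},
    "existing_vnet": {N + "virtualNetworks/subnets/read"},
    "storage_autoscale": {C + "disks/read", C + "disks/write", C + "disks/delete",
                          VMSS + "virtualmachines/write"},  # lowercase on purpose, see is_granted
    "managed_identity": {MI},
}

def is_granted(action, permissions):
    """Azure RBAC compares actions case-insensitively and allows '*' wildcards; an
    entry grants the action if it matches actions and is not excluded by notActions."""
    a = action.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(a, p.lower()) for p in pats)
    return any(hit(p.get("actions", [])) and not hit(p.get("notActions", []))
               for p in permissions)

def missing_actions(permissions, features=()):
    """Required actions (the 'always' set plus each enabled feature) not granted."""
    needed = set(REQUIRED["always"]).union(*(REQUIRED[f] for f in features))
    return sorted(a for a in needed if not is_granted(a, permissions))

if __name__ == "__main__":
    for feats in ((), ("existing_vnet",), ("storage_autoscale", "managed_identity")):
        print(feats, "missing:", missing_actions(PAGE_PERMISSIONS, feats))
```

Run it against your own exported role definition (az role definition list output has the same properties/permissions shape) by replacing PAGE_PERMISSIONS; a role that relies on a "*" wildcard passes the check but is wider than the page's definition.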

Add a role assignment

Add a role assignment to assign the custom role cluster_role to the service principal cluster_principal.

Store the credentials in a key vault

Create a new key vault and generate a secret to store the credentials for the service principal cluster_principal.

Add an access policy to the key vault

Add an access policy to the key vault that allows the managed identity agent_identity to access the credentials for the service principal cluster_principal.
  1. Add an access policy to the key vault.
  2. In the access policy, select the secret that you generated for the service principal cluster_principal.
  3. Grant the secret permission to the managed identity agent_identity.