All you need to do is delegate access to the required Azure resources to the service principal. Simply create a role assignment using az role assignment create to do the following:
- specify the particular scope, such as a resource group
- then assign a role that defines what permissions the service principal has on the resource
It looks something like this:
az role assignment create --assignee $AKS_SERVICE_PRINCIPAL_APPID --scope $ACR_RESOURCE_ID --role $SERVICE_ROLE
Notice that the --assignee here is nothing but the service principal, and you're going to need it.
When you create an AKS cluster in the Azure portal or using the az aks create command from the Azure CLI, Azure can automatically generate a service principal. Alternatively, you can create one yourself using az ad sp create-for-rbac --skip-assignment and then pass the service principal to az aks create via its --service-principal (appId) and --client-secret (password) parameters.
You can use a handy little query in the az aks show command to locate the service principal quickly!
az aks show --name $AKS_CLUSTER_NAME --resource-group $AKS_CLUSTER_RESOURCE_GROUP --query servicePrincipalProfile.clientId -o tsv
This will return the service principal appId! You can use it to grant permissions. For example, if you want to allow AKS to pull images from ACR, you can grant the acrpull role:
az role assignment create --assignee $AKS_SERVICE_PRINCIPAL_APPID --scope $ACR_RESOURCE_ID --role acrpull
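Once the assignment exists, it is worth checking that the AKS service principal holds only the acrpull role at the registry scope and nothing broader (a Contributor grant on the resource group, or acrpull at subscription scope, would also let it pull but hands out far more than needed). The audit below is an added example, not code from the original post or from Azure: it classifies the JSON that az role assignment list --assignee $AKS_SERVICE_PRINCIPAL_APPID --all -o json returns, using a constructed sample with placeholder subscription and registry ids.

```python
import json

# Constructed placeholder ACR resource id (not a real subscription or registry).
ACR_RESOURCE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-shared/providers/Microsoft.ContainerRegistry/registries/myregistry")

# Constructed sample shaped like `az role assignment list --assignee <appId> --all -o json`.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "AcrPull", "scope": ACR_RESOURCE_ID},
    {"roleDefinitionName": "AcrPull",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-shared"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-other"},
])

def _covers(scope, resource_id):
    """True when a role assigned at `scope` is inherited by `resource_id`.

    Azure RBAC inherits downward, so a scope covers every resource id that
    starts with it. Comparison is case-insensitive, as resource ids are.
    """
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def audit_acr_pull(assignments, acr_id, expected_role="AcrPull"):
    """Compare each assignment against the minimal AKS -> ACR grant.

    exact:       expected role, scoped exactly to the registry (what we want)
    too_broad:   expected role, but assigned above the registry (inherited)
    excess_role: a different role that still reaches the registry
    unrelated:   does not reach the registry at all
    """
    result = {"exact": [], "too_broad": [], "excess_role": [], "unrelated": []}
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if not _covers(scope, acr_id):
            result["unrelated"].append((role, scope))
        elif role.lower() != expected_role.lower():
            result["excess_role"].append((role, scope))
        elif scope.lower() != acr_id.lower():
            result["too_broad"].append((role, scope))
        else:
            result["exact"].append((role, scope))
    result["has_minimal_grant"] = bool(result["exact"])
    return result

def audit_from_json(text, acr_id):
    """Parse the CLI's JSON output and run the audit on it."""
    return audit_acr_pull(json.loads(text), acr_id)

if __name__ == "__main__":
    for bucket, items in audit_from_json(SAMPLE_ASSIGNMENTS_JSON, ACR_RESOURCE_ID).items():
        print(bucket, items)
```

Anything reported under too_broad or excess_role is a candidate for az role assignment delete once you have confirmed nothing else depends on it.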
To recap, the commands used in this post:
- az aks create to create an AKS cluster
- az role assignment create to assign service specific roles to a service principal
- az aks show to get info about your AKS cluster
If you found this article helpful, please like and follow! Happy to get feedback via @abhi_tweeter or just drop a comment :-)