This article explains how to create a service principal using the Azure CLI or Azure portal. You can use the service principal when you deploy a Microsoft Azure Red Hat OpenShift cluster. A new cluster deployment also creates a service principal.
To interact with Azure APIs, a Microsoft Azure Red Hat OpenShift cluster requires a Microsoft Entra service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry. For more information, see Application and service principal objects in Microsoft Entra ID.
Service principals expire in one year unless configured for longer periods. For information about how to extend your service principal expiration period, see Rotate service principal credentials for your Azure Red Hat OpenShift cluster.
Create a service principal
The following sections explain how to create a service principal to deploy an Azure Red Hat OpenShift cluster.
Prerequisites
If you're using the Azure CLI, you need Azure CLI version 2.30.0 or later installed and configured. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.
Create a resource group
To create a resource group for your Azure Red Hat OpenShift cluster, run the following Azure CLI command. The resource group name is stored in the AZ_RG variable.
AZ_RG=$(az group create --name test-aro-rg --___location eastus2 --query name --output tsv)
Create a service principal and assign role-based access control
Service principals must be unique per Azure Red Hat OpenShift cluster. The following commands create the AZ_SUB_ID variable to store your Azure subscription ID, then assign the service principal the Contributor role scoped to the Azure Red Hat OpenShift resource group.
AZ_SUB_ID=$(az account show --query id --output tsv)
az ad sp create-for-rbac --name "test-aro-sp" --role Contributor --scopes "/subscriptions/${AZ_SUB_ID}/resourceGroups/${AZ_RG}"
The output is similar to the following example:
{
"appId": "55556666-ffff-7777-aaaa-8888bbbb9999",
"displayName": "test-aro-sp",
"password": "Gg7Hh~8Ii9.-Jj0Kk1Ll2Mm3Nn4Oo5_Pp6Qq7Rr8",
"tenant": "bbbbcccc-1111-dddd-2222-eeee3333ffff"
}
Make note of this information and store it in a safe place. The password value is only displayed once. For more information about the command, see az ad sp create-for-rbac.
Important
This service principal only holds the Contributor role over the resource group that contains the Azure Red Hat OpenShift cluster. If your virtual network is in another resource group, you also need to assign the service principal the Contributor role on that resource group. You also need to create your Azure Red Hat OpenShift cluster in the resource group you created for the service principal.
To grant permissions to an existing service principal with the Azure portal, see Create a Microsoft Entra app and service principal in the portal.
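The scoping rule above is easy to get wrong in the other direction too (a Contributor assignment at subscription scope "works" but is far broader than the cluster needs). The following script is an added example, not part of this article or of the ARO tooling: it reads the output of `az role assignment list --assignee <appId> --all` and reports expected resource-group scopes that are missing, Contributor assignments that sit above a resource group, and Contributor assignments on unrelated scopes. The subscription ID and assignment records embedded below are constructed sample data.

```python
"""Audit an ARO service principal's Contributor scopes against the expected resource groups."""
import json
import subprocess

CONTRIBUTOR = "Contributor"

# Constructed sample data (placeholder subscription ID, not a real one).
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/test-aro-rg"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUB}"},  # too broad
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/other-rg"},
]


def rg_scope(subscription_id, resource_group):
    """Same scope format the article passes to `az ad sp create-for-rbac --scopes`."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def audit_contributor_scopes(assignments, subscription_id, resource_groups):
    """assignments: parsed JSON list from `az role assignment list --assignee <appId> --all`.
    Azure scopes compare case-insensitively, so everything is lowercased.
    Returns lowercased scopes that are missing, broader than an RG, or unrelated."""
    expected = {rg_scope(subscription_id, rg).lower() for rg in resource_groups}
    held, too_broad, elsewhere = set(), set(), set()
    for a in assignments:
        if a.get("roleDefinitionName") != CONTRIBUTOR:
            continue  # only the role the cluster is supposed to hold is audited here
        scope = a["scope"].lower()
        if scope in expected:
            held.add(scope)
        elif any(e.startswith(scope.rstrip("/") + "/") for e in expected):
            too_broad.add(scope)  # a parent of an expected RG: subscription or root scope
        else:
            elsewhere.add(scope)
    return {"missing": sorted(expected - held), "too_broad": sorted(too_broad),
            "elsewhere": sorted(elsewhere)}


def fetch_assignments(app_id):
    """Live lookup via the Azure CLI (requires an authenticated `az` session)."""
    cmd = ["az", "role", "assignment", "list", "--assignee", app_id, "--all", "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: audit.py <appId> <subscriptionId> <rg> [<vnet-rg> ...]
        app_id, sub_id, *rgs = sys.argv[1:]
        report = audit_contributor_scopes(fetch_assignments(app_id), sub_id, rgs)
    else:  # offline demo on the constructed sample: vnet RG missing, subscription scope too broad
        report = audit_contributor_scopes(SAMPLE_ASSIGNMENTS, SAMPLE_SUB, ["test-aro-rg", "test-aro-vnet-rg"])
    print(json.dumps(report, indent=2))
```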
Create a service principal with the Azure portal
To create a service principal for your Azure Red Hat OpenShift cluster via the Azure portal, see Register a Microsoft Entra app and create a service principal. Be sure to save the Application (client) ID and the secret and store them in a safe place. The secret value is only shown once.
The Contributor role is listed in the Privileged administrator roles when you add the role assignment from the portal.
Clean up resources
You can delete the app registration and service principal from Microsoft Entra ID if you no longer need them.
The following commands get the application ID and delete the app registration and service principal.
APP_ID=$(az ad app list --display-name test-aro-sp --query "[].appId" --output tsv)
az ad app delete --id "$APP_ID"
In the Azure portal, go to Microsoft Entra ID > App registrations > Owned applications. Enter the display name test-aro-sp, select the name, and select Delete.
To permanently delete the app registration, go to Deleted applications, search for the app's name, select the check box for the app, and select Delete permanently.
Related content
For more information about how to create a service principal in Azure CLI and assign roles, see Create an Azure service principal with Azure CLI and Assign Azure roles using Azure CLI.