Banzai Cloud Pipeline requires the following authentication parameters when managing AKS clusters:
- AZURE SUBSCRIPTION ID: A 32-character hexadecimal dash-separated string.
- AZURE TENANT ID: A 32-character hexadecimal dash-separated string.
- AZURE CLIENT ID: A 32-character hexadecimal dash-separated string.
- AZURE CLIENT SECRET: A password generated by you.
The instructions below describe how to obtain these.
## Enable AKS service

Log in to the Microsoft Azure Portal and ensure that Microsoft's AKS service is enabled for your subscription.

## Install the Azure CLI

The Azure CLI is the easiest and fastest way to prepare credentials for managing AKS clusters. Install the Azure CLI and log in by running the following commands:

```shell
curl -L https://aka.ms/InstallAzureCli | bash
exec -l $SHELL
az login
```

Follow the instructions to authenticate. After the login and authentication process is complete, you will receive account information including your `id` (which is your subscription ID) and `tenantId`.

Note: You can query your subscription and tenant ID at any time by using the following commands:

```shell
az account show --query id        # subscription ID
az account show --query tenantId  # tenant ID
```
## Create admin role

The role definition below allows you to try all features of Banzai Cloud Pipeline. Banzai Cloud offers its customers a more granular list of permissions, consisting only of the permissions required for the features the customer decides to use.

Create an Azure role that contains all the rights necessary to manage an AKS cluster. Save the following role definition to a JSON file (e.g. `aksadminrole.json`):

```json
{
  "Name": "AKS Admin",
  "Description": "Perform AKS cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
```

Replace `{subscriptionId}` with your subscription ID.

Create the role using:

```shell
az role definition create --verbose --role-definition @aksadminrole.json
```
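Before running `az role definition create`, it is worth checking the JSON file mechanically: that the `{subscriptionId}` placeholder was actually replaced, that every assignable scope is one single subscription rather than a management group or the root, and that the wildcard `Actions` are still fenced by the `NotActions` listed above. The following linter is an added example, not Banzai Cloud Pipeline's own code; the role definition it carries is a constructed copy of the one on this page, and the subscription ID it fills in is invented.

```python
import json
import re

# Exclusions taken from the role definition on this page; a role whose
# Actions contain "*" must keep every one of them.
EXPECTED_NOT_ACTIONS = {
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
}

# A single-subscription scope: "/subscriptions/" followed by one GUID.
SUBSCRIPTION_SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed copy of the page's role definition, placeholder still in place,
# so the linter has something to report.
ROLE_WITH_PLACEHOLDER = json.dumps({
    "Name": "AKS Admin",
    "Description": "Perform AKS cluster create/read/update/delete actions",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Billing/*",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
    ],
    "AssignableScopes": ["/subscriptions/{subscriptionId}"],
})


def fill_subscription(role_json, subscription_id):
    """Perform the manual step from the page: replace the placeholder."""
    return role_json.replace("{subscriptionId}", subscription_id)


def lint_role_definition(role_json):
    """Return a list of problems; an empty list means the role is ready to create."""
    role = json.loads(role_json)
    problems = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        if "{subscriptionId}" in scope:
            problems.append("placeholder {subscriptionId} not replaced")
        elif not SUBSCRIPTION_SCOPE_RE.match(scope):
            problems.append("scope is not a single subscription: " + scope)
    not_actions = set(role.get("NotActions", []))
    if "*" in role.get("Actions", []):
        for missing in sorted(EXPECTED_NOT_ACTIONS - not_actions):
            problems.append("NotActions lacks " + missing)
    return problems


if __name__ == "__main__":
    sub = "99999999-8888-7777-6666-555555555555"  # constructed subscription ID
    print(lint_role_definition(ROLE_WITH_PLACEHOLDER))
    print(lint_role_definition(fill_subscription(ROLE_WITH_PLACEHOLDER, sub)))
```

Run it against the real `aksadminrole.json` by reading the file into `lint_role_definition`; an empty list is the go-ahead for `az role definition create`.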
## Create service principal

Create a service principal and assign it to the previously created role by using the following command:

```shell
az ad sp create-for-rbac --name "AKSAdminSP" --role "AKS Admin"
```

This will print information about the created service principal, including `appId` and `password`.

Authentication parameter mapping:

| AZ output field | Authentication parameter |
|---|---|
| `appId` | AZURE CLIENT ID |
| `password` | AZURE CLIENT SECRET |
| `az account show --query tenantId` | AZURE TENANT ID |
| `az account show --query id` | AZURE SUBSCRIPTION ID |
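The mapping table above can be applied to the JSON that `az` prints (its default output format), and the three IDs checked against the dash-separated 32-hex-digit form described at the top of this page before anything is pasted into a Pipeline secret. The script below is an added example, not Banzai Cloud Pipeline's code; it assumes the `appId`, `password` and `tenant` fields of `az ad sp create-for-rbac` and the `id` and `tenantId` fields of `az account show`, and every value in the two constructed samples is fake.

```python
import json
import re

# The dash-separated 32-hex-digit form this page describes (8-4-4-4-12 groups).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample of `az ad sp create-for-rbac` output; every value is fake.
SP_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "AKSAdminSP",
    "password": "constructed-example-secret",
    "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})

# Constructed sample of `az account show` output; every value is fake.
ACCOUNT_OUTPUT = json.dumps({
    "id": "99999999-8888-7777-6666-555555555555",
    "name": "Example subscription",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})


def is_guid(value):
    return isinstance(value, str) and GUID_RE.match(value) is not None


def map_credentials(sp_json, account_json):
    """Apply the page's mapping table to the two az outputs."""
    sp = json.loads(sp_json)
    account = json.loads(account_json)
    return {
        "AZURE_CLIENT_ID": sp.get("appId"),
        "AZURE_CLIENT_SECRET": sp.get("password"),
        "AZURE_TENANT_ID": account.get("tenantId"),
        "AZURE_SUBSCRIPTION_ID": account.get("id"),
        # Not a Pipeline parameter; kept only for the tenant cross-check below.
        "_sp_tenant": sp.get("tenant"),
    }


def validate_credentials(params):
    """Return problems with the mapped parameters; an empty list means ready."""
    problems = []
    for key in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_SUBSCRIPTION_ID"):
        if not params.get(key):
            problems.append(key + " is missing")
        elif not is_guid(params[key]):
            problems.append(key + " is not a dash-separated 32-hex-digit ID")
    if not params.get("AZURE_CLIENT_SECRET"):
        problems.append("AZURE_CLIENT_SECRET is missing")
    # A service principal from another tenant than the logged-in account
    # cannot authenticate against this subscription.
    if params.get("_sp_tenant") and params["_sp_tenant"] != params.get("AZURE_TENANT_ID"):
        problems.append("service principal tenant differs from account tenantId")
    return problems


def redacted(params):
    """Copy that is safe to print or log: the secret and helper key are dropped."""
    shown = {k: v for k, v in params.items() if not k.startswith("_")}
    shown["AZURE_CLIENT_SECRET"] = "<redacted>"
    return shown


if __name__ == "__main__":
    params = map_credentials(SP_OUTPUT, ACCOUNT_OUTPUT)
    print(validate_credentials(params) or "all four parameters look valid")
    print(json.dumps(redacted(params), indent=2))
```

Feed the real outputs in by capturing `az ad sp create-for-rbac ...` and `az account show` to files and passing their contents to `map_credentials`; only the `redacted` view should ever reach a terminal log.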
Note: If creating a custom role is not an option, then the required access rights must be assigned directly to the service principal using Azure's built-in roles.

CAUTION: While this is an option, we do not recommend it, as the Azure built-in roles used below provide wider access rights within the scope of the subscription than needed:

```shell
az ad sp create-for-rbac --name "AKSAdminSP" --skip-assignment
az role assignment create --role "User Access Administrator" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx
az role assignment create --role "Owner" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx
```
## Register required services

AKS requires the following services to be pre-registered:

- Microsoft.Compute
- Microsoft.ContainerService
- Microsoft.Network
- Microsoft.Storage

Previously registered services can be listed by running the following command:

```shell
az provider list --query "[?registrationState=='Registered'].{Provider:namespace, Status:registrationState}" --out table
```

To register the required services, execute:

```shell
az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.Storage
```

It may take some time for these service registrations to propagate through the necessary zones and datacenters. You can check the status of each individual service with the command:

```shell
az provider show -n {{service provider name}} -o table
```

(e.g. `az provider show -n Microsoft.ContainerService -o table`)
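Because registration propagates slowly, a state of `Registering` is not yet good enough, and a provider that is missing from the list entirely has never been registered. The check below, an added example rather than Banzai Cloud Pipeline's code, consumes the JSON form of `az provider list` (the `namespace` and `registrationState` fields the query above already relies on), reports every required provider that is not yet `Registered`, and emits the matching `az provider register` commands. The provider list is a constructed, trimmed sample.

```python
import json

# The four providers this page says AKS needs.
REQUIRED_PROVIDERS = (
    "Microsoft.Compute",
    "Microsoft.ContainerService",
    "Microsoft.Network",
    "Microsoft.Storage",
)

# Constructed sample of `az provider list` JSON output, trimmed to the two
# fields the check needs (the real output carries many more). Note that
# Microsoft.Storage is absent and Microsoft.ContainerService is still
# propagating.
PROVIDER_LIST = json.dumps([
    {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
    {"namespace": "Microsoft.ContainerService", "registrationState": "Registering"},
    {"namespace": "Microsoft.Network", "registrationState": "Registered"},
    {"namespace": "Microsoft.KeyVault", "registrationState": "NotRegistered"},
])


def provider_states(provider_list_json):
    """Map lower-cased namespace -> registrationState."""
    return {p["namespace"].lower(): p.get("registrationState", "NotRegistered")
            for p in json.loads(provider_list_json)}


def missing_providers(provider_list_json, required=REQUIRED_PROVIDERS):
    """Return {namespace: state} for required providers not yet 'Registered'.

    A provider absent from the list is reported as 'NotRegistered'; one in
    'Registering' is still reported because propagation has not finished.
    """
    states = provider_states(provider_list_json)
    return {ns: states.get(ns.lower(), "NotRegistered")
            for ns in required if states.get(ns.lower()) != "Registered"}


def register_commands(missing):
    """The az commands that fix what missing_providers() reported."""
    return ["az provider register --namespace " + ns for ns in sorted(missing)]


if __name__ == "__main__":
    missing = missing_providers(PROVIDER_LIST)
    for ns, state in missing.items():
        print(ns + ": " + state)
    print("\n".join(register_commands(missing)))
```

Re-run `missing_providers` on a fresh `az provider list` until it returns an empty dictionary; that is the point at which cluster creation will no longer fail on an unregistered provider.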
## Troubleshooting

When your service principal's credential has expired, an error message like the following will appear:

```
authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ...
```

The solution is to reset the credential of the service principal with the following command:

```shell
az ad sp credential reset --name "AKSAdminSP"
```

This will print your new service principal information, including the new `password`. You have to update the Pipeline secret with this new password.

You could get the same error message when the service principal's assigned role has changed and it no longer has the required permissions. In this case, check whether the service principal still has the necessary permissions, either through its roles or directly assigned.
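Since the same 403 has two causes, it helps to settle the role question first and only then reset the credential. The triage below is an added example, not Banzai Cloud Pipeline's code; it assumes the `roleDefinitionName` and `scope` fields of `az role assignment list --assignee <appId> --all`, treats either the custom "AKS Admin" role or the built-in "Owner" plus "User Access Administrator" pair from this page as sufficient, and uses constructed assignment lists and a fake subscription ID.

```python
import json

SUBSCRIPTION_ID = "99999999-8888-7777-6666-555555555555"  # constructed

# The two role configurations this page sets up: the custom role, or the
# built-in fallback pair.
ACCEPTABLE_ROLE_SETS = ({"AKS Admin"}, {"Owner", "User Access Administrator"})

# Constructed samples of `az role assignment list --assignee <appId> --all`
# output, trimmed to the fields used here. The second shows a principal whose
# subscription-wide role was swapped for Reader, with AKS Admin left only on
# one resource group, which is not enough to create clusters elsewhere.
ASSIGNMENTS_OK = json.dumps([
    {"roleDefinitionName": "AKS Admin", "scope": "/subscriptions/" + SUBSCRIPTION_ID},
])
ASSIGNMENTS_DOWNGRADED = json.dumps([
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/" + SUBSCRIPTION_ID},
    {"roleDefinitionName": "AKS Admin",
     "scope": "/subscriptions/" + SUBSCRIPTION_ID + "/resourceGroups/other-rg"},
])


def scope_covers_subscription(scope, subscription_id):
    """True if the assignment was made at the subscription itself.

    Assignments inherited from a management group are not resolved offline,
    so the check errs toward reporting access as missing rather than present.
    """
    return scope.rstrip("/").lower() == ("/subscriptions/" + subscription_id).lower()


def roles_at_subscription(assignments_json, subscription_id):
    return {a["roleDefinitionName"] for a in json.loads(assignments_json)
            if scope_covers_subscription(a.get("scope", ""), subscription_id)}


def has_required_access(assignments_json, subscription_id):
    roles = roles_at_subscription(assignments_json, subscription_id)
    return any(needed <= roles for needed in ACCEPTABLE_ROLE_SETS)


def diagnose_403(error_line, assignments_json, subscription_id):
    """Order the two causes the page gives for the 403: role first, then credential."""
    if "StatusCode=403" not in error_line:
        return "not a 403 authorization failure"
    if not has_required_access(assignments_json, subscription_id):
        return "role missing: the service principal no longer holds a sufficient role at the subscription scope"
    return "role present: the credential has probably expired; reset it and update the Pipeline secret"


if __name__ == "__main__":
    err = "authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ..."
    print(diagnose_403(err, ASSIGNMENTS_OK, SUBSCRIPTION_ID))
    print(diagnose_403(err, ASSIGNMENTS_DOWNGRADED, SUBSCRIPTION_ID))
```

Resetting the credential when the role is what changed only rotates a secret that was never the problem, and leaves the cluster operation failing; running the role check first avoids that detour.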