The content of this page hasn't been updated for years and might refer to discontinued products and projects.

Pipeline

/ Secret management / Cloud credentials / PKE authentication (Azure)

PKE authentication (Azure)

Banzai Cloud Pipeline requires the following authentication parameters for managing PKE clusters on Azure:

AZURE SUBSCRIPTION ID: A 32-character hexadecimal dash-separated string.
AZURE TENANT ID: A 32-character hexadecimal dash-separated string.
AZURE CLIENT ID: A 32-character hexadecimal dash-separated string.
AZURE CLIENT SECRET: A password generated by you.

The instructions below describe how to obtain these.

Install the Azure CLI 🔗︎

The Azure CLI is the easiest and fastest way to prepare credentials for managing PKE clusters on Azure. Install the Azure CLI by running the following command:

curl -L https://aka.ms/InstallAzureCli | bash
exec -l $SHELL
az login

Follow the instructions to authenticate. After the login and authentication process is complete, you will receive account information including your id—which is your subscription ID—and tenantId.

Note: You can query your subscription and tenant ID at any time by using the following commands:
az account show --query id # subscription ID
az account show --query tenantId # tenant ID

Create admin role 🔗︎

This list allows you to try all features of Banzai Cloud Pipeline. Banzai Cloud offers a more granular list of permissions for its customers that consists of the permissions that are required for the features the customer decides to use.

Create an Azure role that contains all the rights necessary to manage a PKE cluster on Azure.

Save the following role definition to a JSON file (e.g. pkeadminrole.json):

{
  "Name": "PKE Admin",
  "Description": "Perform PKE cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
  ]
}

Replace {subscriptionId} with your subscription ID and {resourceGroupName} with your resource group’s name.

Create the role using:

az role definition create --verbose --role-definition @pkeadminrole.json

Create service principal 🔗︎

Create a service principal and assign it to the previously created role by using the following command:

az ad sp create-for-rbac --name "http://PKEAdminSP" --role "PKE Admin" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}

This will print information about the created service principal, including appId and password.

Authentication parameter mapping:

AZ output field	Authentication parameter
appId	AZURE CLIENT ID
password	AZURE CLIENT SECRET
`az account show --query tenantId`	AZURE TENANT ID
`az account show --query id`	AZURE SUBSCRIPTION ID

Note: If creating a custom role is not an option then the required access rights must be assigned directly to the service principal using Azure’s built-in roles.

CAUTION:

While this is an option, we do not recommend it as the Azure built-in roles used below provide wider access rights within the scope of the subscription than needed:

az ad sp create-for-rbac --name "PKEAdminSP" --skip-assignment
az role assignment create --role "User Access Administrator" --assignee "http://PKEAdminSP" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
az role assignment create --role "Owner" --assignee "http://PKEAdminSP" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}

Register required services 🔗︎

PKE requires the following services to be pre-registered:

Microsoft.Compute
Microsoft.Network
Microsoft.Storage

Previously registered services can be listed by running the following command:

az provider list --query "[?registrationState=='Registered'].{Provider:namespace, Status:registrationState}" --out table

To register the required services execute:

az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.Storage

It may take some time for these service registrations to propagate through the necessary zones and datacenters.

You can check the status of each individual service with the command:

az provider show -n {{service provider name}} -o table

(e.g.: az provider show -n Microsoft.Compute -o table)

Troubleshooting 🔗︎

When your service principal’s credential has expired an error message like the following will appear:

authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ...

The solution is to reset the credential of the service principal with the following command:

az ad sp credential reset --name "PKEAdminSP"

This will print your new service principal information, including the new password. You have to update the Pipeline secret with this new password.

You could get the same error message when the service principal’s assigned role has changed and it does not have the required permissions anymore. In this case, you should check whether the service principal still has the necessary permissions either through its roles or directly assigned.