Create Azure role assignments

In this section, you grant permissions to GKE on Azure to access Azure APIs.

To save your service principal and subscription IDs to a shell variable, run the following command. Replace APPLICATION_NAME with a name for your application.

APPLICATION_ID=$(az ad app list --all \
    --query "[?displayName=='APPLICATION_NAME'].appId" \
    --output tsv)
SERVICE_PRINCIPAL_ID=$(az ad sp list --all  --output tsv \
      --query "[?appId=='$APPLICATION_ID'].id")
SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)

Assign permissions to the service principal. GKE on Azure requires permissions to provision required roles for the managed Azure resources at the subscription level.

To create a custom role with required subscription scoped permissions:

  1. Create a new file named RoleAssignmentCreator.json.

  2. Open RoleAssignmentCreator.json in an editor and add the following permissions:

    {
    "Name": "Role Assignment Creator",
    "IsCustom": true,
    "Description": "Can create Azure role assignments.",
    "Actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/roleDefinitions/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}

  3. Create the new custom role with the following command:

    az role definition create --role-definition "~/CustomRoles/RoleAssignmentCreator.json"

  4. Assign the role to the service principal using the following command:

    az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "Role Assignment Creator" --scope /subscriptions/${SUBSCRIPTION_ID}

When assigning permissions, you can scope them either at the Azure subscription level, which applies to all resources within the subscription, or at the resource group level, which limits permissions to a specific resource group.

Subscription

Assign the Contributor, User Access Administrator, and Key Vault Administrator roles to your subscription:

az role assignment create \
    --role "Contributor" \
    --assignee "${SERVICE_PRINCIPAL_ID}" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}"

az role assignment create \
    --role "User Access Administrator" \
    --assignee "${SERVICE_PRINCIPAL_ID}" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}"

az role assignment create \
    --role "Key Vault Administrator" \
    --assignee "${SERVICE_PRINCIPAL_ID}" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}"

Resource group

  1. Create Role assignments scoped to the cluster resource group. Replace CLUSTER_RESOURCE_GROUP_NAME with the name of the resource group for your GKE on Azure.

    az role assignment create \
  --role "Contributor" \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"

az role assignment create \
  --role "User Access Administrator" \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"

az role assignment create \
  --role "Key Vault Administrator" \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"

  2. If your Azure Virtual Network is in a different resource group, create Role assignments scoped to the virtual network resource group. 

    az role assignment create \
  --role "Virtual Machine Contributor" \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_NAME"

az role assignment create \
  --role "User Access Administrator" \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_NAME"

    Replace the following:

    • VNET_RESOURCE_GROUP_NAME: the name for the resource group for your GKE on Azure VNet

What's next