Create Azure role assignments
In this section, you grant permissions to Anthos clusters on Azure to access Azure APIs.
To save your application, service principal, and subscription IDs to shell variables, run the following commands. Replace APPLICATION_NAME with the name of the Azure AD application you created for Anthos clusters on Azure.
# Look up the application (client) ID by display name.
APPLICATION_ID=$(az ad app list --all \
--query "[?displayName=='APPLICATION_NAME'].appId" \
--output tsv)
# Resolve the service principal's object ID; this is the value role assignments use.
SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \
--query "[?appId=='$APPLICATION_ID'].id")
# The subscription of the currently selected Azure CLI account.
SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)
Assign permissions to the service principal. You can assign permissions scoped to your Azure subscription or to a resource group. Resource group scope is the narrower option: the User Access Administrator role lets the principal grant roles to other identities within its scope, so assigning it at subscription scope gives the principal control over access to the whole subscription.
Subscription
Assign the Contributor, User Access Administrator, and Key Vault Administrator roles to your subscription:
az role assignment create \
--role "Contributor" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}"
az role assignment create \
--role "User Access Administrator" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}"
az role assignment create \
--role "Key Vault Administrator" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}"
Resource group
Create role assignments scoped to the cluster resource group. Replace CLUSTER_RESOURCE_GROUP_NAME with the name of the resource group for your Anthos clusters on Azure.
az role assignment create \
--role "Contributor" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"
az role assignment create \
--role "User Access Administrator" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"
az role assignment create \
--role "Key Vault Administrator" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/CLUSTER_RESOURCE_GROUP_NAME"
If your Azure Virtual Network is in a different resource group, create role assignments scoped to the virtual network resource group.
az role assignment create \
--role "Virtual Machine Contributor" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_NAME"
az role assignment create \
--role "User Access Administrator" \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_NAME"
Replace the following:
VNET_RESOURCE_GROUP_NAME
: the name of the resource group that contains the VNet used by your Anthos clusters on Azure