Esta documentación es para la versión más reciente de GKE en Azure, que se lanzó en noviembre de 2021. Consulta las notas de la versión para obtener más información.
Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
Crea asignaciones de funciones de Azure
En esta página, se muestra cómo otorgar permisos a GKE en Azure para que pueda acceder a las APIs de Azure. Debes realizar estos pasos cuando configures un clúster de GKE en Azure nuevo o cuando actualices los permisos de un clúster existente.
Estos permisos son necesarios para que GKE en Azure administre recursos de Azure en tu nombre, como máquinas virtuales, componentes de red y almacenamiento.
Obtén los IDs del principal de servicio y de la suscripción
Para otorgar permisos a GKE en Azure, debes obtener el principal de servicio
y el ID de suscripción de Azure. El principal de servicio y el ID de suscripción de Azure están asociados con la aplicación de Azure AD que creaste para GKE en Azure.
Para obtener más información, consulta Crea una aplicación de Azure Active Directory.
Un principal de servicio es una identidad en Azure Active Directory (AD) que se usa
para autenticarse en Azure y acceder a sus recursos. Una suscripción a Azure es un contenedor lógico que te proporciona acceso autorizado a los productos y servicios de Azure. Un ID de suscripción es un identificador único asociado con tu suscripción a Azure.
Para guardar los IDs de suscripción y principal de servicio como referencia rápida, puedes almacenarlos en variables de shell. Para crear estas variables de shell, ejecuta el siguiente comando:
Reemplaza APPLICATION_NAME por el nombre de tu aplicación de Azure AD.
Crea tres roles personalizados
Para otorgar a GKE en Azure los permisos para administrar tus recursos de Azure, debes
crear tres roles personalizados y asignarlos al principal de servicio. En las siguientes instrucciones, solo se agregan los permisos mínimos. Si lo necesitas, puedes agregar más permisos.
Debes crear roles personalizados para los siguientes tipos de acceso:
Acceso a nivel de la suscripción: Son permisos que se aplican a toda la suscripción de Azure y que permiten administrar todos los recursos de Azure dentro de esa suscripción.
Acceso a nivel del grupo de recursos del clúster: Son permisos específicos para administrar recursos de Azure dentro de un grupo de recursos en particular que contiene tus clústeres de GKE en Azure.
Acceso a nivel del grupo de recursos de red virtual: Son permisos específicos para administrar recursos de Azure dentro de un grupo de recursos que contiene los recursos de tu red virtual de Azure.
Crea un rol para el acceso a nivel de la suscripción
Crea un archivo llamado GKEOnAzureAPISubscriptionScopedRole.json.
Abre GKEOnAzureAPISubscriptionScopedRole.json en un editor y agrega los siguientes permisos:
{"Name":"GKE on-Azure API Subscription Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in subscription scope.","Actions":["Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/delete","Microsoft.Authorization/roleDefinitions/read"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
Asigna el rol al principal de servicio con el siguiente comando:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Subscription Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}
Crea un rol para el acceso a nivel del grupo de recursos del clúster
Crea un archivo llamado GKEOnAzureClusterResourceGroupScopedRole.json.
Abre GKEOnAzureClusterResourceGroupScopedRole.json en un editor y agrega los siguientes permisos:
{"Name":"GKE on-Azure API Cluster Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in cluster resource group scope.","Actions":["Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete","Microsoft.ManagedIdentity/userAssignedIdentities/write","Microsoft.ManagedIdentity/userAssignedIdentities/read","Microsoft.ManagedIdentity/userAssignedIdentities/delete","Microsoft.Network/applicationSecurityGroups/write","Microsoft.Network/applicationSecurityGroups/read","Microsoft.Network/applicationSecurityGroups/delete","Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/delete","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/delete","Microsoft.Network/loadBalancers/backendAddressPools/join/action","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/read","Microsoft.Network/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/join/action","Microsoft.KeyVault/vaults/write","Microsoft.KeyVault/vaults/read","Microsoft.KeyVault/vaults/delete","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/disks/delete","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/delete","Microsoft.Network/networkInterfaces/join/action","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/delete","Microsoft.Compute/virtualMachineScaleSets/write","Microsoft.Compute/virtualMachineScaleSets/read","Microsoft.Compute/virtualMachineScaleSets/delete","Microsoft.ManagedIdentity/userAssignedIdentities/assign/action","Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action","Microsoft.Insights/Metrics/Read"],"NotActions":[],"DataActions":["Microsoft.KeyVault/vaults/keys/create/action","Microsoft.KeyVault/vaults/keys/delete","Microsoft.KeyVault/vaults/keys/read","Microsoft.KeyVault/vaults/keys/encrypt/action"],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}```
Asigna el rol al principal de servicio con el siguiente comando:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Cluster Resource Group Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
Crea un rol para el acceso a nivel del grupo de recursos de red virtual
Crea un archivo llamado GKEOnAzureAPIVNetResourceGroupScopedRole.json.
Abre GKEOnAzureAPIVNetResourceGroupScopedRole.json en un editor y agrega los siguientes permisos:
{"Name":"GKE on-Azure API VNet Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in virtual network resource group scope.","Actions":["Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-07-31 (UTC)"],[],[],null,["# Create Azure role assignments\n=============================\n\nThis page shows how you grant permissions to GKE on Azure so that it can\naccess Azure APIs. You need to perform these steps when setting up a new\nGKE on Azure cluster or when updating permissions for an existing cluster.\nThese permissions are necessary for GKE on Azure to manage Azure resources\non your behalf, such as virtual machines, networking components, and storage.\n\nObtain service principal and subscription IDs\n---------------------------------------------\n\nTo grant permissions to GKE on Azure, you need to obtain your Azure service\nprincipal and subscription ID. The Azure service principal and subscription ID\nare associated with the Azure AD application you created for GKE on Azure.\nFor details, see\n[Create an Azure Active Directory application](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).\n\nA service principal is an identity in Azure Active Directory (AD) that is used\nto authenticate to Azure and access its resources. An Azure subscription is a\nlogical container that provides you with authorized access to Azure products\nand services. A subscription ID is a unique identifier associated with your\nAzure subscription.\n\nTo save your service principal and subscription IDs for quick reference, you can\nstore them in shell variables. To create these shell variables, run the\nfollowing command: \n\n APPLICATION_ID=$(az ad app list --all \\\n --query \"[?displayName=='\u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e'].appId\" \\\n --output tsv)\n SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \\\n --query \"[?appId=='$APPLICATION_ID'].id\")\n SUBSCRIPTION_ID=$(az account show --query \"id\" --output tsv)\n\nReplace \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e with the name\nof your Azure AD application.\n\nCreate three custom roles\n-------------------------\n\nTo grant GKE on Azure the permissions to manage your Azure resources, you\nneed to create three custom roles and assign them to the service principal. Only\nthe minimum permissions are added in the following instructions. You can add\nmore permissions if you need to.\n\nYou need to create custom roles for the following types of access:\n\n- **Subscription-level access**: Permissions that apply to the entire Azure subscription, allowing management of all Azure resources within that subscription.\n- **Cluster resource group-level access**: Permissions specific to managing Azure resources within a particular resource group that contains your GKE on Azure clusters.\n- **Virtual network resource group-level access**: Permissions specific to managing Azure resources within a resource group that contains your Azure virtual network resources.\n\n### Create role for subscription-level access\n\n1. Create a file named `GKEOnAzureAPISubscriptionScopedRole.json`.\n\n2. Open `GKEOnAzureAPISubscriptionScopedRole.json` in an editor and add the\n following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Subscription Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in subscription scope.\",\n \"Actions\": [\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Authorization/roleDefinitions/read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPISubscriptionScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}\n\n### Create role for cluster resource group-level access\n\n1. Create a file named `GKEOnAzureClusterResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureClusterResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Cluster Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in cluster resource group scope.\",\n \"Actions\": [\n \"Microsoft.Resources/subscriptions/resourcegroups/read\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/write\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/read\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/delete\",\n \"Microsoft.Network/applicationSecurityGroups/write\",\n \"Microsoft.Network/applicationSecurityGroups/read\",\n \"Microsoft.Network/applicationSecurityGroups/delete\",\n \"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Network/loadBalancers/write\",\n \"Microsoft.Network/loadBalancers/read\",\n \"Microsoft.Network/loadBalancers/delete\",\n \"Microsoft.Network/loadBalancers/backendAddressPools/join/action\",\n \"Microsoft.Network/networkSecurityGroups/write\",\n \"Microsoft.Network/networkSecurityGroups/read\",\n \"Microsoft.Network/networkSecurityGroups/delete\",\n \"Microsoft.Network/networkSecurityGroups/join/action\",\n \"Microsoft.KeyVault/vaults/write\",\n \"Microsoft.KeyVault/vaults/read\",\n \"Microsoft.KeyVault/vaults/delete\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/disks/write\",\n \"Microsoft.Compute/disks/delete\",\n \"Microsoft.Network/networkInterfaces/read\",\n \"Microsoft.Network/networkInterfaces/write\",\n \"Microsoft.Network/networkInterfaces/delete\",\n \"Microsoft.Network/networkInterfaces/join/action\",\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/write\",\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachineScaleSets/write\",\n \"Microsoft.Compute/virtualMachineScaleSets/read\",\n \"Microsoft.Compute/virtualMachineScaleSets/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\",\n \"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\",\n \"Microsoft.Insights/Metrics/Read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [\n \"Microsoft.KeyVault/vaults/keys/create/action\",\n \"Microsoft.KeyVault/vaults/keys/delete\",\n \"Microsoft.KeyVault/vaults/keys/read\",\n \"Microsoft.KeyVault/vaults/keys/encrypt/action\"\n ],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n ```\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureClusterResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Cluster Resource Group Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}\n\n### Create role for virtual network resource group-level access\n\n1. Create a file named `GKEOnAzureAPIVNetResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureAPIVNetResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API VNet Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in virtual network resource group scope.\",\n \"Actions\": [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/virtualNetworks/subnets/read\",\n \"Microsoft.Network/virtualNetworks/subnets/join/action\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPIVNetResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope \"/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID\"\n\nWhat's next\n-----------\n\n- [Create a client certificate](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-client)"]]
