Mantieni tutto organizzato con le raccolte
Salva e classifica i contenuti in base alle tue preferenze.
Creazione di assegnazioni di ruoli Azure
Questa pagina mostra come concedere le autorizzazioni a GKE su Azure in modo che possa accedere alle API di Azure. Devi eseguire questi passaggi quando configuri un nuovo cluster GKE su Azure o quando aggiorni le autorizzazioni per un cluster esistente.
Queste autorizzazioni sono necessarie per consentire a GKE su Azure di gestire le risorse Azure per tuo conto, ad esempio macchine virtuali, componenti di rete e archiviazione.
Ottieni gli ID entità servizio e abbonamento
Per concedere le autorizzazioni a GKE su Azure, devi ottenere l'entità servizio e l'ID abbonamento Azure. L'entità servizio Azure e l'ID abbonamento
sono associati all'applicazione Azure AD che hai creato per GKE su Azure.
Per maggiori dettagli, consulta
Creare un'applicazione Azure Active Directory.
Un'entità del servizio è un'identità in Azure Active Directory (AD) che viene utilizzata per autenticarsi in Azure e accedere alle relative risorse. Un abbonamento Azure è un
contenuto logico che ti fornisce l'accesso autorizzato ai prodotti
e ai servizi Azure. Un ID abbonamento è un identificatore univoco associato al tuo abbonamento Azure.
Per salvare gli ID principale del servizio e dell'abbonamento come riferimento rapido, puoi memorizzarli nelle variabili di shell. Per creare queste variabili di shell, esegui il
comando seguente:
Sostituisci APPLICATION_NAME con il nome
della tua applicazione Azure AD.
Crea tre ruoli personalizzati
Per concedere a GKE su Azure le autorizzazioni per gestire le risorse Azure, devi creare tre ruoli personalizzati e assegnarli all'entità del servizio. Nelle istruzioni riportate di seguito vengono aggiunte solo le autorizzazioni minime. Se necessario, puoi aggiungere altre autorizzazioni.
Devi creare ruoli personalizzati per i seguenti tipi di accesso:
Accesso a livello di abbonamento: autorizzazioni che si applicano all'intero abbonamento Azure, consentendo la gestione di tutte le risorse Azure all'interno dell'abbonamento.
Accesso a livello di gruppo di risorse del cluster: autorizzazioni specifiche per la gestione delle risorse Azure all'interno di un determinato gruppo di risorse contenente i cluster GKE su Azure.
Accesso a livello di gruppo di risorse della rete virtuale: autorizzazioni specifiche per la gestione delle risorse Azure all'interno di un gruppo di risorse che contiene le risorse di rete virtuale di Azure.
Creare un ruolo per l'accesso a livello di abbonamento
Crea un file denominato GKEOnAzureAPISubscriptionScopedRole.json.
Apri GKEOnAzureAPISubscriptionScopedRole.json in un editor e aggiungi le seguenti autorizzazioni:
{"Name":"GKE on-Azure API Subscription Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in subscription scope.","Actions":["Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/delete","Microsoft.Authorization/roleDefinitions/read"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
Assegna il ruolo all'entità servizio utilizzando il seguente comando:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Subscription Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}
Creare un ruolo per l'accesso a livello di gruppo di risorse del cluster
Crea un file denominato GKEOnAzureClusterResourceGroupScopedRole.json.
Apri GKEOnAzureClusterResourceGroupScopedRole.json in un editor e aggiungi
le seguenti autorizzazioni:
{"Name":"GKE on-Azure API Cluster Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in cluster resource group scope.","Actions":["Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete","Microsoft.ManagedIdentity/userAssignedIdentities/write","Microsoft.ManagedIdentity/userAssignedIdentities/read","Microsoft.ManagedIdentity/userAssignedIdentities/delete","Microsoft.Network/applicationSecurityGroups/write","Microsoft.Network/applicationSecurityGroups/read","Microsoft.Network/applicationSecurityGroups/delete","Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/delete","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/delete","Microsoft.Network/loadBalancers/backendAddressPools/join/action","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/read","Microsoft.Network/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/join/action","Microsoft.KeyVault/vaults/write","Microsoft.KeyVault/vaults/read","Microsoft.KeyVault/vaults/delete","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/disks/delete","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/delete","Microsoft.Network/networkInterfaces/join/action","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/delete","Microsoft.Compute/virtualMachineScaleSets/write","Microsoft.Compute/virtualMachineScaleSets/read","Microsoft.Compute/virtualMachineScaleSets/delete","Microsoft.ManagedIdentity/userAssignedIdentities/assign/action","Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action","Microsoft.Insights/Metrics/Read"],"NotActions":[],"DataActions":["Microsoft.KeyVault/vaults/keys/create/action","Microsoft.KeyVault/vaults/keys/delete","Microsoft.KeyVault/vaults/keys/read","Microsoft.KeyVault/vaults/keys/encrypt/action"],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}```
Assegna il ruolo all'entità servizio utilizzando il seguente comando:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Cluster Resource Group Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
Creare un ruolo per l'accesso a livello di gruppo di risorse della rete virtuale
Crea un file denominato GKEOnAzureAPIVNetResourceGroupScopedRole.json.
Apri GKEOnAzureAPIVNetResourceGroupScopedRole.json in un editor e aggiungi
le seguenti autorizzazioni:
{"Name":"GKE on-Azure API VNet Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in virtual network resource group scope.","Actions":["Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema è stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-07-31 UTC."],[],[],null,["# Create Azure role assignments\n=============================\n\nThis page shows how you grant permissions to GKE on Azure so that it can\naccess Azure APIs. You need to perform these steps when setting up a new\nGKE on Azure cluster or when updating permissions for an existing cluster.\nThese permissions are necessary for GKE on Azure to manage Azure resources\non your behalf, such as virtual machines, networking components, and storage.\n\nObtain service principal and subscription IDs\n---------------------------------------------\n\nTo grant permissions to GKE on Azure, you need to obtain your Azure service\nprincipal and subscription ID. The Azure service principal and subscription ID\nare associated with the Azure AD application you created for GKE on Azure.\nFor details, see\n[Create an Azure Active Directory application](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).\n\nA service principal is an identity in Azure Active Directory (AD) that is used\nto authenticate to Azure and access its resources. An Azure subscription is a\nlogical container that provides you with authorized access to Azure products\nand services. A subscription ID is a unique identifier associated with your\nAzure subscription.\n\nTo save your service principal and subscription IDs for quick reference, you can\nstore them in shell variables. To create these shell variables, run the\nfollowing command: \n\n APPLICATION_ID=$(az ad app list --all \\\n --query \"[?displayName=='\u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e'].appId\" \\\n --output tsv)\n SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \\\n --query \"[?appId=='$APPLICATION_ID'].id\")\n SUBSCRIPTION_ID=$(az account show --query \"id\" --output tsv)\n\nReplace \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e with the name\nof your Azure AD application.\n\nCreate three custom roles\n-------------------------\n\nTo grant GKE on Azure the permissions to manage your Azure resources, you\nneed to create three custom roles and assign them to the service principal. Only\nthe minimum permissions are added in the following instructions. You can add\nmore permissions if you need to.\n\nYou need to create custom roles for the following types of access:\n\n- **Subscription-level access**: Permissions that apply to the entire Azure subscription, allowing management of all Azure resources within that subscription.\n- **Cluster resource group-level access**: Permissions specific to managing Azure resources within a particular resource group that contains your GKE on Azure clusters.\n- **Virtual network resource group-level access**: Permissions specific to managing Azure resources within a resource group that contains your Azure virtual network resources.\n\n### Create role for subscription-level access\n\n1. Create a file named `GKEOnAzureAPISubscriptionScopedRole.json`.\n\n2. Open `GKEOnAzureAPISubscriptionScopedRole.json` in an editor and add the\n following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Subscription Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in subscription scope.\",\n \"Actions\": [\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Authorization/roleDefinitions/read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPISubscriptionScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}\n\n### Create role for cluster resource group-level access\n\n1. Create a file named `GKEOnAzureClusterResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureClusterResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Cluster Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in cluster resource group scope.\",\n \"Actions\": [\n \"Microsoft.Resources/subscriptions/resourcegroups/read\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/write\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/read\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/delete\",\n \"Microsoft.Network/applicationSecurityGroups/write\",\n \"Microsoft.Network/applicationSecurityGroups/read\",\n \"Microsoft.Network/applicationSecurityGroups/delete\",\n \"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Network/loadBalancers/write\",\n \"Microsoft.Network/loadBalancers/read\",\n \"Microsoft.Network/loadBalancers/delete\",\n \"Microsoft.Network/loadBalancers/backendAddressPools/join/action\",\n \"Microsoft.Network/networkSecurityGroups/write\",\n \"Microsoft.Network/networkSecurityGroups/read\",\n \"Microsoft.Network/networkSecurityGroups/delete\",\n \"Microsoft.Network/networkSecurityGroups/join/action\",\n \"Microsoft.KeyVault/vaults/write\",\n \"Microsoft.KeyVault/vaults/read\",\n \"Microsoft.KeyVault/vaults/delete\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/disks/write\",\n \"Microsoft.Compute/disks/delete\",\n \"Microsoft.Network/networkInterfaces/read\",\n \"Microsoft.Network/networkInterfaces/write\",\n \"Microsoft.Network/networkInterfaces/delete\",\n \"Microsoft.Network/networkInterfaces/join/action\",\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/write\",\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachineScaleSets/write\",\n \"Microsoft.Compute/virtualMachineScaleSets/read\",\n \"Microsoft.Compute/virtualMachineScaleSets/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\",\n \"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\",\n \"Microsoft.Insights/Metrics/Read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [\n \"Microsoft.KeyVault/vaults/keys/create/action\",\n \"Microsoft.KeyVault/vaults/keys/delete\",\n \"Microsoft.KeyVault/vaults/keys/read\",\n \"Microsoft.KeyVault/vaults/keys/encrypt/action\"\n ],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n ```\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureClusterResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Cluster Resource Group Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}\n\n### Create role for virtual network resource group-level access\n\n1. Create a file named `GKEOnAzureAPIVNetResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureAPIVNetResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API VNet Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in virtual network resource group scope.\",\n \"Actions\": [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/virtualNetworks/subnets/read\",\n \"Microsoft.Network/virtualNetworks/subnets/join/action\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPIVNetResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope \"/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID\"\n\nWhat's next\n-----------\n\n- [Create a client certificate](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-client)"]]
