このページでは、GKE on Azure が Azure API にアクセスできるように権限を付与する方法について説明します。これらの手順は、新しい GKE on Azure クラスタを設定するとき、または既存のクラスタの権限を更新するときに実行する必要があります。これらの権限は、GKE on Azure が仮想マシン、ネットワーキング コンポーネント、ストレージなどの Azure リソースをユーザーに代わって管理するために必要です。
サービス プリンシパル ID とサブスクリプション ID を取得する
GKE on Azure に権限を付与するには、Azure サービス プリンシパルとサブスクリプション ID を取得する必要があります。Azure サービス プリンシパルとサブスクリプション ID は、GKE on Azure 用に作成した Azure AD アプリケーションに関連付けられています。詳細については、Azure Active Directory アプリケーションを作成するをご覧ください。
サービス プリンシパルは、Azure に対して認証を行い、そのリソースにアクセスするために使用される Azure Active Directory(AD)の ID です。Azure サブスクリプションは、Azure のプロダクトとサービスへの承認済みアクセスを提供する論理コンテナです。サブスクリプション ID は、Azure サブスクリプションに関連付けられた固有識別子です。
サービス プリンシパルとサブスクリプション ID をすぐに参照できるように保存するには、シェル変数に保存します。こうしたシェル変数を作成するには、次のコマンドを実行します。
{"Name":"GKE on-Azure API Subscription Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in subscription scope.","Actions":["Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/delete","Microsoft.Authorization/roleDefinitions/read"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
{"Name":"GKE on-Azure API Cluster Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in cluster resource group scope.","Actions":["Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete","Microsoft.ManagedIdentity/userAssignedIdentities/write","Microsoft.ManagedIdentity/userAssignedIdentities/read","Microsoft.ManagedIdentity/userAssignedIdentities/delete","Microsoft.Network/applicationSecurityGroups/write","Microsoft.Network/applicationSecurityGroups/read","Microsoft.Network/applicationSecurityGroups/delete","Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/delete","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/delete","Microsoft.Network/loadBalancers/backendAddressPools/join/action","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/read","Microsoft.Network/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/join/action","Microsoft.KeyVault/vaults/write","Microsoft.KeyVault/vaults/read","Microsoft.KeyVault/vaults/delete","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/disks/delete","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/delete","Microsoft.Network/networkInterfaces/join/action","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/delete","Microsoft.Compute/virtualMachineScaleSets/write","Microsoft.Compute/virtualMachineScaleSets/read","Microsoft.Compute/virtualMachineScaleSets/delete","Microsoft.ManagedIdentity/userAssignedIdentities/assign/action","Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action","Microsoft.Insights/Metrics/Read"],"NotActions":[],"DataActions":["Microsoft.KeyVault/vaults/keys/create/action","Microsoft.KeyVault/vaults/keys/delete","Microsoft.KeyVault/vaults/keys/read","Microsoft.KeyVault/vaults/keys/encrypt/action"],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}```
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Cluster Resource Group Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
{"Name":"GKE on-Azure API VNet Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in virtual network resource group scope.","Actions":["Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-08-30 UTC。"],[],[],null,["# Create Azure role assignments\n=============================\n\nThis page shows how you grant permissions to GKE on Azure so that it can\naccess Azure APIs. You need to perform these steps when setting up a new\nGKE on Azure cluster or when updating permissions for an existing cluster.\nThese permissions are necessary for GKE on Azure to manage Azure resources\non your behalf, such as virtual machines, networking components, and storage.\n\nObtain service principal and subscription IDs\n---------------------------------------------\n\nTo grant permissions to GKE on Azure, you need to obtain your Azure service\nprincipal and subscription ID. The Azure service principal and subscription ID\nare associated with the Azure AD application you created for GKE on Azure.\nFor details, see\n[Create an Azure Active Directory application](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).\n\nA service principal is an identity in Azure Active Directory (AD) that is used\nto authenticate to Azure and access its resources. An Azure subscription is a\nlogical container that provides you with authorized access to Azure products\nand services. A subscription ID is a unique identifier associated with your\nAzure subscription.\n\nTo save your service principal and subscription IDs for quick reference, you can\nstore them in shell variables. To create these shell variables, run the\nfollowing command: \n\n APPLICATION_ID=$(az ad app list --all \\\n --query \"[?displayName=='\u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e'].appId\" \\\n --output tsv)\n SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \\\n --query \"[?appId=='$APPLICATION_ID'].id\")\n SUBSCRIPTION_ID=$(az account show --query \"id\" --output tsv)\n\nReplace \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e with the name\nof your Azure AD application.\n\nCreate three custom roles\n-------------------------\n\nTo grant GKE on Azure the permissions to manage your Azure resources, you\nneed to create three custom roles and assign them to the service principal. Only\nthe minimum permissions are added in the following instructions. You can add\nmore permissions if you need to.\n\nYou need to create custom roles for the following types of access:\n\n- **Subscription-level access**: Permissions that apply to the entire Azure subscription, allowing management of all Azure resources within that subscription.\n- **Cluster resource group-level access**: Permissions specific to managing Azure resources within a particular resource group that contains your GKE on Azure clusters.\n- **Virtual network resource group-level access**: Permissions specific to managing Azure resources within a resource group that contains your Azure virtual network resources.\n\n### Create role for subscription-level access\n\n1. Create a file named `GKEOnAzureAPISubscriptionScopedRole.json`.\n\n2. Open `GKEOnAzureAPISubscriptionScopedRole.json` in an editor and add the\n following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Subscription Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in subscription scope.\",\n \"Actions\": [\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Authorization/roleDefinitions/read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPISubscriptionScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}\n\n### Create role for cluster resource group-level access\n\n1. Create a file named `GKEOnAzureClusterResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureClusterResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Cluster Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in cluster resource group scope.\",\n \"Actions\": [\n \"Microsoft.Resources/subscriptions/resourcegroups/read\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/write\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/read\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/delete\",\n \"Microsoft.Network/applicationSecurityGroups/write\",\n \"Microsoft.Network/applicationSecurityGroups/read\",\n \"Microsoft.Network/applicationSecurityGroups/delete\",\n \"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Network/loadBalancers/write\",\n \"Microsoft.Network/loadBalancers/read\",\n \"Microsoft.Network/loadBalancers/delete\",\n \"Microsoft.Network/loadBalancers/backendAddressPools/join/action\",\n \"Microsoft.Network/networkSecurityGroups/write\",\n \"Microsoft.Network/networkSecurityGroups/read\",\n \"Microsoft.Network/networkSecurityGroups/delete\",\n \"Microsoft.Network/networkSecurityGroups/join/action\",\n \"Microsoft.KeyVault/vaults/write\",\n \"Microsoft.KeyVault/vaults/read\",\n \"Microsoft.KeyVault/vaults/delete\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/disks/write\",\n \"Microsoft.Compute/disks/delete\",\n \"Microsoft.Network/networkInterfaces/read\",\n \"Microsoft.Network/networkInterfaces/write\",\n \"Microsoft.Network/networkInterfaces/delete\",\n \"Microsoft.Network/networkInterfaces/join/action\",\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/write\",\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachineScaleSets/write\",\n \"Microsoft.Compute/virtualMachineScaleSets/read\",\n \"Microsoft.Compute/virtualMachineScaleSets/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\",\n \"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\",\n \"Microsoft.Insights/Metrics/Read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [\n \"Microsoft.KeyVault/vaults/keys/create/action\",\n \"Microsoft.KeyVault/vaults/keys/delete\",\n \"Microsoft.KeyVault/vaults/keys/read\",\n \"Microsoft.KeyVault/vaults/keys/encrypt/action\"\n ],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n ```\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureClusterResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Cluster Resource Group Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}\n\n### Create role for virtual network resource group-level access\n\n1. Create a file named `GKEOnAzureAPIVNetResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureAPIVNetResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API VNet Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in virtual network resource group scope.\",\n \"Actions\": [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/virtualNetworks/subnets/read\",\n \"Microsoft.Network/virtualNetworks/subnets/join/action\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPIVNetResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope \"/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID\"\n\nWhat's next\n-----------\n\n- [Create a client certificate](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-client)"]]
