# Create Azure role assignments

This page shows how to grant GKE on Azure the permissions it needs to access Azure APIs. Perform these steps when you set up a new GKE on Azure cluster or when you update the permissions of an existing cluster.

GKE on Azure needs these permissions to manage Azure resources on your behalf, such as virtual machines, networking components, and storage.
## Obtain service principal and subscription IDs

To grant permissions to GKE on Azure, you need the ID of your Azure service principal and the ID of your Azure subscription. The service principal is associated with the Azure AD application that you created for GKE on Azure. For details, see [Create an Azure Active Directory application](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).

A service principal is an identity in Azure Active Directory (AD) that is used to authenticate to Azure and access its resources. An Azure subscription is a logical container that gives you authorized access to Azure products and services. A subscription ID is a unique identifier associated with your Azure subscription.

To keep the service principal and subscription IDs at hand, store them in shell variables. Run the following commands to create them:

```bash
APPLICATION_ID=$(az ad app list --all \
    --query "[?displayName=='APPLICATION_NAME'].appId" \
    --output tsv)
SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \
    --query "[?appId=='$APPLICATION_ID'].id")
SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)
```

Replace APPLICATION_NAME with the display name of your Azure AD application.
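Display names in Azure AD are not unique, so the `displayName` lookup in this section can match zero or several applications; with `--output tsv` the result is then zero or several lines, which the shell would pass on to `--assignee` unchanged and the role could end up on the wrong identity. The following script is an added example, not part of the GKE on Azure documentation: it wraps the same three `az` lookups but validates each result (exactly one value, and that value is a GUID) before the next query or any role assignment uses it. The function names `require_single_guid` and `resolve_ids` are this example's own.

```shell
# Added example (not part of the GKE on Azure documentation). Guards the ID
# lookups so that a role is never assigned to an ambiguous identity: the
# displayName query can return zero or several appIds, and with
# --output tsv that becomes zero or several lines.

set -eu

GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# require_single_guid LABEL RAW
# RAW is the raw output of an `az ... --output tsv` query. Prints the single
# GUID it contains; fails (exit 1, message on stderr) when the query matched
# nothing, matched more than one object, or returned a value that is not a GUID.
require_single_guid() {
  label=$1
  # Trim whitespace and drop blank lines: one candidate per line remains.
  candidates=$(printf '%s\n' "$2" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true)
  count=$(printf '%s\n' "$candidates" | grep -c . || true)
  if [ "$count" -eq 0 ]; then
    echo "error: no $label found" >&2
    return 1
  fi
  if [ "$count" -gt 1 ]; then
    echo "error: $count candidates for $label, refusing to guess:" >&2
    printf '%s\n' "$candidates" | sed 's/^/  /' >&2
    return 1
  fi
  if ! printf '%s\n' "$candidates" | grep -Eq "$GUID_RE"; then
    echo "error: $label '$candidates' is not a GUID" >&2
    return 1
  fi
  printf '%s\n' "$candidates"
}

# resolve_ids APPLICATION_NAME
# The same three lookups as on this page, but each result is validated before
# the next query (or any role assignment) consumes it. Exports APPLICATION_ID,
# SERVICE_PRINCIPAL_ID and SUBSCRIPTION_ID on success; aborts otherwise.
resolve_ids() {
  app_name=$1
  APPLICATION_ID=$(require_single_guid "application '$app_name'" \
    "$(az ad app list --all --output tsv \
         --query "[?displayName=='$app_name'].appId")")
  SERVICE_PRINCIPAL_ID=$(require_single_guid "service principal for appId $APPLICATION_ID" \
    "$(az ad sp list --all --output tsv \
         --query "[?appId=='$APPLICATION_ID'].id")")
  SUBSCRIPTION_ID=$(require_single_guid "subscription" \
    "$(az account show --query id --output tsv)")
  export APPLICATION_ID SERVICE_PRINCIPAL_ID SUBSCRIPTION_ID
}
```

Source the file and call `resolve_ids "APPLICATION_NAME"`; if two applications share the display name, the script prints both appIds and stops instead of silently picking one, so you can disambiguate with `az ad app show --id <appId>` before assigning anything.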
## Create three custom roles

To grant GKE on Azure the permissions to manage your Azure resources, you need to create three custom roles and assign them to the service principal. The following instructions add only the minimum permissions; you can add more if you need them.

You need to create custom roles for the following types of access:

- **Subscription-level access**: Permissions that apply to the entire Azure subscription (here, reading and managing role assignments anywhere in that subscription).
- **Cluster resource group-level access**: Permissions specific to managing Azure resources within the resource group that contains your GKE on Azure clusters.
- **Virtual network resource group-level access**: Permissions specific to managing Azure resources within the resource group that contains your Azure virtual network resources.

The role definitions below reference the subscription as `/subscriptions/${SUBSCRIPTION_ID}`. The shell does not expand variables inside a file, so before you pass a file to `az role definition create`, write the literal subscription ID into it (or render the file with a tool such as `envsubst`). Each role is then assigned at the narrowest scope it needs: the subscription for the first role, and a single resource group for the other two.
### Create role for subscription-level access

1. Create a file named `GKEOnAzureAPISubscriptionScopedRole.json`.

2. Open `GKEOnAzureAPISubscriptionScopedRole.json` in an editor and add the following permissions:

   ```json
   {
     "Name": "GKE on-Azure API Subscription Scoped Role",
     "IsCustom": true,
     "Description": "Allow GKE on-Azure service manage resources in subscription scope.",
     "Actions": [
       "Microsoft.Authorization/roleAssignments/read",
       "Microsoft.Authorization/roleAssignments/write",
       "Microsoft.Authorization/roleAssignments/delete",
       "Microsoft.Authorization/roleDefinitions/read"
     ],
     "NotActions": [],
     "DataActions": [],
     "NotDataActions": [],
     "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
   }
   ```

3. Create the new custom role:

   ```bash
   az role definition create --role-definition "GKEOnAzureAPISubscriptionScopedRole.json"
   ```

4. Assign the role to the service principal at subscription scope:

   ```bash
   az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API Subscription Scoped Role" --scope /subscriptions/${SUBSCRIPTION_ID}
   ```

Note that `Microsoft.Authorization/roleAssignments/write` at subscription scope lets the service principal grant any role, including Owner, to any principal in the subscription. Treat the service principal's credentials as highly privileged and watch for unexpected role assignment writes in the subscription's activity log.
### Create role for cluster resource group-level access

1. Create a file named `GKEOnAzureClusterResourceGroupScopedRole.json`.

2. Open `GKEOnAzureClusterResourceGroupScopedRole.json` in an editor and add the following permissions:

   ```json
   {
     "Name": "GKE on-Azure API Cluster Resource Group Scoped Role",
     "IsCustom": true,
     "Description": "Allow GKE on-Azure service manage resources in cluster resource group scope.",
     "Actions": [
       "Microsoft.Resources/subscriptions/resourcegroups/read",
       "Microsoft.Authorization/roleDefinitions/write",
       "Microsoft.Authorization/roleDefinitions/delete",
       "Microsoft.ManagedIdentity/userAssignedIdentities/write",
       "Microsoft.ManagedIdentity/userAssignedIdentities/read",
       "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
       "Microsoft.Network/applicationSecurityGroups/write",
       "Microsoft.Network/applicationSecurityGroups/read",
       "Microsoft.Network/applicationSecurityGroups/delete",
       "Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
       "Microsoft.Authorization/roleAssignments/write",
       "Microsoft.Authorization/roleAssignments/read",
       "Microsoft.Authorization/roleAssignments/delete",
       "Microsoft.Network/loadBalancers/write",
       "Microsoft.Network/loadBalancers/read",
       "Microsoft.Network/loadBalancers/delete",
       "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
       "Microsoft.Network/networkSecurityGroups/write",
       "Microsoft.Network/networkSecurityGroups/read",
       "Microsoft.Network/networkSecurityGroups/delete",
       "Microsoft.Network/networkSecurityGroups/join/action",
       "Microsoft.KeyVault/vaults/write",
       "Microsoft.KeyVault/vaults/read",
       "Microsoft.KeyVault/vaults/delete",
       "Microsoft.Compute/disks/read",
       "Microsoft.Compute/disks/write",
       "Microsoft.Compute/disks/delete",
       "Microsoft.Network/networkInterfaces/read",
       "Microsoft.Network/networkInterfaces/write",
       "Microsoft.Network/networkInterfaces/delete",
       "Microsoft.Network/networkInterfaces/join/action",
       "Microsoft.Compute/virtualMachines/read",
       "Microsoft.Compute/virtualMachines/write",
       "Microsoft.Compute/virtualMachines/delete",
       "Microsoft.Compute/virtualMachineScaleSets/write",
       "Microsoft.Compute/virtualMachineScaleSets/read",
       "Microsoft.Compute/virtualMachineScaleSets/delete",
       "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
       "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action",
       "Microsoft.Insights/Metrics/Read"
     ],
     "NotActions": [],
     "DataActions": [
       "Microsoft.KeyVault/vaults/keys/create/action",
       "Microsoft.KeyVault/vaults/keys/delete",
       "Microsoft.KeyVault/vaults/keys/read",
       "Microsoft.KeyVault/vaults/keys/encrypt/action"
     ],
     "NotDataActions": [],
     "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
   }
   ```

3. Create the new custom role:

   ```bash
   az role definition create --role-definition "GKEOnAzureClusterResourceGroupScopedRole.json"
   ```

4. Assign the role to the service principal, scoped to the resource group that contains your cluster:

   ```bash
   az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API Cluster Resource Group Scoped Role" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
   ```

   Here `CLUSTER_RESOURCE_GROUP_ID` is the name of the resource group that contains (or will contain) your GKE on Azure cluster resources. This role also carries `roleDefinitions/write` and `roleAssignments/write`; assigning it to a single resource group rather than to the subscription is what keeps that capability contained.
### Create role for virtual network resource group-level access

1. Create a file named `GKEOnAzureAPIVNetResourceGroupScopedRole.json`.

2. Open `GKEOnAzureAPIVNetResourceGroupScopedRole.json` in an editor and add the following permissions:

   ```json
   {
     "Name": "GKE on-Azure API VNet Resource Group Scoped Role",
     "IsCustom": true,
     "Description": "Allow GKE on-Azure service manage resources in virtual network resource group scope.",
     "Actions": [
       "Microsoft.Network/virtualNetworks/read",
       "Microsoft.Network/virtualNetworks/subnets/read",
       "Microsoft.Network/virtualNetworks/subnets/join/action",
       "Microsoft.Authorization/roleDefinitions/write",
       "Microsoft.Authorization/roleDefinitions/delete"
     ],
     "NotActions": [],
     "DataActions": [],
     "NotDataActions": [],
     "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
   }
   ```

3. Create the new custom role:

   ```bash
   az role definition create --role-definition "GKEOnAzureAPIVNetResourceGroupScopedRole.json"
   ```

4. Assign the role to the service principal, scoped to the resource group that contains your virtual network:

   ```bash
   az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API VNet Resource Group Scoped Role" --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${VNET_RESOURCE_GROUP_ID}"
   ```

   Here `VNET_RESOURCE_GROUP_ID` is the name of the resource group that contains your virtual network. Make sure `--role` names the VNet role you just created, not the subscription-scoped role: assigning the subscription-scoped role here would give the service principal role-assignment rights on the virtual network's resource group that it does not need.
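The three role files above contain the literal text `${SUBSCRIPTION_ID}`, and `az role definition create` reads a file as plain JSON, so the placeholder has to be rendered into the real subscription ID before the file reaches Azure, and each role must then be assigned at exactly the scope its section prescribes. The following script is an added example and not part of the GKE on Azure documentation: it renders each template into a concrete file, refuses to continue if any `${...}` placeholder survives or the assignable scope is not the expected subscription, takes the role name from the file itself (so the assignment can never name the wrong role), assigns it at the given scope, and finally lists what the service principal actually holds. The function names are this example's own; `SERVICE_PRINCIPAL_ID` and `SUBSCRIPTION_ID` are the variables from earlier on this page, and `CLUSTER_RESOURCE_GROUP_ID` and `VNET_RESOURCE_GROUP_ID` are assumed to be shell variables holding the two resource group names.

```shell
# Added example (not part of the GKE on Azure documentation). Renders the
# role definition templates, validates them, creates the roles and assigns
# each one at the narrowest scope. Assumes SERVICE_PRINCIPAL_ID,
# SUBSCRIPTION_ID, CLUSTER_RESOURCE_GROUP_ID and VNET_RESOURCE_GROUP_ID are
# set in the environment (the last two are assumed variable names).

set -eu

# render_role_definition TEMPLATE OUT SUBSCRIPTION_ID
# Writes OUT with every ${SUBSCRIPTION_ID} in TEMPLATE replaced by the real
# ID. Fails if any ${...} placeholder survives or if the file does not pin
# AssignableScopes to this subscription, so a half-rendered or mis-scoped
# definition never reaches `az role definition create`.
render_role_definition() {
  template=$1; out=$2; sub=$3
  sed "s|[$]{SUBSCRIPTION_ID}|$sub|g" "$template" > "$out"
  if grep -q '[$]{' "$out"; then
    echo "error: unrendered placeholder in $out:" >&2
    grep -n '[$]{' "$out" >&2
    return 1
  fi
  if ! grep -q "\"/subscriptions/$sub\"" "$out"; then
    echo "error: $out does not restrict AssignableScopes to /subscriptions/$sub" >&2
    return 1
  fi
}

# role_name FILE
# Prints the "Name" field of a role definition file, used for --role so the
# assignment always refers to the role defined in that very file.
role_name() {
  sed -n 's/.*"Name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# create_and_assign TEMPLATE SCOPE
# Renders the template, creates the custom role and assigns it to the
# service principal at SCOPE only.
create_and_assign() {
  template=$1; scope=$2
  rendered="${template%.json}.rendered.json"
  render_role_definition "$template" "$rendered" "$SUBSCRIPTION_ID"
  name=$(role_name "$rendered")
  az role definition create --role-definition "$rendered" >/dev/null
  az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" \
    --role "$name" --scope "$scope" >/dev/null
  echo "assigned '$name' at $scope"
}

# verify_assignments
# Shows every assignment the service principal holds, so an accidental
# subscription-wide assignment of a resource-group role is visible at once.
verify_assignments() {
  az role assignment list --assignee "$SERVICE_PRINCIPAL_ID" --all \
    --query "[].{role:roleDefinitionName, scope:scope}" --output table
}

main() {
  create_and_assign GKEOnAzureAPISubscriptionScopedRole.json \
    "/subscriptions/$SUBSCRIPTION_ID"
  create_and_assign GKEOnAzureClusterResourceGroupScopedRole.json \
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$CLUSTER_RESOURCE_GROUP_ID"
  create_and_assign GKEOnAzureAPIVNetResourceGroupScopedRole.json \
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VNET_RESOURCE_GROUP_ID"
  verify_assignments
}

# Only touch Azure when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh assign-roles.sh --apply` from the directory that holds the three JSON files, after the variables are set. The final table should show exactly three rows: the subscription role at `/subscriptions/<id>` and each resource-group role at its own `/resourceGroups/<name>` scope; any other row is a scope mistake worth removing with `az role assignment delete` before handing the service principal to GKE on Azure.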
## What's next

- [Create a client certificate](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-client)

Last updated: 2025-07-31 (UTC).