Create and use a service principal to deploy an Azure Red Hat OpenShift cluster
To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires a Microsoft Entra service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry (ACR). For more information, see Application and service principal objects in Microsoft Entra ID.
This article explains how to create and use a service principal to deploy your Azure Red Hat OpenShift clusters using the Azure command-line interface (Azure CLI) or the Azure portal.
Note
Service principals expire in one year unless configured for longer periods. For information on extending your service principal expiration period, see Rotate service principal credentials for your Azure Red Hat OpenShift (ARO) Cluster.
Create and use a service principal
The following sections explain how to create and use a service principal to deploy an Azure Red Hat OpenShift cluster.
Prerequisites - Azure CLI
If you’re using the Azure CLI, you’ll need Azure CLI version 2.30.0 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
Create a resource group - Azure CLI
Run the following Azure CLI command to create a resource group in which your Azure Red Hat OpenShift cluster will reside.
AZ_RG=$(az group create -n test-aro-rg -l eastus2 --query name -o tsv)
Create a service principal and assign role-based access control (RBAC) - Azure CLI
To assign the contributor role and scope the service principal to the Azure Red Hat OpenShift resource group, run the following command.
# Get Azure subscription ID
AZ_SUB_ID=$(az account show --query id -o tsv)
# Create a service principal with contributor role and scoped to the Azure Red Hat OpenShift resource group
az ad sp create-for-rbac -n "test-aro-SP" --role contributor --scopes "/subscriptions/${AZ_SUB_ID}/resourceGroups/${AZ_RG}"
Note
Service principals must be unique per Azure RedHat OpenShift (ARO) Cluster.
The output is similar to the following example:
{
"appId": "",
"displayName": "myAROClusterServicePrincipal",
"name": "http://myAROClusterServicePrincipal",
"password": "yourpassword",
"tenant": "yourtenantname"
}
Important
This service principal only allows a contributor over the resource group the Azure Red Hat OpenShift cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well. You also need to create your Azure Red Hat OpenShift cluster in the resource group you created above.
To grant permissions to an existing service principal with the Azure portal, see Create a Microsoft Entra app and service principal in the portal.
Create a service principal with the Azure portal
To create a service principal for your Azure Red Hat OpenShift cluster via the Azure portal, see Use the portal to create a Microsoft Entra application and service principal that can access resources. Be sure to save the Application (client) ID and the secret.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for