This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires a Microsoft Entra service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry (ACR). For more information, see Application and service principal objects in Microsoft Entra ID.
This article explains how to create and use a service principal to deploy your Azure Red Hat OpenShift clusters using the Azure command-line interface (Azure CLI) or the Azure portal.
Note
Service principals expire in one year unless configured for longer periods. For information on extending your service principal expiration period, see Rotate service principal credentials for your Azure Red Hat OpenShift (ARO) Cluster.
The following sections explain how to create and use a service principal to deploy an Azure Red Hat OpenShift cluster.
If you’re using the Azure CLI, you’ll need Azure CLI version 2.30.0 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
Run the following Azure CLI command to create a resource group in which your Azure Red Hat OpenShift cluster will reside.
AZ_RG=$(az group create -n test-aro-rg -l eastus2 --query name -o tsv)
To assign the contributor role and scope the service principal to the Azure Red Hat OpenShift resource group, run the following command.
# Get Azure subscription ID
AZ_SUB_ID=$(az account show --query id -o tsv)
# Create a service principal with contributor role and scoped to the Azure Red Hat OpenShift resource group
az ad sp create-for-rbac -n "test-aro-SP" --role contributor --scopes "/subscriptions/${AZ_SUB_ID}/resourceGroups/${AZ_RG}"
Note
Service principals must be unique per Azure RedHat OpenShift (ARO) Cluster.
The output is similar to the following example:
{
"appId": "",
"displayName": "myAROClusterServicePrincipal",
"name": "http://myAROClusterServicePrincipal",
"password": "yourpassword",
"tenant": "yourtenantname"
}
Important
This service principal only allows a contributor over the resource group the Azure Red Hat OpenShift cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well. You also need to create your Azure Red Hat OpenShift cluster in the resource group you created above.
To grant permissions to an existing service principal with the Azure portal, see Create a Microsoft Entra app and service principal in the portal.
To create a service principal for your Azure Red Hat OpenShift cluster via the Azure portal, see Use the portal to create a Microsoft Entra application and service principal that can access resources. Be sure to save the Application (client) ID and the secret.
Training
Module
Authenticate your Azure deployment pipeline by using service principals - Training
Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Documentation
Discover how to rotate service principal credentials in Azure Red Hat OpenShift (ARO).
Create an Azure Red Hat OpenShift 4 private cluster - Azure Red Hat OpenShift
Learn how to create an Azure Red Hat OpenShift private cluster running OpenShift 4
In this article, learn how to create an Azure Red Hat OpenShift cluster using an Azure Resource Manager template or a Bicep file.