This article explains how to rotate the Microsoft Entra ID service principal credentials of an Azure Red Hat OpenShift cluster. The Azure CLI commands use Bash syntax and can be run in Azure Cloud Shell.
Prerequisites
- An existing Azure Red Hat OpenShift cluster with the latest updates applied.
- Azure CLI version 2.24.0 is required to rotate service principal credentials. To check the version of Azure CLI, run `az --version`. If you need to upgrade, see How to install the Azure CLI.
Service principal credential rotation
Service principal credential rotation can take two hours depending on cluster state. There are two methods for service principal credential rotation:
- Automated service principal credential rotation
- User provided client ID and client secret service principal credential rotation
For either method, create variables for your cluster's name and resource group. Replace `<clusterName>` and `<resourceGroupName>` with your cluster's values.
CLUSTER=<clusterName>
RESOURCEGROUP=<resourceGroupName>
Automated service principal credential rotation
The method for automated service principal credential rotation requires that the cluster was created with Azure CLI version 2.24.0 or greater. Automated service principal credential rotation checks if the service principal exists and rotates or creates a new service principal.
You can automatically rotate service principal credentials with the following command.
az aro update --refresh-credentials --name $CLUSTER --resource-group $RESOURCEGROUP
User provided client ID and client secret service principal credential rotation
You can manually rotate service principal credentials with user provided client ID and client secret with the following instructions.
Retrieve the service principal client ID (`--client-id`) and set it as the `SP_ID` environment variable.
SP_ID=$(az aro show --name $CLUSTER --resource-group $RESOURCEGROUP \
--query servicePrincipalProfile.clientId --output tsv)
Generate a new secure secret (`--client-secret`) for the service principal using the `SP_ID` variable. Store the new secure secret as the `SP_SECRET` environment variable.
SP_SECRET=$(az ad sp credential reset --id $SP_ID --query password --output tsv)
Rotate the service principal credentials using the environment variables.
az aro update --client-id $SP_ID --client-secret $SP_SECRET \
--name $CLUSTER --resource-group $RESOURCEGROUP
Troubleshoot
Service principal expiration date
Service principal credentials are created with a one-year expiration date and should be rotated within that timeframe. If the credentials have expired, the following errors are possible.
Failed to refresh the Token for request to <resourceGroupName> StatusCode=401
Original Error: Request failed. Status Code = '401'.
[with]
Response body: {"error":"invalid_client","error_description": The provided client secret keys are expired.
[or]
Response body: {"error":"invalid_client","error_description": Invalid client secret is provided.
To check the expiration date of service principal credentials run the following commands. The date is output in ISO 8601 UTC format.
SP_ID=$(az aro show --name $CLUSTER --resource-group $RESOURCEGROUP \
--query servicePrincipalProfile.clientId --output tsv)
az ad app credential list --id $SP_ID --query "[].endDateTime" --output tsv
If the service principal credentials are expired, update the credentials using one of the two credential rotation methods.
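As an added example that is not part of the Microsoft documentation, the following POSIX shell helper classifies the endDateTime values that the command above prints as expired, expiring within a warning window, or ok, so rotation can be scheduled before the one-year expiry. The function names are assumptions, and the input here is a constructed sample rather than output from a live tenant.

```shell
#!/bin/sh
# Hypothetical helper (not Microsoft's code): classify service principal
# credential expiry dates so rotation is scheduled before they lapse.

# Days since 1970-01-01 for a proleptic Gregorian date, in pure shell
# arithmetic so no GNU `date -d` extension is required.
days_from_civil() {
  y=$1; m=$2; d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Accepts YYYY-MM-DD or a full ISO 8601 UTC timestamp such as
# 2025-10-02T13:20:52.704Z; the time part is ignored. Leading zeros are
# stripped so "08" is not parsed as an octal number.
day_number() {
  ymd=${1%%T*}
  y=${ymd%%-*}; rest=${ymd#*-}
  m=${rest%%-*}; d=${rest#*-}
  days_from_civil "$y" "${m#0}" "${d#0}"
}

# Whole days from NOW to EXPIRY; negative once the credential has expired.
days_until() { echo $(( $(day_number "$2") - $(day_number "$1") )); }

# expired | expiring | ok, with WARN_DAYS as the warning window.
credential_status() { # now expiry warn_days
  left=$(days_until "$1" "$2")
  if [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "$3" ]; then echo expiring
  else echo ok; fi
}

# Report each endDateTime read from stdin (one per line, as --output tsv prints).
report() { # now warn_days
  while IFS= read -r ts; do
    [ -n "$ts" ] || continue
    printf '%s\t%s\t%s days\n' "$ts" "$(credential_status "$1" "$ts" "$2")" \
      "$(days_until "$1" "$ts")"
  done
}

# Constructed sample in the shape of:
#   az ad app credential list --id $SP_ID --query "[].endDateTime" --output tsv
SAMPLE_EXPIRIES='2024-11-15T09:12:44.123Z
2025-03-01T00:00:00Z
2026-06-30T18:00:00.5Z'

printf '%s\n' "$SAMPLE_EXPIRIES" | report "$(date -u +%Y-%m-%d)" 30
```

Replace the constructed sample with the real command's output and the script prints one line per credential with its status and the days remaining.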
Cluster application contains a client secret with an empty description
The following error occurs when you use the `az aro update` command for automated service principal credential rotation.
Cluster application contains a client secret with an empty description.
Either manually remove the existing client secret and run `az aro update --refresh-credentials`,
or manually create a new client secret and run `az aro update --client-secret <clientSecret>`.
The cluster wasn't created using Azure CLI 2.24.0 or greater. Use the User provided client ID and client secret service principal credential rotation method instead.
Azure CLI commands
For more information about Azure CLI commands, see the az aro documentation. You can also use commands like `az aro update --help` on the command line.
Clean up resources
When you're finished, you should clear your variables to remove any sensitive data.
SP_SECRET=""
SP_ID=""
CLUSTER=""
RESOURCEGROUP=""
Related content
For more information about service principals, see Create and use a service principal to deploy an Azure Red Hat OpenShift cluster.