Access control for Azure resources in HPC Pack cluster

If you create an HPC Pack cluster entirely in Azure, or you want to extend your on-premises HPC Pack cluster into Azure by creating Azure IaaS VMs as compute nodes, you need to grant the head node(s) access permissions to manage the Azure VM compute nodes. HPC Pack supports two ways to manage the Azure resources:

  • Azure Service Principal with certificate: Starting from HPC Pack 2012 R2 Update 3, for both Azure VM head node and on-premises head node

  • Azure Managed Identity: Starting from HPC Pack 2019 and only for Azure VM head node

Azure Resource Manager uses role-based access control (RBAC) for Azure resources. Depending on whether you want to create new Azure IaaS compute nodes, and whether you want to create new resource groups for them, there are three scenarios. The minimum permissions you should grant to the Azure service principal or Azure managed identity for each scenario are listed below:

  1. If you do not plan to add new Azure IaaS compute nodes to the HPC Pack cluster and only want to manage the existing Azure VM compute nodes:
  • Virtual Machine Contributor for the resource groups that contain the existing Azure VM compute nodes.

  • Reader for the virtual network that the Azure VM compute nodes join.

  2. If you want to use HPC Pack Cluster Manager to create new Azure IaaS compute nodes in pre-created resource groups:
  • Virtual Machine Contributor for the resource groups in which you want to create compute nodes.

  • Network Contributor for the virtual network that the Azure VM compute nodes join.

  • Key Vault Contributor for the Azure Key Vault in which the Azure Key Vault certificate was created.

  3. If you want to use HPC Pack Cluster Manager to create new Azure IaaS compute nodes in new resource groups:
  • Contributor at the Azure subscription level.
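The following Az PowerShell script is an added example, not code from the HPC Pack documentation or product, that grants the role assignments for whichever of the three scenarios above you pick, at the narrowest scope each scenario requires, and then lists what the identity holds so you can verify the result. It assumes the Az module is installed, `Connect-AzAccount` has already been run by an account allowed to assign roles at the target scopes (Owner or User Access Administrator), and that the resource names, the `$principalId` value and the `Grant-RoleIfMissing` helper are placeholders of this example that you replace with your own.

```powershell
# Added example: assign the minimum RBAC roles for an HPC Pack head node identity.
# All names below are placeholders (assumptions of this example), not real resources.

$subscriptionId = (Get-AzContext).Subscription.Id
$computeNodeRgs = @('hpc-cn-rg-1', 'hpc-cn-rg-2')   # resource groups that hold (or will hold) compute nodes
$vnetRg         = 'hpc-net-rg'
$vnetName       = 'hpc-vnet'
$keyVaultRg     = 'hpc-kv-rg'
$keyVaultName   = 'hpc-kv'

# Object ID of the identity the head node uses to reach Azure. Take it from either
# the service principal (Azure AD application with a certificate credential):
#   $principalId = (Get-AzADServicePrincipal -DisplayName 'hpc-head-node-sp').Id
# or the system-assigned managed identity of the Azure VM head node (HPC Pack 2019+):
#   $principalId = (Get-AzVM -ResourceGroupName 'hpc-hn-rg' -Name 'hpc-hn').Identity.PrincipalId
$principalId = '00000000-0000-0000-0000-000000000000'   # placeholder GUID

# 1 = manage existing nodes only, 2 = create nodes in pre-created RGs, 3 = create nodes in new RGs
$scenario = 2

# Resource IDs are the RBAC scopes for resource-level assignments.
$vnetId     = (Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName).Id
$keyVaultId = (Get-AzKeyVault -ResourceGroupName $keyVaultRg -VaultName $keyVaultName).ResourceId

# Helper of this example: assign a role at an exact scope unless it is already assigned there.
# Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
# so the Where-Object filter keeps only assignments made at exactly this scope.
function Grant-RoleIfMissing {
    param([string]$Role, [string]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $Role -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Host "Already assigned: '$Role' at $Scope"
        return
    }
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $Role -Scope $Scope | Out-Null
    Write-Host "Assigned: '$Role' at $Scope"
}

switch ($scenario) {
    1 {
        # Existing compute nodes only: VM control in their resource groups, read-only on the VNet.
        foreach ($rg in $computeNodeRgs) {
            Grant-RoleIfMissing -Role 'Virtual Machine Contributor' `
                                -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg"
        }
        Grant-RoleIfMissing -Role 'Reader' -Scope $vnetId
    }
    2 {
        # New nodes in pre-created resource groups: VM control per RG, NIC creation on the VNet,
        # and access to the vault that holds the node certificate.
        foreach ($rg in $computeNodeRgs) {
            Grant-RoleIfMissing -Role 'Virtual Machine Contributor' `
                                -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg"
        }
        Grant-RoleIfMissing -Role 'Network Contributor'   -Scope $vnetId
        Grant-RoleIfMissing -Role 'Key Vault Contributor' -Scope $keyVaultId
    }
    3 {
        # New resource groups need Contributor at the subscription scope.
        Grant-RoleIfMissing -Role 'Contributor' -Scope "/subscriptions/$subscriptionId"
    }
    default { throw "Unknown scenario '$scenario'; use 1, 2 or 3." }
}

# Verification: everything the identity now holds in this subscription, with its scope.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run it once per head node identity and read the final table: every role should appear at the scope you intended and nothing broader. Scenario 3 is the outlier, since Contributor at the subscription scope lets the head node change any resource in the subscription, not only compute nodes; if you can pre-create the resource groups, scenario 2 keeps the grant limited to those groups, the virtual network and the Key Vault.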