Creating a service principal

The installation of OpenShift® Container Platform requires the creation of Microsoft Azure resources through the Azure Resource Manager. To facilitate this, you must create a service principal.

Before you begin

Important: If you see the following error message, verify that you are the owner of the subscription.
(AuthorizationFailed) The client '<user id>' with object id '7cf25******' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleAssignments/8e732******' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed
  1. Create the service principal for your account and assign it to the Contributor role by issuing the following command.
    • Version 3.3.x
      az ad sp create-for-rbac --role Contributor --name <service_principal_name>
      For example,
      az ad sp create-for-rbac --role Contributor --name gi300
      The output is similar to the following example.
      Changing "gi300" to a valid URI of "http://gi300", which is the required format used for service principal names
      Creating 'Contributor' role assignment under scope '/subscriptions/297d75cf-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
      {
        "appId": "12ea9986-…….",
        "displayName": "gi300",
        "name": "http://gi300",
        "password": "***************",
        "tenant": "32bfacf3-8eb1-498d-b7d9-6f567cf065cd"
      }
    • Version 3.4.x and later
      az ad sp create-for-rbac --role Contributor --scope /subscriptions/<subscription id>/resourceGroups/<resource group name> --name <service_principal_name>
      For example,
      az ad sp create-for-rbac --role Contributor --scope /subscriptions/151e2afa-1277-4835-b355-b26df65f95ef/resourceGroups/gi340-dns --name gi400
      The output is similar to the following example.
      {
        "appId": "74b72d62-8ceb-4745-b12d-9282cd5f7fb1",
        "displayName": "gi400",
        "password": "********************",
        "tenant": "32bfacf3-8eb1-498d-b7d9-6f567cf065cd"
      }
  2. From this output, record the values of the appId and password parameters. These values are required during OpenShift Container Platform installation (including creating the OpenShift Container Platform installation file).

  3. To delete the service principal and its identity, issue these commands.
    • Version 3.3.x
      az ad sp delete --id <appId>
      az identity delete --id <subscription-id>
    • Version 3.4.x and later
      az ad sp delete --id <object_id_of_service_principal>
      az identity delete --id <subscription-id>
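The following script is an added example (not part of this documentation or the az CLI) that wraps steps 1 and 2 for the 3.4.x-style, resource-group-scoped command: it checks the subscription ID before building the command, then pulls appId and password out of the JSON output into a mode-0600 file instead of leaving the secret on the terminal. The function names and the sample JSON are constructed for illustration; az is not called.

```shell
#!/usr/bin/env sh
# Added example: build the scoped create-for-rbac command and record its output.
# Function names and SAMPLE_OUTPUT are constructed; they are not from Azure.
set -eu

# Build the resource-group-scoped command (narrower than the subscription-wide
# assignment used by the 3.3.x form). Rejects a malformed subscription ID so a
# typo cannot turn into a role assignment at the wrong scope.
build_create_cmd() {
  sub_id="$1"; rg="$2"; sp_name="$3"
  printf '%s' "$sub_id" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$' \
    || { echo "invalid subscription id: $sub_id" >&2; return 1; }
  printf 'az ad sp create-for-rbac --role Contributor --scope /subscriptions/%s/resourceGroups/%s --name %s\n' \
    "$sub_id" "$rg" "$sp_name"
}

# Read one top-level string field ("appId", "password", ...) from the JSON that
# az prints on stdout. Works on the pretty-printed layout shown above.
json_field() {
  key="$1"
  sed -n "s/^[[:space:]]*\"$key\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample of the az output; every value here is a placeholder.
SAMPLE_OUTPUT='{
  "appId": "00000000-1111-2222-3333-444444444444",
  "displayName": "gi400",
  "password": "constructed-secret-value",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# Step 2: keep appId and password for the OpenShift installer in a file that
# only the current user can read. Only the non-secret appId is echoed back.
record_credentials() {
  out_file="$1"
  app_id=$(printf '%s\n' "$SAMPLE_OUTPUT" | json_field appId)
  password=$(printf '%s\n' "$SAMPLE_OUTPUT" | json_field password)
  ( umask 077; printf 'appId=%s\npassword=%s\n' "$app_id" "$password" > "$out_file" )
  printf '%s\n' "$app_id"
}
```

In real use, replace SAMPLE_OUTPUT with the captured stdout of the command that build_create_cmd prints, and keep the recorded file out of source control as the az output itself warns.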

To obtain the subscription ID to use in the delete command, complete the following steps.

Procedure

  1. Log in to Azure at https://portal.azure.com/?fromAccountsPortal=true#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview.
  2. Type Enterprise Applications in the search bar.
  3. Select All Applications in the Application Type menu.
  4. Click Apply.
  5. Search for the application name.
    For example, gi300 or gi400.
  6. Click the name to open its page.
  7. Select Properties in the left panel.
  8. Record the value of the subscription ID.