Creating a service principal
The installation of OpenShift® Container Platform requires the creation of Microsoft Azure resources through the Azure Resource Manager. To facilitate this, you must create a service principal.
Before you begin
Important: If you see the following error message, verify that you are the owner of the subscription.
(AuthorizationFailed) The client '<user id>' with object id '7cf25******' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleAssignments/8e732******' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed
- Create the service principal for your account and assign it to the Contributor role by issuing the following command.
  - Version 3.3.x
    az ad sp create-for-rbac --role Contributor --name <service_principal_name>
    For example:
    az ad sp create-for-rbac --role Contributor --name gi300
    The output is similar to the following example.
    Changing "gi300" to a valid URI of "http://gi300", which is the required format used for service principal names
    Creating 'Contributor' role assignment under scope '/subscriptions/297d75cf-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
    {
      "appId": "12ea9986-…….",
      "displayName": "gi300",
      "name": "http://gi300",
      "password": "***************",
      "tenant": "32bfacf3-8eb1-498d-b7d9-6f567cf065cd"
    }
  - Version 3.4.x and later
    az ad sp create-for-rbac --role Contributor --scope /subscriptions/<subscription id>/resourceGroups/<resource group name> --name <service_principal_name>
    For example:
    az ad sp create-for-rbac --role Contributor --scope /subscriptions/151e2afa-1277-4835-b355-b26df65f95ef/resourceGroups/gi340-dns --name gi400
    The output is similar to the following example.
    {
      "appId": "74b72d62-8ceb-4745-b12d-9282cd5f7fb1",
      "displayName": "gi400",
      "password": "********************",
      "tenant": "32bfacf3-8eb1-498d-b7d9-6f567cf065cd"
    }
- From this output, record the values of the appId and password parameters. These values are required during OpenShift Container Platform installation (including creating the OpenShift Container Platform installation file).
- To delete the service principal and its identity, issue these commands.
  - Version 3.3.x
    az ad sp delete --id <APPId>
    az identity delete --id <subscription-id>
  - Version 3.4.x and later
    az ad sp delete --id <Object Id of Service Principal>
    az identity delete --id <subscription-id>
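The create-for-rbac commands above print a JSON object whose password field is a live credential, and the 3.4.x form confines the Contributor assignment to one resource group through --scope. The following POSIX shell script is an added example, not part of the IBM documentation or of the Azure CLI: it parses a constructed copy of that output (placeholder identifiers, not real ones), refuses a --scope string that is not resource-group-scoped, and records appId and tenant for the installer while writing the password only to a 0600 file so it never lands in shell history or logs. The helpers extract_field, check_scope and write_sp_files, and the sp.env / sp.secret file names, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM page or the Azure CLI): handle the JSON that
# `az ad sp create-for-rbac` prints, record appId/tenant for the OpenShift
# installer, and keep the password out of shell history and logs.
# Every value below is a CONSTRUCTED placeholder, not a real credential.
set -eu

# Constructed sample of the CLI output. In practice you would capture it with
#   SP_JSON=$(az ad sp create-for-rbac --role Contributor \
#       --scope "/subscriptions/$SUB_ID/resourceGroups/$RG" --name "$SP_NAME" -o json)
SAMPLE_SP_JSON='{
  "appId": "00000000-1111-2222-3333-444444444444",
  "displayName": "gi400",
  "password": "PLACEHOLDER-PASSWORD",
  "tenant": "55555555-6666-7777-8888-999999999999"
}'

# extract_field JSON KEY: pull a top-level string value out of the JSON with
# sed only (no jq dependency); sufficient for the flat object az prints.
extract_field() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
      | head -n 1
}

# check_scope SCOPE: accept only a resource-group-scoped assignment (the form
# used by the 3.4.x command). A subscription-wide or empty scope is rejected so
# that a typo does not silently grant Contributor on the whole subscription.
check_scope() {
    case "$1" in
        /subscriptions/*/resourceGroups/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sp_files JSON DIR: write the non-secret identifiers to DIR/sp.env and
# the password to a separate file created with mode 0600; the secret is never
# echoed to stdout.
write_sp_files() {
    json=$1; dir=$2
    app_id=$(extract_field "$json" appId)
    tenant=$(extract_field "$json" tenant)
    secret=$(extract_field "$json" password)
    [ -n "$app_id" ] && [ -n "$tenant" ] && [ -n "$secret" ] || return 1
    old_umask=$(umask); umask 077
    printf 'AZURE_CLIENT_ID=%s\nAZURE_TENANT_ID=%s\n' "$app_id" "$tenant" > "$dir/sp.env"
    printf '%s\n' "$secret" > "$dir/sp.secret"
    umask "$old_umask"
    echo "recorded appId $app_id for tenant $tenant (password written to $dir/sp.secret)"
}

# Stand-alone demo on the constructed sample; output goes to a temp directory.
DEMO_SCOPE="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
if check_scope "$DEMO_SCOPE"; then
    write_sp_files "$SAMPLE_SP_JSON" "$(mktemp -d)"
fi
```

To use it against a real run, replace SAMPLE_SP_JSON with the captured command output shown in the comment, then source sp.env for AZURE_CLIENT_ID and AZURE_TENANT_ID and read the password from sp.secret only where the installer needs it. Keeping the password in its own file means the identifiers can be shared with a team or committed to an inventory without the secret travelling with them.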
To obtain the subscription ID to use in the delete command, complete the following steps.
Procedure
- Log in to Azure at https://portal.azure.com/?fromAccountsPortal=true#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview.
- Type Enterprise Applications in the search bar.
- Select All Applications in the Application Type menu.
- Click Apply.
- Search for the application name. For example, gi300 or gi400.
- Click the name to open its page.
- Select Properties in the left panel.
- Record the value of the subscription ID.