Granting extra permissions to the service principal

The service principal requires the legacy Azure Active Directory Graph > Application.ReadWrite.OwnedBy permission and the User Access Administrator role so that the cluster can assign credentials to its components.

Procedure

  1. Assign the User Access Administrator role to the service principal that you created by running only one of the following commands:
    • Version 3.3.x
      az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '<appId>'" | jq '.[0].objectId' -r)

      Where appId is the appId value that you recorded when you created the service principal.

      For example, run the following command.
      az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '12ea9986-……" | jq '.[0].objectId' -r)
      The output is similar to:
      root@sys-backup-client1:/ocp-tools# az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '12ea9986-….." | jq '.[0].objectId' -r)
      {
        "canDelegate": null,
        "condition": null,
        "conditionVersion": null,
        "description": null,
        "id": "/subscriptions/297…./providers/Microsoft.Authorization/roleAssignments/490840c4-……",
        "name": "490840c4-……",
        "principalId": "fe395a77-….",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "/subscriptions/297d75cf-……/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-……",
        "scope": "/subscriptions/297d75cf-……",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    • Version 3.4.x and later
      az role assignment create --role "User Access Administrator" --assignee-object-id "<Object Id>" --assignee-principal-type "ServicePrincipal" --scope /subscriptions/<subscription Id>/resourceGroups/<resource group name>
      For example, run the following command.
      az role assignment create --role "User Access Administrator" --assignee-object-id "72eb6-0c72-440b-80ff-cda51f893e11" --assignee-principal-type "ServicePrincipal" --scope /subscriptions/151efa-127-4835-b355-b26df65f95ef/resourceGroups/gi340-dns
      The output is similar to:
      {
        "condition": null,
        "conditionVersion": null,
        "createdBy": null,
        "createdOn": "2024-05-23T14:36:39.400610+00:00",
        "delegatedManagedIdentityResourceId": null,
        "description": null,
        "id": "/subscriptions/151e2afa-1277-4835-b355-b26df65f95ef/resourceGroups/gi340-dns/providers/Microsoft.Authorization/roleAssignments/018284cc-fcc3-4c24-a31f-b96bcda013e5",
        "name": "018284cc-fcc3-4c24-a31f-b96bcda013e5",
        "principalId": "72ebc616-0c72-440b-80ff-cda51f893e11",
        "principalType": "ServicePrincipal",
        "resourceGroup": "gi340-dns",
        "roleDefinitionId": "/subscriptions/151e2afa-1277-4835-b355-b26df65f95ef/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "scope": "/subscriptions/151e2afa-1277-4835-b355-b26df65f95ef/resourceGroups/gi340-dns",
        "type": "Microsoft.Authorization/roleAssignments",
        "updatedBy": "a4e73036-1557-4d4c-97c7-a6e2f126e33c",
        "updatedOn": "2024-05-23T14:36:40.420628+00:00"
      }
  2. Assign the Windows Azure Active Directory Graph API permissions to the service principal that you created by running the following command.
    az ad app permission add --id <appId> --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role
    For example,
    az ad app permission add --id 214d1742-bff2-4523-b5d3-2e5e79dfe08a --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role
    The output is similar to:
    Invoking `az ad app permission grant --id 214d1742-****-****-b5d3-2e5e79dfe08a --api 00000002-0000-0000-c000-000000000000` is needed to make the change effective
  3. Approve the permissions request.

    If your account does not have the Azure Active Directory Tenant Administrator role, follow your organization's guidelines for requesting that the tenant administrator approves your permissions request. Then, run the following command.

    az ad app permission grant --id <appId> --api 00000002-0000-0000-c000-000000000000
    Important: Running this command requires high privileges at the directory (tenant) level. If you do not have sufficient permissions, identify a person who has these privileges and delegate the task to that person. You do not need these privileges for other OCP deployment tasks.
    For example,
    az ad app permission grant --id 214d1742-bff2-4523-b5d3-2e5e79dfe08a --api 00000002-0000-0000-c000-000000000000 --scope "/subscriptions/151e2afa-1277-*******"
    The output is similar to:
    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants/$entity",
      "clientId": "58457e54-c907-4ee4-a216-89dae9bcad04",
      "consentType": "AllPrincipals",
      "id": "VH5FWAfJ5E6iFona6bytBMIjYoEH4T9LpNAGi-vSY-U",
      "principalId": null,
      "resourceId": "816223c2-e107-4b3f-a4d0-068bebd263e5",
      "scope": "/subscriptions/151e2afa-1277-***********"
    }
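The two sample outputs in step 1 differ in scope: the 3.3.x command, which passes no --scope, lands the User Access Administrator role on the whole subscription, while the 3.4.x command limits it to the resource group. The following added check (not part of this procedure or of any IBM or Azure tooling) reads the JSON that `az role assignment list --assignee <objectId>` prints and flags any User Access Administrator assignment that is broader than the resource-group scope you intended; the sample input and the subscription id in it are constructed for the example.

```python
import json
import sys

# Built-in role definition id for "User Access Administrator"; it is the GUID
# at the end of the roleDefinitionId in the sample output above.
USER_ACCESS_ADMIN_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"


def scope_within(scope, boundary):
    """True if `scope` is the boundary itself or a resource underneath it."""
    s, b = scope.lower().rstrip("/"), boundary.lower().rstrip("/")
    return s == b or s.startswith(b + "/")


def check_role_assignments(assignments_json, boundary_scope):
    """Return findings for assignments that exceed the intended scope.

    assignments_json: JSON text from `az role assignment list --assignee <objectId>`
    boundary_scope:   the resource-group scope the procedure targets
    """
    findings = []
    for a in json.loads(assignments_json):
        role_id = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if a.get("principalType") != "ServicePrincipal":
            findings.append(f"{a['name']}: principalType {a.get('principalType')!r}, expected ServicePrincipal")
        if role_id == USER_ACCESS_ADMIN_ROLE_ID and not scope_within(a["scope"], boundary_scope):
            findings.append(f"{a['name']}: User Access Administrator at {a['scope']} is broader than {boundary_scope}")
    return findings


# Constructed sample (not real output): one assignment scoped to the resource
# group, as the 3.4.x command creates, and one at subscription scope, as the
# 3.3.x command creates when no --scope is given.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEF = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{USER_ACCESS_ADMIN_ROLE_ID}"
SAMPLE = json.dumps([
    {"name": "rg-assignment", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEF, "scope": f"{SUB}/resourceGroups/gi340-dns"},
    {"name": "sub-assignment", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEF, "scope": SUB},
])

if __name__ == "__main__":
    # Pass a file saved from `az role assignment list --assignee <objectId> -o json`,
    # or run with no argument to check the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in check_role_assignments(data, f"{SUB}/resourceGroups/gi340-dns"):
        print("FINDING:", finding)
```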