Banzai Cloud Pipeline requires the following authentication parameters when managing AKS clusters:

  • AZURE SUBSCRIPTION ID: A 32-character hexadecimal dash-separated string.
  • AZURE TENANT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT SECRET: A password generated by you.

The instructions below describe how to obtain these.

AKS service

Log in to the Microsoft Azure Portal and ensure that Microsoft's AKS service is enabled for your subscription.


Install the Azure CLI

The Azure CLI is the easiest and fastest way to prepare credentials for managing AKS clusters. Install the Azure CLI and log in by running the following commands:

curl -L https://aka.ms/InstallAzureCli | bash
exec -l $SHELL
az login

Follow the instructions to authenticate. After the login and authentication process is complete, you will receive account information that includes your id (this is your subscription id) and your tenantId.

Note: you can query your subscription id at any time by using the following command:

az account show --query id

Create admin role

Create an Azure role that contains all the rights necessary to manage an AKS cluster.

Save the following role definition to a JSON file (e.g. aksadminrole.json):

{
  "Name": "AKS Admin",
  "Description": "Perform AKS cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx"
  ]
}

Replace xxxxxxxx-xxxx-xxxx-xxxx-xxxx with your subscription id.

Create the role via:

az role definition create --verbose --role-definition @aksadminrole.json

Create Service Principal

Create a Service Principal and assign it to the previously created role by using the following command:

az ad sp create-for-rbac --name "AKSAdminSP" --role "AKS Admin"

This will output the service principal information, including appId and password.

Authentication parameter mapping:

AZ output field                      Authentication parameter
appId                                AZURE CLIENT ID
password                             AZURE CLIENT SECRET
az account show --query tenantId     AZURE TENANT ID
az account show --query id           AZURE SUBSCRIPTION ID
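The following helper is an added example, not part of the Banzai Cloud Pipeline docs or code: it validates aksadminrole.json before you run az role definition create (placeholder subscription id replaced, AssignableScopes limited to your subscription, the NotActions from the role above still present since Actions is "*") and maps the az output fields onto the four authentication parameters. The parameter names with underscores and the constructed az output below are assumptions for illustration.

```python
import json
import re

# Constructed samples of what `az ad sp create-for-rbac` and `az account show` print.
SP_OUTPUT = ('{"appId": "11111111-2222-3333-4444-555555555555", "displayName": "AKSAdminSP",'
             ' "password": "example-secret", "tenant": "66666666-7777-8888-9999-000000000000"}')
ACCOUNT_OUTPUT = '{"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "tenantId": "66666666-7777-8888-9999-000000000000"}'

# Dash-separated GUID as used for subscription, tenant and client ids.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# NotActions the "AKS Admin" role must keep, because its Actions list is "*".
REQUIRED_NOT_ACTIONS = {
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
}


def check_role_definition(role, subscription_id):
    """Return a list of problems found in the role definition; empty means OK."""
    problems = []
    missing = REQUIRED_NOT_ACTIONS - set(role.get("NotActions", []))
    if missing:
        problems.append("missing NotActions: " + ", ".join(sorted(missing)))
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        if "xxxx" in scope:
            problems.append("placeholder subscription id not replaced: " + scope)
        elif scope != "/subscriptions/" + subscription_id:
            problems.append("scope outside this subscription: " + scope)
    return problems


def pipeline_params(sp_json, account_json):
    """Map az output fields onto the Pipeline authentication parameters (assumed names)."""
    sp, account = json.loads(sp_json), json.loads(account_json)
    params = {
        "AZURE_SUBSCRIPTION_ID": account["id"],
        "AZURE_TENANT_ID": account["tenantId"],
        "AZURE_CLIENT_ID": sp["appId"],
        "AZURE_CLIENT_SECRET": sp["password"],
    }
    for name in ("AZURE_SUBSCRIPTION_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_ID"):
        if not GUID_RE.match(params[name]):
            raise ValueError(f"{name} is not a dash-separated GUID: {params[name]!r}")
    if sp.get("tenant") and sp["tenant"] != params["AZURE_TENANT_ID"]:
        raise ValueError("service principal tenant differs from the logged-in tenant")
    return params
```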

Note: If creating a custom role is not an option, then the required access rights must be assigned directly to the service principal using Azure's built-in roles.

Warning: While this is an option, we do not recommend it, as the Azure built-in roles used below grant wider access rights within the scope of the subscription than needed:

az ad sp create-for-rbac --name "AKSAdminSP" --skip-assignment
az role assignment create --role "User Access Administrator" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx
az role assignment create --role "Owner" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx

Register AKS required services

AKS requires the following services to be pre-registered:

Microsoft.Compute
Microsoft.Storage
Microsoft.Network
Microsoft.ContainerService

Previously registered services can be listed by running the following command:

az provider list --query "[?registrationState=='Registered'].{Provider:namespace, Status:registrationState}" --out table

To register the required services execute:

az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Storage
az provider register --namespace Microsoft.Network

It may take some time for these service registrations to propagate through the necessary zones and datacenters.

You can check the status of each individual service with the following command, substituting the provider name:

az provider show -n {{service provider name}} -o table

(e.g.: az provider show -n Microsoft.ContainerService -o table)

When the credential has expired or the assigned role has been changed, the service principal you are using no longer has the right permissions, and the following error message appears:

authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ...

The solution is to reset the credential of the service principal with the following command:

az ad sp credential reset --name "AKSAdminSP"

This will output new service principal information, including a new password. You have to re-create the Pipeline secret with the new password included.