Banzai Cloud Pipeline requires the following authentication parameters for managing PKE clusters:

  • AZURE SUBSCRIPTION ID: A 32-character hexadecimal dash-separated string.
  • AZURE TENANT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT SECRET: A password generated by you.

The instructions below describe how to obtain these.

Install the Azure CLI

The Azure CLI is the easiest and fastest way to prepare credentials for managing PKE clusters. Install the Azure CLI by running the following command.

curl -L https://aka.ms/InstallAzureCli | bash
exec -l $SHELL
az login

Follow the instructions to authenticate. After the login and authentication process is complete, you will receive account information, including the id field (your subscription id) and the tenantId field (your tenant id).

Note: you can query your subscription id at any time by using the following command:

az account show --query id

Create admin role

Create an Azure role that contains all the rights necessary to manage a PKE cluster on Azure.

Save the following role definition to a json file (e.g. pkeadminrole.json):

{
  "Name": "PKE Admin",
  "Description": "Perform PKE cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
  ]
}

Replace {subscriptionId} with your subscription id and {resourceGroupName} with the name of the resource group in which the cluster will be created.

Create the role via:

az role definition create --verbose --role-definition @pkeadminrole.json
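The following script is an added example and is not part of the Banzai Cloud documentation or tooling. It fills the two placeholders in the role definition above and runs a few pre-flight checks before the file is handed to az role definition create: the subscription id has the expected 32-character dash-separated form, no placeholder is left behind, the AssignableScopes entry stays limited to a single resource group, and the elevateAccess exclusion is still present. The template written by write_template is a copy of the role definition from this page; the default subscription id and resource group name in main are constructed values, and the environment variable names AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP and PKE_ROLE_FILE are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not taken from the Banzai Cloud documentation: render the
# "PKE Admin" role definition shown above with both placeholders filled in and
# check the result before passing it to `az role definition create`.
# Assumptions: the subscription id and resource group name come from the caller
# (the defaults in main are constructed values); write_template emits a copy of
# the role definition from this page.

# write_template FILE: write the unrendered role definition to FILE.
write_template() {
    cat > "$1" <<'EOF'
{
  "Name": "PKE Admin",
  "Description": "Perform PKE cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
  ]
}
EOF
}

# is_guid VALUE: succeed if VALUE is a 32-hex-digit, dash-separated Azure id.
is_guid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# render_role TEMPLATE SUBSCRIPTION_ID RESOURCE_GROUP_NAME OUTPUT
# Substitutes the placeholders and fails if the inputs or the result look wrong.
render_role() {
    template=$1; sub=$2; rg=$3; out=$4
    is_guid "$sub" || { echo "error: subscription id is not a GUID: $sub" >&2; return 1; }
    # Azure resource group names: 1-90 alphanumerics, underscores, parentheses, hyphens, periods.
    printf '%s\n' "$rg" | grep -Eq '^[A-Za-z0-9_().-]{1,90}$' \
        || { echo "error: invalid resource group name: $rg" >&2; return 1; }
    sed -e "s/{subscriptionId}/$sub/g" -e "s/{resourceGroupName}/$rg/g" "$template" > "$out" || return 1
    # A surviving {placeholder} would give the role a bogus assignable scope.
    if grep -Eq '[{][A-Za-z]+[}]' "$out"; then
        echo "error: unreplaced placeholder left in $out" >&2; return 1
    fi
    # Least privilege: the role must stay assignable within one resource group only,
    # and the elevateAccess exclusion that blocks privilege escalation must be present.
    grep -Eq '"/subscriptions/[^"/]+/resourceGroups/[^"/]+"' "$out" \
        || { echo "error: AssignableScopes is not limited to a resource group" >&2; return 1; }
    grep -q 'Microsoft.Authorization/elevateAccess/Action' "$out" \
        || { echo "error: elevateAccess is not listed under NotActions" >&2; return 1; }
}

main() {
    template=$(mktemp)
    out=${PKE_ROLE_FILE:-pkeadminrole.rendered.json}
    write_template "$template"
    # Constructed defaults; pass your own values through the environment.
    render_role "$template" \
        "${AZURE_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}" \
        "${AZURE_RESOURCE_GROUP:-pke-resource-group}" "$out" \
        && echo "wrote $out; next: az role definition create --role-definition @$out"
    rm -f "$template"
}

main
```

Run it as AZURE_SUBSCRIPTION_ID=... AZURE_RESOURCE_GROUP=... sh render-role.sh (the file name is arbitrary) and pass the rendered file to az role definition create. The scope and NotActions checks are there because the whole point of a custom role is to keep the service principal confined to one resource group without the ability to elevate its own access.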

Create Service Principal

Create a Service Principal and assign it to the previously created role by using the following command:

az ad sp create-for-rbac --name "http://PKEAdminSP" --role "PKE Admin" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}

This outputs the service principal's information, including its appId and password.

Authentication parameter mapping:

AZ output field                    Authentication parameter
appId                              AZURE CLIENT ID
password                           AZURE CLIENT SECRET
az account show --query tenantId   AZURE TENANT ID
az account show --query id         AZURE SUBSCRIPTION ID
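The script below is an added example, not part of the Banzai Cloud documentation or Pipeline itself. It applies the mapping above: it takes the JSON printed by az ad sp create-for-rbac (az ad sp credential reset returns the same fields after a reset) together with the two ids from az account show, validates that the three ids have the expected 32-character dash-separated form and that a password is present, and writes the four parameters to a file readable only by the current user without echoing the secret to the terminal. The SP JSON, ids and secret embedded here are constructed sample values; the assumption that az prints one key per line is its default pretty-printed output, and the PKE_ENV_FILE variable and pke-azure.env file name are this script's own choices.

```shell
#!/bin/sh
# Added example, not taken from the Banzai Cloud documentation: map the JSON from
# `az ad sp create-for-rbac` (the same fields are returned by
# `az ad sp credential reset`) and the ids from `az account show` onto the four
# Pipeline authentication parameters, validating each value on the way.
# The SP JSON and ids below are constructed sample values, not real credentials.
# Assumptions: az prints its default pretty-printed JSON (one key per line) and
# the generated password contains no double quote.

SAMPLE_SP_JSON='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "PKEAdminSP",
  "name": "http://PKEAdminSP",
  "password": "constructed-example-secret"
}'
SAMPLE_TENANT_ID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"        # az account show --query tenantId
SAMPLE_SUBSCRIPTION_ID="99999999-8888-7777-6666-555555555555"  # az account show --query id

# is_guid VALUE: succeed if VALUE is a 32-hex-digit, dash-separated Azure id.
is_guid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# json_field JSON KEY: print the string value of top-level KEY, or nothing if absent.
json_field() {
    printf '%s\n' "$1" | sed -n "s/^ *\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# build_env SP_JSON SUBSCRIPTION_ID TENANT_ID OUTFILE
# Writes the four AZURE_* parameters as shell assignments to OUTFILE (mode 0600).
# Fails on a malformed id or a missing secret; never prints the secret to stdout.
build_env() {
    sp_json=$1; sub=$2; tenant=$3; out=$4
    client=$(json_field "$sp_json" appId)
    secret=$(json_field "$sp_json" password)
    for pair in "AZURE_SUBSCRIPTION_ID=$sub" "AZURE_TENANT_ID=$tenant" "AZURE_CLIENT_ID=$client"; do
        is_guid "${pair#*=}" \
            || { echo "error: ${pair%%=*} is not a 32-character dash-separated hex id" >&2; return 1; }
    done
    [ -n "$secret" ] || { echo "error: no password field in the az output" >&2; return 1; }
    # Subshell so the restrictive umask does not leak into the caller's shell;
    # the explicit chmod covers the case where OUTFILE already existed.
    (
        umask 077
        printf 'AZURE_SUBSCRIPTION_ID=%s\nAZURE_TENANT_ID=%s\nAZURE_CLIENT_ID=%s\nAZURE_CLIENT_SECRET=%s\n' \
            "$sub" "$tenant" "$client" "$secret" > "$out"
    ) || return 1
    chmod 600 "$out"
    echo "wrote $out (client id $client, secret not shown)"
}

main() {
    build_env "$SAMPLE_SP_JSON" "$SAMPLE_SUBSCRIPTION_ID" "$SAMPLE_TENANT_ID" "${PKE_ENV_FILE:-pke-azure.env}"
}

main
```

In real use, replace the constructed sample values with the output of the az commands (for example by piping az ad sp create-for-rbac ... into a variable) and keep the resulting file out of version control; it carries the same secret Pipeline will store.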

Note: If creating a custom role is not an option, the required access rights can instead be assigned directly to the service principal using Azure's built-in roles.

Warning: While this is an option, we do not recommend it, as the Azure built-in roles used below provide wider access rights within the scope of the subscription than needed:

az ad sp create-for-rbac --name "PKEAdminSP" --skip-assignment
az role assignment create --role "User Access Administrator" --assignee "http://PKEAdminSP" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
az role assignment create --role "Owner" --assignee "http://PKEAdminSP" --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}

Register PKE required services

PKE requires the following services to be pre-registered:

Microsoft.Compute
Microsoft.Storage
Microsoft.Network

Previously registered services can be listed by running the following command:

az provider list --query "[?registrationState=='Registered'].{Provider:namespace, Status:registrationState}" --out table

To register the required services execute:

az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Storage
az provider register --namespace Microsoft.Network

It may take some time for these service registrations to propagate through the necessary zones and datacenters.

You can check the status of each individual service with the following command:

az provider show -n {{service provider name}} -o table

(e.g.: az provider show -n Microsoft.Compute -o table)
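Because registration propagates asynchronously, the following added example (not part of the Banzai Cloud documentation) polls az provider show for each of the three providers PKE needs and only succeeds once all of them report Registered, so that a cluster create is not attempted while a provider is still Registering. It assumes the Azure CLI is on PATH and already logged in; the attempt count, poll interval and the PKE_WAIT environment variable are arbitrary choices of this script.

```shell
#!/bin/sh
# Added example, not taken from the Banzai Cloud documentation: wait until the
# providers PKE requires report Registered, reading the state with
# `az provider show -n <namespace> --query registrationState -o tsv`.
# Assumptions: az is on PATH and logged in; the defaults below are arbitrary.

PKE_PROVIDERS="Microsoft.Compute Microsoft.Storage Microsoft.Network"

# provider_state NAMESPACE: print the provider's registrationState (e.g. Registered).
provider_state() {
    az provider show -n "$1" --query registrationState -o tsv
}

# wait_for_provider NAMESPACE [MAX_ATTEMPTS] [INTERVAL_SECONDS]
# Succeeds when the provider is Registered; fails after MAX_ATTEMPTS polls.
wait_for_provider() {
    ns=$1; max=${2:-30}; interval=${3:-10}; attempt=0
    while [ "$attempt" -lt "$max" ]; do
        attempt=$((attempt + 1))
        # If az itself fails (not logged in, no network) treat the state as unknown and retry.
        state=$(provider_state "$ns" 2>/dev/null) || state="unknown"
        if [ "$state" = "Registered" ]; then
            echo "$ns: Registered (after $attempt poll(s))"
            return 0
        fi
        echo "$ns: $state, waiting ${interval}s (attempt $attempt/$max)" >&2
        if [ "$attempt" -lt "$max" ]; then sleep "$interval"; fi
    done
    echo "error: $ns did not reach Registered after $max attempts" >&2
    return 1
}

# wait_for_all [MAX_ATTEMPTS] [INTERVAL_SECONDS]
# Checks every PKE provider and reports all of the ones that are not ready.
wait_for_all() {
    failed=0
    for ns in $PKE_PROVIDERS; do
        wait_for_provider "$ns" "$1" "$2" || failed=1
    done
    return $failed
}

# Only poll when explicitly asked, so sourcing the file just defines the functions:
#   PKE_WAIT=1 sh wait-providers.sh
if [ "${PKE_WAIT:-0}" = "1" ]; then
    wait_for_all
fi
```

Run the registration commands above first, then PKE_WAIT=1 sh wait-providers.sh (the file name is arbitrary); a non-zero exit means at least one provider is still not Registered and the cluster create should not be started yet.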

When your credential has expired or the assigned role has been changed, the service principal you are using no longer has the required permissions. In this case the following error message appears:

authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ...

The solution is to reset the credential of the service principal with the following command:

az ad sp credential reset --name "PKEAdminSP"

This will output the new service principal information, including a new password. You'll have to re-create the Pipeline secret with the new password.