Create Azure Kubernetes Service using Service Principal Name

Sep. 17, 2019

AKS, also known as Azure Kubernetes Service, is a managed Kubernetes service offered by Microsoft Azure. In today's post I will show you how to create an AKS cluster using a Service Principal Name (SPN).

I have access to a subscription where AKS can't be created without an SPN. In my case, once I initiated AKS cluster creation with an SPN, it worked without any issues.

Service Principal Name

What is an SPN? The Microsoft documentation explains nicely what it does and why you need it:

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Azure Service Principal

Prerequisites

  1. Azure Account ;)
  2. Resource Group
  3. Azure KeyVault

Azure Resource Group

To create a resource group we can use the following command (--subscription and --tags are optional):

az group create --location YOUR-LOCATION \
                --name YOUR-RESOURCE-GROUP

KeyVault

az keyvault create --location YOUR-LOCATION \
--name YOUR-KEYVAULT-NAME --resource-group YOUR-RESOURCE-GROUP

SPN creation

One hint before creating the SPN: scope its role assignment to the resource group that will hold your AKS cluster (the --scopes argument below), not to the whole subscription. The command below grants Owner on that resource group; Contributor is enough for AKS and, unlike Owner, does not let the principal hand out roles to others, so prefer it unless you have a reason not to. Note also that --years 5 gives the certificate a five-year lifetime; choose what your credential-rotation policy allows.

az ad sp create-for-rbac --name YOUR-SPN-NAME \
  --create-cert --cert YOUR-CERT-NAME --years 5 \
  --keyvault YOUR-KEYVAULT-NAME --verbose \
  --role='Owner' \
  --scopes='/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/YOUR-RESOURCE-GROUP'

Output

{
  "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "displayName": "YOUR-SPN-NAME",
  "name": "http://YOUR-SPN-NAME",
  "password": null,
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

If you try to create an AKS cluster now you will be asked for a client secret. The output above shows "password": null: we created the SPN with a certificate credential only, and az aks create accepts a client secret, not a certificate. We need to add one.

SPN password reset

Before adding the password it is worth confirming that the certificate created above actually landed in Key Vault. The CLI stores it as a secret named after the certificate, with content type application/x-pkcs12, so a simple query shows it together with its id, version and expiry. Note that --id and the --name/--vault-name pair are mutually exclusive; --name fetches the latest version.

az keyvault secret show \
  --name YOUR-CERT-NAME \
  --vault-name YOUR-KEYVAULT-NAME \
  --subscription XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Output

{
  "attributes": {
    "created": "2019-09-17T12:32:31+00:00",
    "enabled": true,
    "expires": "2024-10-17T12:32:31+00:00",
    "notBefore": "2019-09-17T12:22:31+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-09-17T12:32:31+00:00"
  },
  "contentType": "application/x-pkcs12",
  "id": "https://YOUR-KEYVAULT-NAME.vault.azure.net/secrets/YOUR-CERT-NAME/XXXXXXXXXXXXXXXXXX",
  "kid": "https://YOUR-KEYVAULT-NAME.vault.azure.net/keys/YOUR-CERT-NAME/XXXXXXXXXXXXXXXXXX",
  "managed": true,
  "tags": null,
  "value": "A lot of text ;)"
}

The next step is to add a password credential to the SPN; this is the secret we will use later during AKS creation. Be aware that az ad sp credential reset overwrites existing password credentials unless you pass --append, so add it if anything else already relies on this SPN's password. The returned password is the cluster's identity: keep it out of shell history, logs and tickets.

az ad sp credential reset --name YOUR-SPN-NAME

Output

{
  "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "name": "http://YOUR-SPN-NAME",
  "password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Kubernetes Cluster

At the very end, pass the resource group, the AKS cluster name, the SPN's appId (the "appId" value from the output above) and the password.

az aks create \
    --resource-group YOUR-RESOURCE-GROUP \
    --name YOUR-AKS-CLUSTER \
    --service-principal <appId> \
    --client-secret <password>

If everything went well your Azure Kubernetes Cluster deployment will start.
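The whole procedure above as one script. This is an added example and not the author's code; it assumes the Azure CLI (az) is installed and already logged in, and every name and the subscription id are placeholders to replace. It departs from the steps above in two deliberate ways: the role assignment is Contributor rather than Owner, scoped to the resource group, and the credential reset uses --append so the certificate credential created in Key Vault is kept. rbac_scope is a hypothetical helper that builds and sanity-checks the scope string, so a mistyped subscription id or an empty resource group fails here instead of producing a confusing role assignment.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: AKS cluster with a service
# principal, end to end. Assumes `az` is installed and `az login` was done
# with an account allowed to create role assignments in the resource group.
# Every value below is a placeholder; override via environment variables.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
LOCATION="${LOCATION:-westeurope}"
RESOURCE_GROUP="${RESOURCE_GROUP:-YOUR-RESOURCE-GROUP}"
KEYVAULT_NAME="${KEYVAULT_NAME:-YOUR-KEYVAULT-NAME}"
SPN_NAME="${SPN_NAME:-YOUR-SPN-NAME}"
CERT_NAME="${CERT_NAME:-YOUR-CERT-NAME}"
AKS_NAME="${AKS_NAME:-YOUR-AKS-CLUSTER}"

# Hypothetical helper: build the RBAC scope for the role assignment and refuse
# malformed input, so a copy/paste error in the subscription id or an empty
# resource group name is caught before any az call runs.
rbac_scope() {
  subscription="$1"
  resource_group="$2"
  if ! printf '%s' "$subscription" |
       grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
    echo "rbac_scope: subscription id is not a GUID: $subscription" >&2
    return 1
  fi
  if [ -z "$resource_group" ]; then
    echo "rbac_scope: resource group name is empty" >&2
    return 1
  fi
  printf '/subscriptions/%s/resourceGroups/%s\n' "$subscription" "$resource_group"
}

main() {
  scope="$(rbac_scope "$SUBSCRIPTION" "$RESOURCE_GROUP")"

  az group create --location "$LOCATION" --name "$RESOURCE_GROUP" \
    --subscription "$SUBSCRIPTION" --output none
  az keyvault create --location "$LOCATION" --name "$KEYVAULT_NAME" \
    --resource-group "$RESOURCE_GROUP" --subscription "$SUBSCRIPTION" --output none

  # Contributor, not Owner: the cluster never needs to assign roles itself.
  # The certificate lands in Key Vault; only the appId is kept in this shell.
  app_id="$(az ad sp create-for-rbac --name "$SPN_NAME" \
    --create-cert --cert "$CERT_NAME" --years 1 --keyvault "$KEYVAULT_NAME" \
    --role Contributor --scopes "$scope" --query appId --output tsv)"

  # az aks create needs a client secret, so add a password credential.
  # --append keeps the certificate credential created above in place.
  client_secret="$(az ad sp credential reset --name "$SPN_NAME" --append \
    --query password --output tsv)"

  # Confirm the assignment is scoped to the resource group and nothing wider.
  az role assignment list --assignee "$app_id" --scope "$scope" --output table

  az aks create --resource-group "$RESOURCE_GROUP" --name "$AKS_NAME" \
    --service-principal "$app_id" --client-secret "$client_secret" \
    --generate-ssh-keys --subscription "$SUBSCRIPTION" --output none

  # The secret was never echoed; drop it as soon as the cluster is created.
  unset client_secret
}

# Set RUN_AKS_SETUP=1 to execute. By default the file only defines functions,
# so it can be sourced and rbac_scope exercised without touching Azure.
if [ "${RUN_AKS_SETUP:-0}" = "1" ]; then
  main
fi
```

Run it with RUN_AKS_SETUP=1 after exporting your own values; the secret is passed straight from the reset command into az aks create via a shell variable and is never printed, so it does not end up in the terminal scrollback the way the copy/paste flow above leaves it.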

Happy k8sing ;)