Contributors: ebarcott, akseldavis

In order to create an Azure cluster through NetApp Kubernetes Service (NKS), you will need to either create a new set of credentials, or locate your existing credentials.

Create New Azure Credentials

To create new Azure credentials, you will need to use one of the following:

  • Option 1: The subscription ID, an Active Directory application, and an authorized Service Principal. (Recommended)

  • Option 2: A resource group and service principal from the Azure CLI.

Option 1: Use the Azure Portal

With this approach you set up an Azure Active Directory (AD) application and assign the required permissions to it. Microsoft recommends this approach instead of running the app under your own credentials because:

  1. You can assign the app permissions independent from those which are assigned to your own account. This lets you restrict the app’s permissions to only those which it needs in order to function.

  2. If you update the permissions on your own account, you won’t have to update the app’s credentials as well.

  3. Unattended scripts can use a certificate to automate authentication.

There are four authentication parameters:

  • AZURE_SUBSCRIPTION_ID: A GUID (32 hexadecimal characters in dash-separated form).

  • AZURE_TENANT_ID: A GUID (32 hexadecimal characters in dash-separated form).

  • AZURE_CLIENT_ID: A GUID (32 hexadecimal characters in dash-separated form).

  • AZURE_CLIENT_SECRET: The authentication key (client secret) you generate for the app registration.

In Brief: Finding the Authentication Parameters

Subscription ID: All Services > Subscriptions > Subscription ID

Tenant ID (Azure calls this the Directory ID): Azure Active Directory > Properties > Directory ID

Client ID (Azure calls this the Application ID): All Services > Filter by “app registrations” > App Registrations > Click your application > Copy the Application ID

Auth Key: All Services > Filter by “app registrations” > App Registrations > Click your application > Settings > Keys > Create a new key

Verify Azure Permissions and Find the Required Account Information

Step 1: Check App Registration Settings

Your Azure login needs to have enough permissions to register an application with your Azure AD tenant, and assign the application to a role in your Azure subscription. To verify this, log in to the Azure portal, then go to Azure Active Directory > User settings > App Registrations.

Azure Auth: App Registrations
  • If “Users can register applications” is set to Yes, any user in the Azure AD tenant can register an app. You can proceed.

  • If “Users can register applications” is set to No, only global administrators can register apps.

Step 2: Check Account Permissions

Click Azure Active Directory > Overview to check your account permissions. In this example, the account’s role is User.

Azure Auth: User Role
  • If your account is assigned to the Global administrator role, you can proceed.

  • If your account is assigned to the User role, and “Users can register applications” is set to Yes, you can proceed.

  • If your account is assigned to the User role, and “Users can register applications” is set to No, you will NOT be able to register an app. You have two options:

    1. Ask your administrator to assign your account to the Global administrator role.

    2. Ask your administrator to enable users to register apps.

Step 3: Check the Subscription

You must have an Azure subscription created and assigned to the Azure directory. The subscription must be registered with the resource provider “Microsoft.Network”.

To check this, click All services > Subscriptions.

Azure Auth: Subscription ID

From here you can assign a subscription to your Azure directory, or switch Azure directories.

NOTE: Copy the Subscription ID. You will need it to create your NKS cluster.

If you don’t have a subscription set up yet, click + Add to add one.

The resource provider Microsoft.Network is not registered by default. You will need to register it. Select the subscription, then click Settings: Resource Providers.

Here you can check whether Microsoft.Network is registered. If it is not, then locate the service and click Register.

Step 4: Check Your Account’s Role for the Subscription

Your account role for the subscription must be Owner, Account Admin, or User Access Administrator, because assigning the app to a role (Step 9) requires permission to create role assignments. If your account role is Contributor, it won’t work.

To check this, go to Home > Subscriptions and check the My Role column.

Azure Auth: My Subscription Role

Step 5: Create an Azure Active Directory application

  • Go to Azure Active Directory > App registrations > New application registration.

  • Enter a name for the app.

  • Select Web app/API for the application type.

  • Enter the URL for the app.

  • Click Create.

Step 6: Get the Application ID (Client ID)

Go to All services > filter by “app registrations” > App Registrations. If this is a new app, you will need to register it. Click New application registration > Fill out the app’s details > Save.

NOTE: Copy the Application ID. This is the Client ID you will need to create your NKS cluster.

Azure Auth: App ID

Step 7: Generate an Authentication Key

On the App Registrations page, click the app, then click Settings > Keys > Fill in the description and expiration date > Save. This will generate the key.

IMPORTANT: Copy the key value and save it. You will not be able to retrieve this key later. This is your only chance to get the auth key.

Step 8: Get the Tenant ID

Click Azure Active Directory > Properties > Directory ID. This is the Tenant ID you need to create your NKS cluster.

Azure Auth: Tenant ID

Step 9: Choose a Role and Scope for the App

Decide which built-in RBAC role offers the right permissions for your application.

For a list of all built-in RBAC roles and their permissions, see the official RBAC documentation.

Azure has three scope levels:

  • Subscription (highest)

  • Resource group

  • Resource (lowest)

Permissions are inherited by lower scope levels. For example, if you add an app to the Reader role for a resource group, the app will have Read access to that resource group and any resources it contains.

To assign the app’s scope and role:

  • Go to the scope level (subscription, resource group, or resource) you want to use for the app.

  • Click the subscription/resource group/resource the app will be assigned to.

  • Click Access Control (IAM) > + Add > Click the role > Search to find your app > Click the app > Save.

Option 2: Use the Command-Line Tool

Authentication Parameters

  • Subscription ID: Azure calls this "ID" in the output of the az login command.

  • Tenant ID: Azure calls this the Directory ID.

  • Client ID: Azure calls this the Application ID.

Log in to the Azure CLI.

az login

Follow the instructions to authenticate. After the log-in and authentication process is complete, this will output account information including the Subscription ID.

Note
The Subscription ID is labeled just "ID" in the output of the az login command.

Set the account with the subscription ID.

az account set --subscription "[subscription ID]"

For example, if the subscription ID is a123-b456-c789 the command is:

az account set --subscription "a123-b456-c789"

Create a resource group if one does not already exist.

az group create -n "[resource group name]" -l "westus"

For example, if the resource group name is myResourceGroup the command is:

az group create -n "myResourceGroup" -l "westus"

Create the service principal:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/[subscription ID]/resourceGroups/[resource group name]"

For example, if the subscription ID is a123-b456-c789 and the resource group name is myResourceGroup, the command is:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/a123-b456-c789/resourceGroups/myResourceGroup" -o table

This will output the new service principal’s details, including the app ID (the -o table flag prints the output as a table instead of JSON; omit it to get JSON).

Assign the service principal the role Contributor. Note that the command below has no --scope argument, so the CLI assigns the role at its default scope, the whole subscription, which is broader than the resource group scope used in the previous step; add --scope "/subscriptions/[subscription ID]/resourceGroups/[resource group name]" if the principal should stay limited to that resource group:

az role assignment create --assignee [appID] --role Contributor

For example, if the app ID is 1234-5678, the command is:

az role assignment create --assignee 1234-5678 --role Contributor
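The CLI steps above produce two JSON documents (from az login and az ad sp create-for-rbac) whose field names do not match the parameter names NKS asks for, and the scope strings in Step 9 and in the --scopes argument decide how far the Contributor assignment reaches. The following script is an added example, not code from the NKS documentation or from Microsoft: it parses constructed sample CLI output (the IDs and the secret are placeholders), maps the fields to the four AZURE_* parameters, checks that the three IDs have the GUID shape, and checks whether a role assignment at one scope is inherited by another, as the scope section above describes.

```python
"""Added example: map Azure CLI output to the NKS credential parameters and
check assignment scope. All JSON below is constructed sample output."""
import json
import re

# Shape of a GUID, the format of subscription, tenant and client IDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample of `az login` output: a JSON list of subscriptions.
AZ_LOGIN_OUTPUT = """[
  {
    "cloudName": "AzureCloud",
    "id": "11111111-2222-3333-4444-555555555555",
    "isDefault": true,
    "name": "Pay-As-You-Go",
    "state": "Enabled",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "user": {"name": "someone@example.com", "type": "user"}
  }
]"""

# Constructed sample of `az ad sp create-for-rbac` JSON output (placeholder secret).
AZ_SP_OUTPUT = """{
  "appId": "99999999-8888-7777-6666-555555555555",
  "displayName": "azure-cli-sample",
  "password": "constructed-placeholder-secret",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}"""


def is_guid(value):
    """True if value looks like a dash-separated GUID."""
    return bool(GUID_RE.match(value or ""))


def default_subscription(az_login_json):
    """Return the subscription marked isDefault, falling back to the first one."""
    subs = json.loads(az_login_json)
    for sub in subs:
        if sub.get("isDefault"):
            return sub
    return subs[0]


def nks_parameters(az_login_json, az_sp_json):
    """Map CLI fields to the four NKS parameters.

    The subscription ID is the "id" field of az login output; the client ID is
    "appId" and the secret is "password" in the create-for-rbac output."""
    sub = default_subscription(az_login_json)
    sp = json.loads(az_sp_json)
    if sp["tenant"] != sub["tenantId"]:
        raise ValueError("service principal tenant does not match the subscription tenant")
    return {
        "AZURE_SUBSCRIPTION_ID": sub["id"],
        "AZURE_TENANT_ID": sub["tenantId"],
        "AZURE_CLIENT_ID": sp["appId"],
        "AZURE_CLIENT_SECRET": sp["password"],
    }


def validate(params):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for key in ("AZURE_SUBSCRIPTION_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_ID"):
        if not is_guid(params.get(key)):
            problems.append(f"{key} is not a GUID: {params.get(key)!r}")
    if not params.get("AZURE_CLIENT_SECRET"):
        problems.append("AZURE_CLIENT_SECRET is empty")
    return problems


def rg_scope(subscription_id, resource_group):
    """Build the resource group scope string used in the --scopes argument above."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def scope_covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited by target_scope.

    Azure resource IDs nest by path (subscription > resource group > resource),
    so inheritance is a case-insensitive path-prefix check."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


if __name__ == "__main__":
    params = nks_parameters(AZ_LOGIN_OUTPUT, AZ_SP_OUTPUT)
    for problem in validate(params) or ["all parameters look valid"]:
        print(problem)
    rg = rg_scope(params["AZURE_SUBSCRIPTION_ID"], "myResourceGroup")
    sub = f"/subscriptions/{params['AZURE_SUBSCRIPTION_ID']}"
    print("subscription-level Contributor reaches the resource group:", scope_covers(sub, rg))
    print("resource-group Contributor reaches the subscription:", scope_covers(rg, sub))
```

Running the script shows why the missing --scope matters: a Contributor assignment at the subscription scope covers every resource group in it, while an assignment at the resource group scope does not reach back up to the subscription.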

Find your Azure Credentials

To create an Azure cluster through NetApp Kubernetes Service (NKS) you will need the Subscription ID, Tenant (Directory) ID, and Client (Application) ID.

Note
To create your Azure credentials, follow the steps in the official Documentation here.

Find the Subscription ID

Sign in to your Azure account through the Azure portal. Click All Services.

Azure Auth

Click Subscriptions.

Azure Auth

Copy the Subscription ID.

Azure Auth

Find the Tenant (Directory) ID

From the main Azure portal page, click Azure Active Directory.

Azure Auth

Click Properties.

Azure Auth

Copy the Directory ID.

Azure Auth

Find the Client (Application) ID

From the main Azure portal page, click All Services.

Azure Auth

Search for "app registrations." Click on App Registrations.

Azure Auth

Copy the Application ID for your application.

Azure Auth

Find the Client Password (Secret)

If you no longer have the original Client Password (Secret), you can create a new one at any time.

From the main Azure portal page, click All Services.

Azure Auth

Search for "app registrations." Click on App Registrations.

Azure Auth

Click on your application.

Azure Auth

Click Certificates and Secrets.

Azure Auth

Click +New Client Secret.

Azure Auth

Fill in the name, choose the expiration date, then click Add.

Azure Auth

Copy the new Secret and paste it into NKS. You may also want to paste it into a text file saved on your local computer.

Azure Auth
Warning
This is the only time you will be able to view the password (secret). After you leave this page, the secret will no longer be displayed. If you lose it, you will need to follow this process again to create a new one.