Azure Credentials and Permissions Edit on GitHub Request doc changes

Contributors ebarcott akseldavis

To create an Azure cluster through NetApp Kubernetes Service (NKS), you will need to get your Azure credentials and verify that you have the correct permissions. You can do this either through the Azure portal or the Azure CLI.

To use this feature, you will need an NKS account. If you don’t have one already, you can sign up for a free 30-day trial with no credit card required at https://nks.netapp.io.

After you add your Azure credentials to your NKS account, click here to learn how to create a Kubernetes cluster on Azure

Shortcut: Find Your Azure Credentials

  • Subscription ID: All Services > Subscriptions > Subscription ID

  • Tenant ID (Azure calls this the Directory ID): Azure Active Directory > Properties > Directory ID

  • Client ID (Azure calls this the Application ID): All Services > Filter by “app registrations” > App Registrations > Click your application > Copy the Application ID

  • Client Password (Azure calls this the Client Secret): All Services > Filter by “app registrations” > App Registrations > Click your application > Certificates & Secrets > Client Secrets > New client secret

Step 1: Check Your Permissions

Before you begin, or if you get a permissions error, you will want to go through your Azure account to check all of your permissions.

Azure User Permissions

Log in to the Azure portal, then go to Azure Active Directory > User settings > App Registrations.

Azure Auth: App Registrations
  • If “Users can register applications” is set to Yes, you can proceed.

  • If “Users can register applications” is set to No, only global administrators can register apps.

Azure Account Permissions

Click Azure Active Directory > Overview to check your account permissions. In this example, the account’s role is User.

Azure Auth: User Role
  • If your account is assigned to the Global administrator role, you can proceed.

  • If your account is assigned to the User role, and “Users can register applications” is set to Yes, you can proceed.

  • If your account is assigned to the User role, and “Users can register applications” is set to No, you will NOT be able to register an app. You have two options:

    1. Ask your administrator to assign your account to the Global administrator role.

    2. Ask your administrator to enable users to register apps.

Azure Subscription Resource Providers

You must have an Azure subscription created and assigned to the Azure directory. In order to work, the subscription must be registered with the resource provider Microsoft.Network.

To check this, click All services > Subscriptions

Azure Auth: Subscription ID
Note
Copy the Subscription ID. You will need it to create your NKS cluster.

The resource provider Microsoft.Network is not registered by default. You will need to register it. Select the subscription, then click Settings: Resource Providers.

Azure Auth: Subscription ID

Here you can check whether Microsoft.Network is registered. If not, find the service and click Register.

Note
The providers Microsoft.Storage and Microsoft.Compute should also be registered by default. If these have not been registered, find them on the list and register them.

Azure Account’s Subscription Role

Your account role for the subscription can be Owner, Account Admin, or User Access Administrator, but NOT Contributor.

To check this, go to All Services > Subscriptions and check the My Role column.

Azure Auth: My Subscription Role

Step 2: Create an Azure Application

If you don’t already have an app, go to Azure Active Directory > App registrations then click New registration to create a new one.

Azure Auth: Add an new app registration

In the pop-up window which appears:

  • Enter a name for the app.

  • Choose the supported account type (Single Tenant, Multitenant, or Multitenant and Personal).

  • Set the Redirect URI (optional).

  • Click Register.

This redirects you to the new application’s information page.

Note
Copy the Application ID. This is the Client ID you will need to create your NKS cluster.

Next, give your app a role assignment.

Go to All services > Subscriptions. Click the subscription you want to use for the app.

Azure Auth: Subscription ID

Click Access Control (IAM) > +Add. In the drop-down menu which appears, choose Add role assignment.

In the pop-up window which appears:

  • Choose Contributor for the role.

  • Leave the Assign access to drop-down menu at the default choice, Azure AD user, group, or service principal.

  • Search for your app by pasting the App ID into the Select field.

Your app will appear in the search results. Click your app, then click Save.

Step 3: Create a Client Password (Client Secret)

On the App Registrations page, click your app, then click Certificates & Secrets > +New client secret.

Azure Auth: Create new client secret

Fill in the description and expiration date, then click Add to generate the key.

Important
Copy and save the Client Secret. This is the Client Password you will need to create your NKS cluster. You will not be able to view the Client Secret after you leave this page.

If you lose your Client Secret, you will need to create a new one.

Find Your Existing Azure Credentials

To create an Azure cluster through NetApp Kubernetes Service (NKS) you will need the Subscription ID, Tenant (Directory) ID, and Client (Application) ID.

Shortcut: Find Your Azure Credentials

  • Subscription ID: All Services > Subscriptions > Subscription ID

  • Tenant ID (Azure calls this the Directory ID): Azure Active Directory > Properties > Directory ID

  • Client ID (Azure calls this the Application ID): All Services > Filter by “app registrations” > App Registrations > Click your application > Copy the Application ID

  • Client Password (Azure calls this the Client Secret): All Services > Filter by “app registrations” > App Registrations > Click your application > Certificates & Secrets > Client Secrets > New client secret

Find Your Azure Subscription ID

Sign in to your Azure account through the Azure portal. Go to All services > Subscriptions and copy the Subscription ID.

Azure Auth: Subscription ID

Find Your Azure Tenant ID

Click Azure Active Directory > Properties > Directory ID. This is the Tenant ID you need to create your NKS cluster.

Azure Auth: Tenant ID

Find Your Azure Client ID

Go to Azure Active Directory > App registrations. Copy the Application ID. This is the Client ID you will need to create your NKS cluster.

Azure Auth: App ID

Find Your Azure Client Password (Secret)

Go to Azure Active Directory > App Registrations. Click your app, then click Certificates & Secrets > +New client secret.

Azure Auth: Create new client secret

Fill in the description and expiration date, then click Add to generate the key.

Important
Copy and save the Client Secret. This is the Client Password you will need to create your NKS cluster. You will not be able to view the Client Secret after you leave this page.

If you lose your Client Secret, you will need to create a new one.

Use the Azure CLI

Authentication Parameters

  • Subscription ID: Azure calls this "ID" in the output of the az login command.

  • Tenant ID: Azure calls this the Directory ID.

  • Client ID: Azure calls this the Application ID.

Log in to the Azure CLI.

az login

Follow the instructions to authenticate. After the log-in and authentication process is complete, this will output account information including the Subscription ID.

Note
The Subscription ID is labeled "ID" in the output of the az login command.

Set the account with the subscription ID.

az account set --subscription "[subscription ID]"

For example, if the subscription ID is a123-b456-c789 the command is:

az account set --subscription "a123-b456-c789"

Create a resource group if one does not already exist.

az group create -n "[resource group name]" -l "westus"

For example, if the resource group name is myResourceGroup the command is:

az group create -n "myResourceGroup" -l "westus"

Create the service principal:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/[subscription ID]/resourceGroups/[resource group name]"

For example, if the subscription ID is a123-b456-c789 and the resource group name is myResourceGroup, the command is:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/a123-b456-c789/resourceGroups/myResourceGroup" -o table

This will output account information including the app ID.

Assign the service principal with the role Contributor:

az role assignment create --assignee [appID] --role Contributor

For example, if the app ID is 1234-5678, the command is:

az role assignment create --assignee 1234-5678 --role Contributor

Did this article answer your question? If not, contact us.