Banzai Cloud Pipeline requires the following authentication parameters when managing AKS clusters:

  • AZURE SUBSCRIPTION ID: A 32-character hexadecimal dash-separated string.
  • AZURE TENANT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT ID: A 32-character hexadecimal dash-separated string.
  • AZURE CLIENT SECRET: A password generated by you.

The instructions below describe how to obtain these.

Enable AKS service

Log in to the Microsoft Azure Portal and ensure that Microsoft's AKS service is enabled for your subscription.

AKS Service

Install the Azure CLI

The Azure CLI is the easiest and fastest way to prepare credentials for managing AKS clusters. Install the Azure CLI by running the following command:

curl -L https://aka.ms/InstallAzureCli | bash
exec -l $SHELL
az login

Follow the instructions to authenticate. After the login and authentication process is complete, you will receive account information including your id—which is your subscription ID—and tenantId.

Note: you can query your subscription and tenant ID at any time by using the following commands:

az account show --query id # subscription ID
az account show --query tenantId # tenant ID

Create admin role

Create an Azure role that contains all the rights necessary to manage an AKS cluster.

Save the following role definition to a JSON file (e.g. aksadminrole.json):

{
  "Name": "AKS Admin",
  "Description": "Perform AKS cluster create/read/update/delete actions",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Billing/*",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}

Replace {subscriptionId} with your subscription ID.

Create the role using:

az role definition create --verbose --role-definition @aksadminrole.json

Create service principal

Create a service principal and assign it to the previously created role by using the following command:

az ad sp create-for-rbac --name "AKSAdminSP" --role "AKS Admin"

This will print information about the created service principal, including appId and password.

Authentication parameter mapping:

AZ output field                     Authentication parameter
appId                               AZURE CLIENT ID
password                            AZURE CLIENT SECRET
az account show --query tenantId    AZURE TENANT ID
az account show --query id          AZURE SUBSCRIPTION ID

Note: If creating a custom role is not an option then the required access rights must be assigned directly to the service principal using Azure’s built-in roles.

Warning: While this is an option, we do not recommend it, because the Azure built-in roles used below grant wider access rights within the subscription than needed:

az ad sp create-for-rbac --name "AKSAdminSP" --skip-assignment
az role assignment create --role "User Access Administrator" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxx
az role assignment create --role "Owner" --assignee "http://AKSAdminSP" --scope /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxx

Register required services

AKS requires the following services to be pre-registered:

  • Microsoft.Compute
  • Microsoft.ContainerService
  • Microsoft.Network
  • Microsoft.Storage

Previously registered services can be listed by running the following command:

az provider list --query "[?registrationState=='Registered'].{Provider:namespace, Status:registrationState}" --out table

To register the required services execute:

az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.Storage

It may take some time for these service registrations to propagate through the necessary zones and datacenters.

You can check the status of each individual service with the command:

az provider show -n {{service provider name}} -o table

(e.g.: az provider show -n Microsoft.ContainerService -o table)

Troubleshooting

When your service principal’s credential has expired an error message like the following will appear:

authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 ...

The solution is to reset the credential of the service principal with the following command:

az ad sp credential reset --name "AKSAdminSP"

This will print your new service principal information, including the new password. You have to update the Pipeline secret with this new password.

You could get the same error message when the service principal’s assigned role has changed and it does not have the required permissions anymore. In this case, you should check whether the service principal still has the necessary permissions either through its roles or directly assigned.
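The checks described above, as an added example that is not part of the Banzai Cloud Pipeline code: it validates the format of the four authentication parameters, renders the AKS Admin role definition scoped to one subscription, and inspects the JSON output of `az role assignment list --assignee <appId> -o json` to confirm the service principal still holds the role. The sample assignment list is constructed, and the `roleDefinitionName` and `scope` field names are assumed from the CLI's JSON output.

```python
import json
import re

# Azure GUIDs: 32 hex characters, dash-separated as 8-4-4-4-12.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_azure_guid(value):
    """True when value has the format Pipeline expects for subscription, tenant and client IDs."""
    return bool(GUID_RE.match(value or ""))


def validate_params(params):
    """Return the names of malformed or missing parameters (empty list means all are usable)."""
    bad = [k for k in ("AZURE_SUBSCRIPTION_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_ID")
           if not is_azure_guid(params.get(k))]
    if not params.get("AZURE_CLIENT_SECRET"):
        bad.append("AZURE_CLIENT_SECRET")
    return bad


def aks_admin_role(subscription_id):
    """Render the AKS Admin role definition from this page with the subscription scope filled in."""
    if not is_azure_guid(subscription_id):
        raise ValueError("subscription ID must be a dash-separated 32-character hex string")
    return {
        "Name": "AKS Admin",
        "Description": "Perform AKS cluster create/read/update/delete actions",
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Billing/*",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
        ],
        "AssignableScopes": ["/subscriptions/%s" % subscription_id],
    }


def has_role(assignments_json, role_name, subscription_id):
    """Check 'az role assignment list' JSON for role_name assigned at the subscription scope."""
    scope = "/subscriptions/%s" % subscription_id
    return any(a.get("roleDefinitionName") == role_name and a.get("scope") == scope
               for a in json.loads(assignments_json))


# Constructed sample (not real Azure output): only Reader remains, AKS Admin was removed.
SAMPLE_SUBSCRIPTION = "11111111-2222-3333-4444-555555555555"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/" + SAMPLE_SUBSCRIPTION}
])
```

If `has_role` returns False for "AKS Admin", the 403 in the troubleshooting section is a permissions problem rather than an expired credential, and resetting the password will not fix it.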