AKS-Arc/azure-rbac-23h2.md
11 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -6,8 +6,8 @@ ms.custom: devx-track-azurecli
6
6
author: sethmanheim
7
7
ms.author: sethm
8
8
ms.reviewer: leslielin
9
-
ms.date: 07/26/2024
10
-
ms.lastreviewed: 07/26/2024
9
+
ms.date: 02/21/2025
10
+
ms.lastreviewed: 02/21/2025
11
11
12
12
# Intent: As an IT Pro, I want to use Azure RBAC to authenticate connections to my AKS clusters over the Internet or on a private network.
13
13
# Keyword: Kubernetes role-based access control AKS Azure RBAC AD
@@ -46,9 +46,15 @@ Before you begin, make sure you have the following prerequisites:
46
46
```
47
47
48
48
- To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html).
49
-
- You need the following permissions to enable Azure RBAC while creating a Kubernetes cluster:
50
-
- To create a Kubernetes cluster, you need the **Azure Kubernetes Service Arc Contributor** role.
51
-
- To use the `--enable-azure-rbac` parameter, you need the **Role Based Access Control Administrator** role for access to the **Microsoft.Authorization/roleAssignments/write** permission. For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles/general).
49
+
- The following permissions are required to enable Azure RBAC when creating a Kubernetes cluster:
50
+
- To create a Kubernetes cluster, the [**Azure Kubernetes Service Arc Contributor**](/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-service-arc-contributor-role) role is required.
51
+
- To use the `--enable-azure-rbac` parameter, the [**Role Based Access Control Administrator**](/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator) role is required for access to the **Microsoft.Authorization/roleAssignments/write** permission.
52
+
- To assign these roles, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) CLI command, or follow [Assign Azure roles using Azure CLI](/azure/role-based-access-control/role-assignments-cli):
53
+
54
+
```azurecli
55
+
az role assignment create --assignee <assignee-object-id> --role <role-name-or-id> --scope $ARM_ID
56
+
```
57
+
52
58
- New role assignments can take up to five minutes to propagate and be updated by the authorization server.
53
59
- Once Azure RBAC is enabled, you can access your Kubernetes cluster with the given permissions using either direct mode or proxy mode.
54
60
- To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permission.
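Review bot: In the added `az role assignment create` line, `--scope $ARM_ID` relies on a shell variable that nothing in this hunk defines, while the other two arguments are angle-bracket placeholders (`<assignee-object-id>`, `<role-name-or-id>`). Either switch to a placeholder such as `<scope>`, or add a sentence stating where `$ARM_ID` is set and which resource it identifies. The same list item links **Role Based Access Control Administrator** under the privileged built-in roles and ties it to **Microsoft.Authorization/roleAssignments/write**, so the text should also name the scope at which to assign it, so that readers do not grant it more broadly than cluster creation requires.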