OSDOCS#5126: Using an Azure managed identity as an alternative to a service principal

Author: mjpytlak

installing/installing_azure/installing-azure-account.adoc

@@ -6,8 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Before you can install {product-title}, you must configure a Microsoft Azure
-account.
+Before you can install {product-title}, you must configure a Microsoft Azure account to meet installation requirements.
 
 [IMPORTANT]
 ====
@@ -29,11 +28,13 @@ include::modules/installation-azure-network-config.adoc[leveloffset=+1]
 
 include::modules/installation-azure-increasing-limits.adoc[leveloffset=+1]
 
-include::modules/installation-azure-permissions.adoc[leveloffset=+1]
+include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+1]
 
-include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+1]
+include::modules/installation-azure-identities.adoc[leveloffset=+1]
 
-include::modules/installation-azure-service-principal.adoc[leveloffset=+1]
+include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+2]
+include::modules/installation-using-azure-managed-identities.adoc[leveloffset=+2]
+include::modules/installation-creating-azure-service-principal.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources

installing/installing_azure/installing-azure-user-infra.adoc

@@ -57,9 +57,15 @@ include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2]
 
 include::modules/csr-management.adoc[leveloffset=+2]
 
-include::modules/installation-azure-permissions.adoc[leveloffset=+2]
+include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+2]
+
+include::modules/installation-azure-identities.adoc[leveloffset=+2]
+
 include::modules/minimum-required-permissions-upi-azure.adoc[leveloffset=+2]
-include::modules/installation-azure-service-principal.adoc[leveloffset=+2]
+
+include::modules/installation-using-azure-managed-identities.adoc[leveloffset=+2]
+
+include::modules/installation-creating-azure-service-principal.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources

modules/installation-azure-identities.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_azure/installing-azure-account.adoc
+
+:_content-type: CONCEPT
+[id="installation-azure-identities_{context}"]
+= Supported identities to access Azure resources
+
+An {product-title} cluster requires an Azure identity to create and manage Azure resources. As such, you need one of the following types of identities to complete the installation:
+
+* A service principal
+* A system-assigned managed identity
+* A user-assigned managed identity

modules/installation-azure-subscription-tenant-id.adoc

@@ -0,0 +1,121 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_azure/installing-azure-account.adoc
+
+:_content-type: PROCEDURE
+[id="installation-azure-subscription-tenant-id_{context}"]
+= Recording the subscription and tenant IDs
+
+The installation program requires the subscription and tenant IDs that are associated with your Azure account. You can use the Azure CLI to gather this information.
+
+.Prerequisites
+
+* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[Azure CLI].
+
+.Procedure
+
+. Log in to the Azure CLI by running the following command:
++
+[source,terminal]
+----
+$ az login
+----
+
+. Ensure that you are using the right subscription:
+
+.. View a list of available subscriptions by running the following command:
++
+[source,terminal]
+----
+$ az account list --refresh
+----
++
+.Example output
+[source,terminal]
+----
+[
+  {
+    "cloudName": "AzureCloud",
+    "id": "8xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "isDefault": true,
+    "name": "Subscription Name 1",
+    "state": "Enabled",
+    "tenantId": "6xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "user": {
+      "name": "[email protected]",
+      "type": "user"
+    }
+  },
+  {
+    "cloudName": "AzureCloud",
+    "id": "9xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "isDefault": false,
+    "name": "Subscription Name 2",
+    "state": "Enabled",
+    "tenantId": "7xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "user": {
+      "name": "[email protected]",
+      "type": "user"
+    }
+  }
+]
+----
+
+.. View the details of the active account, and confirm that this is the subscription you want to use, by running the following command:
++
+[source,terminal]
+----
+$ az account show
+----
++
+.Example output
+[source,terminal]
+----
+{
+  "environmentName": "AzureCloud",
+  "id": "8xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "isDefault": true,
+  "name": "Subscription Name 1",
+  "state": "Enabled",
+  "tenantId": "6xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "user": {
+    "name": "[email protected]",
+    "type": "user"
+  }
+}
+----
+
+. If you are not using the right subscription:
+
+.. Change the active subscription by running the following command:
++
+[source,terminal]
+----
+$ az account set -s <subscription_id>
+----
+
+.. Verify that you are using the subscription you need by running the following command:
++
+[source,terminal]
+----
+$ az account show
+----
++
+.Example output
+[source,terminal]
+----
+{
+  "environmentName": "AzureCloud",
+  "id": "9xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "isDefault": true,
+  "name": "Subscription Name 2",
+  "state": "Enabled",
+  "tenantId": "7xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "user": {
+    "name": "[email protected]",
+    "type": "user"
+  }
+}
+----
+
+. Record the `id` and `tenantId` parameter values from the output. You require these values to install an {product-title} cluster.

modules/installation-creating-azure-service-principal.adoc

@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_azure/installing-azure-account.adoc
+
+:_content-type: PROCEDURE
+[id="installation-creating-azure-service-principal_{context}"]
+= Creating a service principal
+
+The installation program requires an Azure identity to complete the installation. You can use a service principal.
+
+If you are unable to use a service principal, you can use a managed identity.
+
+.Prerequisites
+
+* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[Azure CLI].
+* You have an Azure subscription ID.
+* If you are not going to assign the the `Contributor` and `User Administrator Access` roles to the service principal, you have created a custom role with the required Azure permissions.
+
+.Procedure
+
+. Create the service principal for your account by running the following command:
++
+[source,terminal]
+----
+$ az ad sp create-for-rbac --role <role_name> \// <1>
+     --name <service_principal> \// <2>
+     --scopes /subscriptions/<subscription_id> <3>
+----
+<1> Defines the role name. You can use the `Contributor` role, or you can specify a custom role which contains the necessary permissions.
+<2> Defines the service principal name.
+<3> Specifies the subscription ID.
++
+.Example output
+[source,terminal]
+----
+Creating 'Contributor' role assignment under scope '/subscriptions/<subscription_id>'
+The output includes credentials that you must protect. Be sure that you do not
+include these credentials in your code or check the credentials into your source
+control. For more information, see https://aka.ms/azadsp-cli
+{
+  "appId": "axxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "displayName": <service_principal>",
+  "password": "00000000-0000-0000-0000-000000000000",
+  "tenantId": "8xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+----
+
+. Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster.
+
+. If you applied the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command:
++
+[source,terminal]
+----
+$ az role assignment create --role "User Access Administrator" \
+  --assignee-object-id $(az ad sp show --id <appId> --query id -o tsv) <1>
+----
+<1> Specify the `appId` parameter value for your service principal.

modules/installation-initializing.adoc

@@ -210,30 +210,40 @@ endif::nutanix[]
 
 .Prerequisites
 
-* Obtain the {product-title} installation program and the pull secret for your cluster.
+* You have the {product-title} installation program and the pull secret for your cluster.
 ifdef::restricted[]
 For a restricted network installation, these files are on your mirror host.
 ifndef::nutanix[]
-* Have the `imageContentSources` values that were generated during mirror registry creation.
+* You have the `imageContentSources` values that were generated during mirror registry creation.
 endif::nutanix[]
 ifdef::nutanix+restricted[]
-* Have the `imageContentSourcePolicy.yaml` file that was created when you mirrored your registry.
-* Have the location of the {op-system-first} image you download.
+* You have the `imageContentSourcePolicy.yaml` file that was created when you mirrored your registry.
+* You have the location of the {op-system-first} image you download.
 endif::nutanix+restricted[]
-* Obtain the contents of the certificate for your mirror registry.
+* You have obtained the contents of the certificate for your mirror registry.
 ifndef::aws,gcp[]
-* Retrieve a {op-system-first} image and upload it to an accessible location.
+* You have retrieved a {op-system-first} image and uploaded it to an accessible location.
 endif::aws,gcp[]
 endif::restricted[]
-ifndef::nutanix[]
-* Obtain service principal permissions at the subscription level.
-endif::nutanix[]
+ifdef::azure[]
+* You have an Azure subscription ID and tenant ID.
+* If you are installing the cluster using a service principal, you have its application ID and password.
+* If you are installing the cluster using a system-assigned managed identity, you have enabled it on the virtual machine that you will run the installation program from.
+* If you are installing the cluster using a user-assigned managed identity, you have met these prerequisites:
+** You have its client ID.
+** You have assigned it to the virtual machine that you will run the installation program from.
+endif::azure[]
 ifdef::nutanix[]
-* Verify that you have met the Nutanix networking requirements. For more information, see "Preparing to install on Nutanix".
+* You have verified that you have met the Nutanix networking requirements. For more information, see "Preparing to install on Nutanix".
 endif::nutanix[]
 
 .Procedure
 
+ifdef::azure[]
+. Optional: If you have run the installation program on this computer before, and want to use an alternative service principal or managed identity, go to the `~/.azure/` directory and delete the `osServicePrincipal.json` configuration file.
++
+Deleting this file prevents the installation program from automatically reusing subscription and authentication values from a previous installation.
+endif::azure[]
 . Create the `install-config.yaml` file.
 +
 .. Change to the directory that contains the installation program and run the following command:
@@ -248,7 +258,13 @@ files that the installation program creates.
 When specifying the directory:
 * Verify that the directory has the `execute` permission. This permission is required to run Terraform binaries under the installation directory.
 * Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier {product-title} version.
-
+.. At the prompts, provide the configuration details for your cloud:
+... Optional: Select an SSH key to use to access your cluster machines.
++
+[NOTE]
+====
+For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
+====
 ifdef::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
 ... Select *alibabacloud* as the platform to target.
 ... Select the region to deploy the cluster to.
@@ -265,16 +281,19 @@ installation program.
 endif::aws[]
 ifdef::azure[]
 ... Select *azure* as the platform to target.
-... If you do not have a Microsoft Azure profile stored on your computer, specify the
-following Azure parameter values for your subscription and service principal:
-**** *azure subscription id*: The subscription ID to use for the cluster.
-Specify the `id` value in your account output.
-**** *azure tenant id*: The tenant ID. Specify the `tenantId` value in your
-account output.
-**** *azure service principal client id*: The value of the `appId` parameter
-for the service principal.
-**** *azure service principal client secret*: The value of the `password`
-parameter for the service principal.
++
+If the installation program cannot locate the `osServicePrincipal.json` configuration file from a previous installation, you are prompted for Azure subscription and authentication values.
+... Enter the following Azure parameter values for your subscription:
+**** *azure subscription id*: Enter the subscription ID to use for the cluster.
+**** *azure tenant id*: Enter the tenant ID.
+... Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the *azure service principal client id*:
+**** If you are using a service principal, enter its application ID.
+**** If you are using a system-assigned managed identity, leave this value blank.
+**** If you are using a user-assigned managed identity, specify its client ID.
+... Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the *azure service principal client secret*:
+**** If you are using a service principal, enter its password.
+**** If you are using a system-assigned managed identity, leave this value blank.
+**** If you are using a user-assigned managed identity, leave this value blank.
 ... Select the region to deploy the cluster to.
 ... Select the base domain to deploy the cluster to. The base domain corresponds
 to the Azure DNS Zone that you created for your cluster.
@@ -558,6 +577,10 @@ The `install-config.yaml` file is consumed during the installation process. If
 you want to reuse the file, you must back it up now.
 ====
 
+ifdef::azure[]
+If previously not detected, the installation program creates an `osServicePrincipal.json` configuration file and stores this file in the `~/.azure/` directory on your computer. This ensures that the installation program can load the profile when it is creating an {product-title} cluster on the target platform.
+endif::azure[]
+
 ifdef::osp-user[You now have the file `install-config.yaml` in the directory that you specified.]
 
 ifeval::["{context}" == "installing-alibaba-default"]