You can use an Azure AD Service Principal to give Azure CycleCloud permission to manage clusters in your subscription. This approach serves as an alternative to using a Managed Identity.
We generally recommend using either a System-Assigned or User-Assigned Managed Identity to grant these permissions instead of a Service Principal.
Create a service principal
Azure CycleCloud needs a service principal with rights to manage your Azure subscription. If you don't have a service principal, you can create one with the Azure CLI as shown in the following example.
Note
Your service principal name must be unique. In the following example, CycleCloudApp should be replaced with a unique name. If you run the command with an existing name, it replaces and invalidates the existing service principal.
```bash
az ad sp create-for-rbac --name CycleCloudApp --years 1
```
The command prints a JSON object. Save the appId, password, and tenant values; the password is shown only this once and cannot be retrieved later, so store it in a secret store rather than in shell history or a plain-text file:
```json
{
  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "displayName": "CycleCloudApp",
  "name": "http://CycleCloudApp",
  "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
```
Permissions
The simplest option with sufficient access rights is to assign the Contributor role on the subscription to the new CycleCloud service principal. However, Contributor grants considerably more than CycleCloud requires. Instead, create a custom role with only the permissions CycleCloud needs and assign it to the service principal. Note that recent versions of the Azure CLI create no role assignment at all unless you pass both `--role` and `--scopes` to `az ad sp create-for-rbac`; older versions assigned Contributor on the whole subscription by default, so check which assignment the command actually created.
The Managed Identity Guide has details on creating an appropriate lower-privilege custom Azure role, which applies equally to a Service Principal.
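The following script is an added example (it is not part of the CycleCloud documentation or the Azure CLI) that ties the two steps above together: it creates the service principal with an explicit role and scope rather than relying on the CLI default, and it pulls the appId, tenant, and password out of the JSON output into shell variables so the secret is never echoed to the terminal. The custom role name `CycleCloud`, the subscription and resource group values, and the `--years 1` lifetime are assumptions; substitute the role you defined from the Managed Identity Guide.

```bash
#!/bin/sh
# Added example, not from the CycleCloud docs. Creates the CycleCloud service
# principal with an explicit least-privilege role assignment and captures the
# credential fields from `az ad sp create-for-rbac` without printing the secret.
set -eu

# Extract a top-level string field ("appId", "tenant", "password") from the
# JSON that create-for-rbac prints. Plain sed, so nothing beyond the Azure CLI
# is required; works on both single-line and pretty-printed output.
sp_field() {
  field=$1
  sed -n "s/.*\"$field\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Build the role-assignment scope. A resource group scope is narrower than the
# whole subscription; pass an empty RG to scope to the subscription instead.
sp_scope() {
  sub=$1
  rg=${2:-}
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Create the service principal. ROLE defaults to "CycleCloud", an assumed name
# for the custom lower-privilege role from the Managed Identity Guide; pass
# Contributor only if you accept its broader rights.
create_cyclecloud_sp() {
  name=$1
  sub=$2
  role=${3:-CycleCloud}
  rg=${4:-}
  scope=$(sp_scope "$sub" "$rg")
  # --role and --scopes are given explicitly: current CLI versions create no
  # role assignment without them, older ones assigned subscription Contributor.
  out=$(az ad sp create-for-rbac --name "$name" --role "$role" \
          --scopes "$scope" --years 1 --output json)
  APP_ID=$(printf '%s' "$out" | sp_field appId)
  TENANT_ID=$(printf '%s' "$out" | sp_field tenant)
  SP_PASSWORD=$(printf '%s' "$out" | sp_field password)
  # Only the non-secret identifiers are printed; SP_PASSWORD stays in the
  # caller's environment to be handed to CycleCloud via a secret store.
  printf 'appId=%s tenant=%s\n' "$APP_ID" "$TENANT_ID"
}

# Usage (run interactively after `az login`):
#   . ./create_sp.sh
#   create_cyclecloud_sp CycleCloudApp "$SUBSCRIPTION_ID" CycleCloud my-cyclecloud-rg
#   # then pass "$APP_ID", "$TENANT_ID" and "$SP_PASSWORD" to CycleCloud
```

Source the file and call `create_cyclecloud_sp` rather than executing it, so the three variables remain in your shell and can be fed to CycleCloud's subscription setup (or a secret store) without ever appearing in the output or in a log.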
To use a Service Principal to give permissions to CycleCloud, ensure that you select the App Registration option when you add the subscription in CycleCloud.