Journey into Kubernetes - Azure: Service Principal


2 min read

In the previous article we covered the basics of Azure CLI. Now, let's use the CLI to create some objects in Azure.

To provision a Kubernetes (K8s) cluster and hook it up to the Azure Container Registry (ACR), we need to create a new Service Principal (SP). When using the CLI, we use our Azure account, but for applications to be able to do anything, they need their own identity. That's where the SP comes in.

The following command will create a new SP in your Azure's Active Directory under Applications:

az ad sp create-for-rbac -n KubernetesSP --years 5 --skip-assignment

The --skip-assignment flag is important. Usually, SPs are created with permissions to everything in the subscription. However, we don't need our SP to do anything other than access the ACR. We can manually add this permission in the next few steps. Not adding all the permissions secures the SP from being misused in case of there being a security breach in the cluster. Not that I've ever heard of that happening... but you know, POLP.

You'll get a result JSON which contains two important fields, appId and password. Copy these somewhere because we'll use them shortly.

  "appId": "some guid here",
  "password": "some string here",

Once created, we can let the new SP access ACR. First we must get the ACR Id:

az acr show -n CoolContainerRegistry --query id -o tsv

See how we used both the --query and -o (--output) flags here to narrow down what we're looking for? Handy! Okay, but we need to use this, so let's store it in a variable. Assuming you're using Powershell, you can just do this:

$acrId = az acr show -n CoolContainerRegistry --query id -o tsv

Now, we want to add the Reader role to the SP. In the following command we'll create a Role assignment (Reader) for an assignee (Service Principal) with the scope (Container Registry). We're saying, "SP can Read the Container Registry". This is a bit of a loaded command, but I hope I explained it well.

az role assignment create --assignee <appIdOfServicePrincipal> --role Reader --scope $acrId

Replace <appIdOfServicePrincipal> with the Id of the SP.

You now have a SP which can access the ACR! In the next article we'll finally get started with creating the K8s cluster. We'll use this SP, so keep the appId and password handy.


Did you find this article valuable?

Support Paul K by becoming a sponsor. Any amount is appreciated!