Creating and Assigning IAM Roles

This topic provides instructions for creating the Identity and Access Management (IAM) roles that are needed to supply the necessary permissions for creating and managing the AKS cluster and using the cluster to deploy applications.

AKS is typically configured to use Azure Active Directory (AD) for user authentication. AKS integration with Azure AD is optional but highly recommended. For more information, see Azure Active Directory Integration in the AKS documentation.

There are two custom roles that need to be created in Azure to grant the necessary permissions to the following two types of AKS users:

  1. The first type of user is the user who sets up the K8s infrastructure, i.e., the user who configures, creates, and maintains the AKS cluster and node pools. This role is called the AKS Cluster Admin.
  2. The second type of user is the user who connects to the AKS cluster and deploys the dynamic Anzo applications. Typically this user is Anzo itself. Since Anzo communicates with the K8s services that provision the applications, the Anzo service principal needs to be granted certain privileges. This role is called the AKS Cluster Developer.

    The enterprise-level Anzo service principal is a requirement for the Anzo installation and is typically in place before Anzo is installed. For more information, see Platform Service User Account Requirements.

This topic provides instructions for creating the two roles and gives guidance on assigning the roles to the appropriate users, groups, or service principals.

Create and Assign the AKS Cluster Admin Role

The following IAM role applies the minimum permissions needed for an AKS Cluster Admin who will create and manage the AKS cluster and node pools. Follow the instructions below to create the role and assign it to the user, group, or service principal that will be used when creating the K8s infrastructure.

The az file package on the workstation includes the configuration file that defines the AKS Cluster Admin role: az/permissions/aks_admin_role.json.

  1. Open the az/permissions/aks_admin_role.json file for editing. At the bottom of the file, in AssignableScopes, replace <subscription_id> with the ID of the subscription in which the new AKS Cluster Admin role may be assigned. Then save and close the file. The contents of aks_admin_role.json are shown below:
    {
      "Name": "AKS Cluster Admin",
      "IsCustom": true,
      "Description": "AKS cluster admin role.",
      "Actions": [
          "Microsoft.Resources/subscriptions/resourcegroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/write",
          "Microsoft.Resources/subscriptions/resourcegroups/delete",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/subnets/delete",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/publicIPPrefixes/read",
          "Microsoft.Network/publicIPPrefixes/write",
          "Microsoft.Network/publicIPPrefixes/delete",
          "Microsoft.Network/publicIPPrefixes/join/action",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Resources/deployments/write",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/write",
          "Microsoft.ContainerService/managedClusters/delete",
          "Microsoft.ContainerService/managedClusters/agentPools/read",
          "Microsoft.ContainerService/managedClusters/agentPools/write",
          "Microsoft.ContainerService/managedClusters/agentPools/delete",
          "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationsManagement/solutions/write",
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.OperationalInsights/workspaces/sharedkeys/read",
          "Microsoft.ContainerRegistry/registries/read"
      ],
      "NotActions": [
    
      ],
      "AssignableScopes": [
        "/subscriptions/<subscription_id>"
      ]
    }
  2. Next, run the following Azure CLI command to create a custom role definition based on aks_admin_role.json (the path must point at the file you just edited). For information about managing role definitions, see az role definition in the Azure CLI documentation.
    az role definition create --role-definition az/permissions/aks_admin_role.json
  3. Once the role is defined in Azure, run the following command to assign the role to the user, group, or service principal who will create and manage the AKS cluster, setting --scope explicitly. Note that the role includes Microsoft.Authorization/roleAssignments/write, which lets the holder grant any role, including built-in ones such as Owner, at the assigned scope; assign it only to the identities that actually build the cluster, and if the resource group for the cluster already exists, assign the role on that resource group rather than on the whole subscription to contain that permission. For information about managing role assignments, see az role assignment in the Azure CLI documentation.
    az role assignment create --assignee "<user_group_or_sp_name_or_id>" --role "<role_name_or_id>" --scope "/subscriptions/<subscription_id>"

Create and Assign the AKS Cluster Developer Role

The following IAM role applies the minimum permissions needed for the AKS Cluster Developer role: the single action that lets the principal fetch a user kubeconfig for the cluster. What that kubeconfig can do inside the cluster is governed by Kubernetes RBAC when Azure AD integration is enabled; without it, the returned credential is a shared client certificate that is not tied to an individual identity, which is one reason the Azure AD integration is recommended above. Follow the instructions below to create the role and assign it to the Anzo service principal.

The az file package on the workstation includes the configuration file that defines the AKS Cluster Developer role: az/permissions/cluster_developer_role.json.

  1. Open the az/permissions/cluster_developer_role.json file for editing. At the bottom of the file, in AssignableScopes, replace <subscription_id> with the ID of the subscription in which the new AKS Cluster Developer role may be assigned. Then save and close the file. The contents of cluster_developer_role.json are shown below:
    {
      "Name": "AKS Cluster Developer",
      "IsCustom": true,
      "Description": "AKS cluster developer role.",
      "Actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "NotActions": [
    
      ],
      "AssignableScopes": [
        "/subscriptions/<subscription_id>"
      ]
    }
  2. Next, run the following Azure CLI command to create a custom role definition based on cluster_developer_role.json.
    az role definition create --role-definition cluster_developer_role.json

    For more information about managing role definitions in Azure, see az role definition in the Azure CLI documentation.

  3. Once the role is defined in Azure, run the following command to assign the role to the Anzo service principal. Pass the service principal by its object ID with --assignee-object-id and --assignee-principal-type ServicePrincipal rather than by display name: this avoids a directory lookup that can fail when the caller cannot read the directory or resolve to the wrong principal when names collide. Set --scope to the subscription or, once it exists, to the resource group that holds the cluster.
    az role assignment create --assignee-object-id "<anzo_sp_object_id>" --assignee-principal-type ServicePrincipal --role "<role_name_or_id>" --scope "/subscriptions/<subscription_id>"

    For more information about managing role assignments in Azure, see az role assignment in the Azure CLI documentation.
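Both procedures above follow the same shape: fill in the subscription ID, create the role definition, then assign it at an explicit scope. The script below is an added example, not part of the Anzo documentation or the az file package, that does the pre-flight part of that work for either role offline: it substitutes <subscription_id> into the raw file text and refuses to proceed if any placeholder is left, lints the definition (custom flag, non-empty actions, no wildcard actions, well-formed AssignableScopes), flags the Cluster Admin actions that grant escalation paths or hand out credentials, and renders the az commands with --scope set and the Anzo service principal passed by object ID. The embedded role definitions are constructed stand-ins for aks_admin_role.json (abbreviated) and cluster_developer_role.json; the subscription ID and service principal object ID are constructed values, and the file paths and assignee names are assumptions.

```python
"""Fill, lint and render the AKS custom role definitions before the Azure CLI sees them.
Added example, not part of the Anzo documentation or the az file package. It assumes
the two JSON files described on this page and an operator-supplied subscription ID;
the embedded definitions are constructed stand-ins (admin abbreviated) so it runs offline."""
import json
import re
import shlex

EXAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # constructed, not a real subscription

# Constructed stand-in for az/permissions/cluster_developer_role.json.
CONSTRUCTED_DEVELOPER_ROLE = """{
  "Name": "AKS Cluster Developer", "IsCustom": true, "Description": "AKS cluster developer role.",
  "Actions": ["Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
  "NotActions": [], "AssignableScopes": ["/subscriptions/<subscription_id>"]
}"""

# Constructed, abbreviated stand-in for az/permissions/aks_admin_role.json.
CONSTRUCTED_ADMIN_ROLE = """{
  "Name": "AKS Cluster Admin", "IsCustom": true, "Description": "AKS cluster admin role.",
  "Actions": ["Microsoft.ContainerService/managedClusters/write",
              "Microsoft.Authorization/roleAssignments/write",
              "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"],
  "NotActions": [], "AssignableScopes": ["/subscriptions/<subscription_id>"]
}"""

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
PLACEHOLDER_RE = re.compile(r"<[A-Za-z_]+>")
SCOPE_RE = re.compile(r"/subscriptions/" + GUID_RE.pattern + r"(/resourceGroups/[^/]+)?")

# Cluster Admin actions worth a second look before assigning: they let the holder
# grant roles to others, fetch the cluster-admin kubeconfig or read workspace keys.
SENSITIVE_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.OperationalInsights/workspaces/sharedkeys/read",
}


def fill_subscription(role_json, subscription_id):
    """Replace <subscription_id> in the raw file text and parse the result."""
    if not GUID_RE.fullmatch(subscription_id):
        raise ValueError("subscription ID must be a GUID: %r" % subscription_id)
    filled = role_json.replace("<subscription_id>", subscription_id)
    leftover = PLACEHOLDER_RE.search(filled)
    if leftover:
        raise ValueError("unfilled placeholder: " + leftover.group(0))
    return json.loads(filled)


def lint_role(role):
    """Findings that should block 'az role definition create'; empty means clean."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true")
    if not role.get("Actions"):
        findings.append("Actions is empty")
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append("wildcard widens the role past the documented minimum: " + action)
    for scope in role.get("AssignableScopes", []):
        if not SCOPE_RE.fullmatch(scope):
            findings.append("unexpected AssignableScopes entry: " + scope)
    return findings


def sensitive_actions(role):
    """Actions in the role that open escalation paths or hand out credentials."""
    return sorted(set(role.get("Actions", [])) & SENSITIVE_ACTIONS)


def az_commands(role, definition_path, assignee, scope, principal_type="User"):
    """Render the two CLI calls from the page with an explicit --scope. A service
    principal is passed by object ID plus principal type so the CLI never resolves
    a display name (which can match the wrong principal or need directory reads)."""
    create = ["az", "role", "definition", "create", "--role-definition", definition_path]
    assign = ["az", "role", "assignment", "create", "--role", role["Name"], "--scope", scope]
    if principal_type == "ServicePrincipal":
        assign += ["--assignee-object-id", assignee, "--assignee-principal-type", "ServicePrincipal"]
    else:
        assign += ["--assignee", assignee]
    return [shlex.join(create), shlex.join(assign)]


def main():
    scope = "/subscriptions/" + EXAMPLE_SUBSCRIPTION
    jobs = ((CONSTRUCTED_ADMIN_ROLE, "az/permissions/aks_admin_role.json", "cluster-admin@example.com", "User"),
            (CONSTRUCTED_DEVELOPER_ROLE, "az/permissions/cluster_developer_role.json",
             "22222222-2222-2222-2222-222222222222", "ServicePrincipal"))  # constructed Anzo SP object ID
    for raw, path, assignee, ptype in jobs:
        role = fill_subscription(raw, EXAMPLE_SUBSCRIPTION)
        problems = lint_role(role)
        if problems:
            print("NOT creating %s: %s" % (role["Name"], "; ".join(problems)))
            continue
        for action in sensitive_actions(role):
            print("review before assigning %s: %s" % (role["Name"], action))
        for cmd in az_commands(role, path, assignee, scope, ptype):
            print(cmd)


if __name__ == "__main__":
    main()
```

Point fill_subscription at the real file contents (open the JSON from the az file package and pass the text in) and feed the printed commands to the shell once the review lines look right; nothing in the script talks to Azure, so it is safe to run before any credentials are in play.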

Once the IAM roles are in place and users are granted access, proceed to Creating the AKS Cluster for instructions on configuring and creating the cluster.