Create the managed identity used to create the cluster

To create the managed identity that the Secure Agent uses to create an elastic cluster, complete the following tasks:
  1. Create a managed identity.
  2. Optionally, create a cluster resource group.
  3. Create an agent role for the managed identity.
  4. Integrate the managed identity, agent role, and Secure Agent.
For more information about the managed identity, see Security principals.

Step 1. Create a managed identity

In Azure, create a managed identity that the Secure Agent can use to log in to Azure and to create an elastic cluster on Microsoft Azure.
For more information about the managed identity, see Security principals.

Step 2. Create a cluster resource group

Optionally, create a cluster resource group to limit the Secure Agent's scope on your Azure account.
In Azure, create a cluster resource group that holds the following resources:

Step 3. Create an agent role for the managed identity

Create an agent role that contains a minimal set of permissions for the managed identity that the Secure Agent uses to create the cluster.
In Azure, create a custom role with the following set of permissions:
{
  "properties": {
    "roleName": "Agent Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription ID>/resourceGroups/<cluster resource group>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourcegroups/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/listKeys/action",
          "Microsoft.Compute/virtualMachineScaleSets/delete",
          "Microsoft.Compute/virtualMachineScaleSets/write",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Network/loadBalancers/delete",
          "Microsoft.Network/loadBalancers/write",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
          "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Authorization/roleDefinitions/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Specify the cluster resource group that you created as the scope. If you did not create a resource group, limit the scope to the subscription.
The following list gives more information about the actions associated with the permissions. Each group of actions is followed by its description.

Microsoft.Resources/subscriptions/resourcegroups/read
    Required. Checks if the cluster resource group exists.

Microsoft.Resources/subscriptions/resourcegroups/write
Microsoft.Resources/subscriptions/resourcegroups/delete
    Only required when the cluster resource group is not specified in the elastic configuration. If the cluster resource group is not specified in the elastic configuration, the Secure Agent creates a new resource group in the subscription, named <cluster-instance-id>-rg.

Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/listKeys/action
    Required. Lists storage account keys and performs Blob operations. These actions assume that the staging storage account is within the cluster resource group.

Microsoft.Compute/virtualMachineScaleSets/delete
Microsoft.Compute/virtualMachineScaleSets/write
Microsoft.Compute/virtualMachineScaleSets/read
    Required. Discovers and manages the virtual machine scale sets (VMSS) for master and worker nodes.

Microsoft.Network/loadBalancers/delete
Microsoft.Network/loadBalancers/write
Microsoft.Network/loadBalancers/read
    Required. Discovers and manages the load balancer used for the API server endpoint.

Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/read
    Required. Discovers and manages the network security groups created for master and worker nodes. If the network security group (NSG) is attached to a subnet, these permissions override the rules specified in the subnet.

Microsoft.Network/virtualNetworks/read
    Required. Discovers the VNet for an elastic cluster.

Microsoft.Network/virtualNetworks/delete
Microsoft.Network/virtualNetworks/write
    Required when a VNet is not specified in the cluster asset.

Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/join/action
    Required. Discovers and manages the public IP address associated with the cluster endpoint. The join action is required so that the load balancer can use this public IP address.

Microsoft.Network/virtualNetworks/subnets/join/action
    Required. Allows master and worker nodes to join a specific subnet. This permission is required for any form of VNet setting.

Microsoft.Network/networkSecurityGroups/join/action
    Required. Allows the master and worker nodes to attach a pre-created network security group (NSG).

Microsoft.Network/loadBalancers/backendAddressPools/join/action
    Required. Allows the master and worker nodes to be added to the cluster endpoint. Master nodes are added to the cluster endpoint during cluster provisioning.

Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read
Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
    Required. Used by the Secure Agent to get the IP addresses assigned to the master and worker nodes. The Secure Agent uses these permissions to connect to master nodes over SSH and download the kubeconfig file for a given cluster.

Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/instanceView/read
    Required. Checks the master and worker node status.

Microsoft.Compute/virtualMachineScaleSets/manualupgrade/action
    Required when you use the initialization script. Also required to manually update the master and worker nodes to apply a script extension.

Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleDefinitions/read
    Required. Validates the elastic configuration.

Using the subscription as the scope

If you limit the scope of the agent role to the subscription and you do not create a cluster resource group, add the following actions:
Microsoft.Resources/subscriptions/resourcegroups/write
Microsoft.Resources/subscriptions/resourcegroups/delete

Using your own VNet

If you use your own VNet to host the cluster and either the VNet is part of the cluster resource group or the agent role applies to the subscription, add the following actions:
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
If the cluster resource group is different from the resource group that holds the VNet and the scope of the agent role applies to the cluster resource group, create a separate VNet role that contains the following set of permissions:
{
  "properties": {
    "roleName": "VNet Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription ID>/resourceGroups/<VNet resource group>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
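A pre-submission check for a role definition like the ones above, added here as an example and not Informatica's or Azure's code: it confirms the assignable scope matches the deployment layout (the cluster resource group, or the subscription when no cluster resource group exists), rejects wildcard actions, and reports which of the conditional actions this page requires for the no-resource-group, own-VNet and initialization-script options are missing. The function name check_role, the option names and the SAMPLE JSON are constructed for the example.

```python
"""Check an agent-role definition against this page's scoping rules.
Added example (not Informatica's or Azure's code); SAMPLE is constructed."""
import json
import re

# Some of the actions the page marks as required for every deployment.
BASELINE = {
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Authorization/roleAssignments/read",
}
# Actions the page requires only for a given deployment option.
CONDITIONAL = {
    "no_cluster_rg": {"Microsoft.Resources/subscriptions/resourcegroups/write",
                      "Microsoft.Resources/subscriptions/resourcegroups/delete"},
    "own_vnet": {"Microsoft.Network/virtualNetworks/subnets/read",
                 "Microsoft.Network/virtualNetworks/subnets/write"},
    "init_script": {"Microsoft.Compute/virtualMachineScaleSets/manualupgrade/action"},
}
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")
SUB_SCOPE = re.compile(r"^/subscriptions/[^/]+$")

def check_role(role_json, **options):
    """Return findings (empty list = compliant). options: no_cluster_rg, own_vnet, init_script."""
    props = json.loads(role_json)["properties"]
    findings = []
    # Scope is the cluster resource group, or the subscription only when there is none.
    want = SUB_SCOPE if options.get("no_cluster_rg") else RG_SCOPE
    if not all(want.match(s) for s in props["assignableScopes"]):
        findings.append("assignableScopes is not limited to the expected scope")
    actions = {a for perm in props["permissions"] for a in perm["actions"]}
    wildcards = sorted(a for a in actions if "*" in a)
    if wildcards:
        findings.append("wildcard actions defeat least privilege: " + ", ".join(wildcards))
    missing = BASELINE - actions
    for option, needed in CONDITIONAL.items():
        if options.get(option):
            missing |= needed - actions
    if missing:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    return findings

# Constructed minimal definition that uses the placeholders from the page.
SAMPLE = json.dumps({"properties": {
    "roleName": "Agent Role",
    "assignableScopes": ["/subscriptions/<subscription ID>/resourceGroups/<cluster resource group>"],
    "permissions": [{"actions": sorted(BASELINE), "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}})
```

Run check_role on the JSON you are about to submit with the options that describe your deployment; an empty result means the scope and action set follow the rules on this page.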

Step 4. Integrate the managed identity, agent role, and Secure Agent

Integrate the managed identity, agent role, and Secure Agent so that the Secure Agent can use the permissions in the agent role to log in to Azure and to create an elastic cluster.
In Azure, complete the following tasks:
  1. Assign the agent role to the managed identity.
  2. If you created a VNet role, assign the VNet role to the managed identity.
  3. Assign the managed identity to the Secure Agent machine.