
Create the service principal for cluster operations

To create the service principal that the elastic cluster uses to perform cluster operations, complete the following tasks:
  1. Create a service principal.
  2. Create a cluster role for the service principal.
  3. Integrate the service principal, cluster role, and managed identity.
For more information about the service principal, see Security principals.

Step 1. Create a service principal

In Azure, create a service principal that you will specify in an elastic configuration. Store the service principal credentials in a key vault.

Step 2. Create a cluster role for the service principal

Create a cluster role that contains a minimal set of permissions for the service principal to perform cluster operations.
In Azure, create a custom role with the following set of permissions:
{
  "properties": {
    "roleName": "Cluster Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription ID>/resourceGroups/<cluster resource group>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Compute/virtualMachineScaleSets/delete/action",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/write",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Specify the cluster resource group that you created as the scope. If you did not create a resource group, limit the scope to the subscription.
The following table describes the actions in the role and when each one is needed:

Actions:
  Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
  Microsoft.Compute/virtualMachineScaleSets/write
  Microsoft.Network/virtualNetworks/subnets/join/action
  Microsoft.Network/loadBalancers/backendAddressPools/join/action
  Microsoft.Network/networkSecurityGroups/join/action
Description:
  Required. Used by the Secure Agent to discover cluster resources.

Actions:
  Microsoft.Compute/virtualMachineScaleSets/read
  Microsoft.Compute/virtualMachines/instanceView/read
  Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
  Microsoft.Compute/virtualMachineScaleSets/instanceView/read
Description:
  Required. Used by the Secure Agent to discover master and worker nodes running in Azure.

Actions:
  Microsoft.Network/virtualNetworks/subnets/join/action
  Microsoft.Compute/virtualMachineScaleSets/write
  Microsoft.Network/networkSecurityGroups/join/action
Description:
  Required when the cluster auto-scales to add a worker node to the cluster.

Actions:
  Microsoft.Compute/disks/write
  Microsoft.Compute/disks/read
  Microsoft.Compute/disks/delete
Description:
  Required when storage auto-scales. These permissions manage disks on Azure.

Actions:
  Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
Description:
  Required when the storage and cluster auto-scale. This permission attaches Azure disks to worker nodes.

Actions:
  Microsoft.Network/virtualNetworks/subnets/join/action
Description:
  Required when the storage and cluster auto-scale.

Actions:
  Microsoft.Network/networkSecurityGroups/join/action
Description:
  Required when the storage and cluster auto-scale. The Secure Agent uses this permission to update the metadata attached to master and worker nodes.

Step 3. Integrate the service principal, cluster role, and managed identity

Integrate the service principal, cluster role, and managed identity so that the elastic cluster can use the service principal to perform cluster operations.
In Azure, complete the following tasks:
  1. Assign the cluster role to the service principal.
  2. If you created a VNet role, assign the VNet role to the service principal.
  3. Generate a new secret to store the authentication key for the service principal.
  4. Add an access policy to the key vault. In the access policy, allow the managed identity that is assigned to the Secure Agent machine to have permissions to the secret.
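The three steps above carried through as one Azure CLI script, added here as an example; it is not Informatica's tooling and not part of the original documentation. The role is created with the page's action list and is assignable only at the cluster resource group (or the subscription when no resource group exists), the new client secret goes into Key Vault through a file rather than a command-line argument, and the Secure Agent's managed identity receives only `get` on secrets, which is the narrowest reading of "permissions to the secret". Every resource name, the `APPLY`/dry-run switch, the `VNET_ROLE_NAME` and `VNET_SCOPE` variables, and the flat role-definition format (the shape `az role definition create` reads; same content as the ARM-style JSON on this page) are assumptions of the example.

```shell
#!/usr/bin/env sh
# Added example (not Informatica's tooling): Steps 1-3 as an Azure CLI script.
# All values below are assumptions or placeholders; override them through the
# environment. Nothing is created unless APPLY=1: by default every az command
# is only printed, so the plan can be reviewed first.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription ID>}"
CLUSTER_RG="${CLUSTER_RG:-<cluster resource group>}"     # empty -> subscription scope
SP_NAME="${SP_NAME:-elastic-cluster-sp}"                 # assumed name
KEY_VAULT="${KEY_VAULT:-elastic-agent-kv}"               # assumed name
SECRET_NAME="${SECRET_NAME:-elastic-cluster-sp-secret}"  # assumed name
AGENT_IDENTITY_OBJECT_ID="${AGENT_IDENTITY_OBJECT_ID:-<managed identity object ID>}"
ROLE_NAME="${ROLE_NAME:-Cluster Role}"
VNET_ROLE_NAME="${VNET_ROLE_NAME:-}"                     # set only if you created a VNet role
VNET_SCOPE="${VNET_SCOPE:-}"

# The action list from the documentation's custom role, one action per line.
CLUSTER_ROLE_ACTIONS='
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/delete/action
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
'

# Narrowest scope the page allows: the cluster resource group, or the
# subscription only when no resource group was created.
cluster_scope() {
  if [ -n "$2" ]; then printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
  else printf '/subscriptions/%s' "$1"; fi
}

# Number of actions in the role, so a drifted definition is easy to spot.
count_actions() { printf '%s\n' "$CLUSTER_ROLE_ACTIONS" | grep -c .; }

# Render the role definition in the flat format `az role definition create` reads.
build_role_definition() {
  def_scope=$(cluster_scope "$1" "$2")
  actions=$(printf '%s\n' "$CLUSTER_ROLE_ACTIONS" |
    awk 'NF { printf "%s\"%s\"", (n++ ? "," : ""), $0 }')
  printf '{"Name":"%s","Description":"Elastic cluster operations (least privilege)",' "$ROLE_NAME"
  printf '"AssignableScopes":["%s"],"Actions":[%s],' "$def_scope" "$actions"
  printf '"NotActions":[],"DataActions":[],"NotDataActions":[]}\n'
}

# Execute a command when APPLY=1, otherwise print it.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"
  else printf 'DRY-RUN:'; printf " '%s'" "$@"; echo; fi
}

# Capture a command's output when applying; return a placeholder when planning.
capture() {
  placeholder="$1"; shift
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else run "$@" >&2; printf '%s' "$placeholder"; fi
}

main() {
  umask 077                                   # temp files readable by this user only
  role_file=$(mktemp); secret_file=$(mktemp)
  trap 'rm -f "$role_file" "$secret_file"' EXIT
  scope=$(cluster_scope "$SUBSCRIPTION_ID" "$CLUSTER_RG")

  # Step 1: create the service principal. The listing at the end confirms that
  # only the roles assigned here are attached to it.
  app_id=$(capture '<app ID>' az ad sp create-for-rbac --name "$SP_NAME" --query appId -o tsv)

  # Step 2: create the custom role, assignable only at the cluster scope.
  build_role_definition "$SUBSCRIPTION_ID" "$CLUSTER_RG" > "$role_file"
  run az role definition create --role-definition "@$role_file"

  # Step 3, tasks 1-2: assign the cluster role (and the VNet role, if one exists).
  run az role assignment create --assignee "$app_id" --role "$ROLE_NAME" --scope "$scope"
  if [ -n "$VNET_ROLE_NAME" ]; then
    run az role assignment create --assignee "$app_id" --role "$VNET_ROLE_NAME" --scope "$VNET_SCOPE"
  fi

  # Step 3, task 3: generate a fresh client secret and store it in Key Vault via
  # a file, so the secret never appears on a command line or in shell history.
  capture '<client secret>' az ad sp credential reset --id "$app_id" --query password -o tsv > "$secret_file"
  run az keyvault secret set --vault-name "$KEY_VAULT" --name "$SECRET_NAME" --file "$secret_file"

  # Step 3, task 4: the Secure Agent's managed identity only needs to read the
  # secret, so the access policy grants `get` on secrets and nothing else.
  run az keyvault set-policy --name "$KEY_VAULT" --object-id "$AGENT_IDENTITY_OBJECT_ID" --secret-permissions get

  # Check: every assignment the service principal holds, with its scope.
  run az role assignment list --assignee "$app_id" --all \
    --query '[].{role:roleDefinitionName, scope:scope}' -o table
}

main
```

Run it once without `APPLY` to review the printed commands and the rendered role JSON, then with `APPLY=1` after `az login`. The final `az role assignment list` output is the check worth keeping: the service principal should show only `Cluster Role` at the cluster resource group (plus the VNet role if you assigned one); any broader scope or extra role is a sign that the role was created or assigned outside this procedure.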