From 445e1e23c60ed85ae395d37ce61cb65b345cac5c Mon Sep 17 00:00:00 2001 From: Shubha Narayanan Date: Thu, 25 Jul 2024 16:30:13 +0530 Subject: [PATCH] Configuring Azure account improvements --- .../installing-azure-account.adoc | 18 +++++----- .../upi/installing-azure-user-infra.adoc | 2 -- ...icted-networks-azure-user-provisioned.adoc | 2 -- modules/installation-azure-identities.adoc | 6 ++-- .../installation-azure-increasing-limits.adoc | 35 ------------------- modules/installation-azure-limits.adoc | 2 ++ modules/installation-azure-marketplace.adoc | 8 ++--- .../installation-azure-network-config.adoc | 28 ++++++--------- modules/installation-azure-permissions.adoc | 10 ++++-- ...on-azure-preparing-diskencryptionsets.adoc | 34 +++++++++--------- modules/installation-azure-regions.adoc | 8 ++--- ...allation-azure-subscription-tenant-id.adoc | 6 ++-- ...tion-creating-azure-service-principal.adoc | 12 +++---- ...lation-using-azure-managed-identities.adoc | 6 ++-- ...inimum-required-permissions-ipi-azure.adoc | 17 ++++----- 15 files changed, 78 insertions(+), 116 deletions(-) delete mode 100644 modules/installation-azure-increasing-limits.adoc diff --git a/installing/installing_azure/installing-azure-account.adoc b/installing/installing_azure/installing-azure-account.adoc index e437bc3aab..147187d81c 100644 --- a/installing/installing_azure/installing-azure-account.adoc +++ b/installing/installing_azure/installing-azure-account.adoc 
@@ -1,20 +1,19 @@ :_mod-docs-content-type: ASSEMBLY [id="installing-azure-account"] -= Configuring an Azure account += Configuring an {azure-short} account include::_attributes/common-attributes.adoc[] :context: installing-azure-account toc::[] -Before you can install {product-title}, you must configure a Microsoft Azure account to meet installation requirements. +Before you can install {product-title}, you must configure a {azure-first} account to meet installation requirements. [IMPORTANT] ==== -All Azure resources that are available through public endpoints are subject to -resource name restrictions, and you cannot create resources that use certain -terms. For a list of terms that Azure restricts, see +All {azure-short} resources that are available through public endpoints are subject to +resource name restrictions. For a list of terms that {azure-short} restricts for resource names, see link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-reserved-resource-name[Resolve reserved resource name errors] -in the Azure documentation. +in the {azure-short} documentation. ==== include::modules/installation-azure-limits.adoc[leveloffset=+1] @@ -26,15 +25,16 @@ include::modules/installation-azure-limits.adoc[leveloffset=+1] include::modules/installation-azure-network-config.adoc[leveloffset=+1] -include::modules/installation-azure-increasing-limits.adoc[leveloffset=+1] - include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+1] include::modules/installation-azure-identities.adoc[leveloffset=+1] include::modules/installation-azure-permissions.adoc[leveloffset=+2] -include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+2] + +include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+3] + include::modules/installation-using-azure-managed-identities.adoc[leveloffset=+2] + include::modules/installation-creating-azure-service-principal.adoc[leveloffset=+2] [role="_additional-resources"] 
diff --git a/installing/installing_azure/upi/installing-azure-user-infra.adoc b/installing/installing_azure/upi/installing-azure-user-infra.adoc index e3a0469c2e..f7ec42b5bb 100644 --- a/installing/installing_azure/upi/installing-azure-user-infra.adoc +++ b/installing/installing_azure/upi/installing-azure-user-infra.adoc @@ -53,8 +53,6 @@ include::modules/installation-azure-network-config.adoc[leveloffset=+2] You can view Azure's DNS solution by visiting this xref:installation-azure-create-dns-zones_{context}[example for creating DNS zones]. -include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2] - include::modules/csr-management.adoc[leveloffset=+2] include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+2] diff --git a/installing/installing_azure/upi/installing-restricted-networks-azure-user-provisioned.adoc b/installing/installing_azure/upi/installing-restricted-networks-azure-user-provisioned.adoc index a28324bafd..b66124b73d 100644 --- a/installing/installing_azure/upi/installing-restricted-networks-azure-user-provisioned.adoc +++ b/installing/installing_azure/upi/installing-restricted-networks-azure-user-provisioned.adoc @@ -55,8 +55,6 @@ include::modules/installation-azure-network-config.adoc[leveloffset=+2] You can view Azure's DNS solution by visiting this xref:installation-azure-create-dns-zones_{context}[example for creating DNS zones]. -include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2] - include::modules/csr-management.adoc[leveloffset=+2] include::modules/installation-azure-permissions.adoc[leveloffset=+2] diff --git a/modules/installation-azure-identities.adoc b/modules/installation-azure-identities.adoc index 288eaeadf4..abc093e89b 100644 --- a/modules/installation-azure-identities.adoc +++ b/modules/installation-azure-identities.adoc 
@@ -4,10 +4,12 @@ :_mod-docs-content-type: CONCEPT [id="installation-azure-identities_{context}"] -= Supported identities to access Azure resources += Supported identities to access {azure-short} resources -An {product-title} cluster requires an Azure identity to create and manage Azure resources. As such, you need one of the following types of identities to complete the installation: +An {product-title} cluster requires an {azure-short} identity to create and manage {azure-short} resources. You need one of the following types of identities to complete the installation: * A service principal * A system-assigned managed identity * A user-assigned managed identity + +For more information on Azure identities, see link:https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#managed-identity-types[Managed identity types]. diff --git a/modules/installation-azure-increasing-limits.adoc b/modules/installation-azure-increasing-limits.adoc deleted file mode 100644 index 89e645e2a8..0000000000 --- a/modules/installation-azure-increasing-limits.adoc +++ /dev/null 
@@ -1,35 +0,0 @@ -// Module included in the following assemblies: -// -// * installing/installing_azure/installing-azure-account.adoc -// * installing/installing_azure/installing-azure-user-infra.adoc -// * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc - -:_mod-docs-content-type: PROCEDURE -[id="installation-azure-increasing-limits_{context}"] -= Increasing Azure account limits - -To increase an account limit, file a support request on the Azure portal. -[NOTE] -==== -You can increase only one type of quota per support request. -==== - -.Procedure - -. From the Azure portal, click *Help + support* in the lower left corner. - -. Click *New support request* and then select the required values: -.. From the *Issue type* list, select *Service and subscription limits (quotas)*. -.. From the *Subscription* list, select the subscription to modify. -.. From the *Quota type* list, select the quota to increase. For example, select -*Compute-VM (cores-vCPUs) subscription limit increases* to increase the number -of vCPUs, which is required to install a cluster. -.. Click *Next: Solutions*. - -. On the *Problem Details* page, provide the required information for your quota -increase: -.. Click *Provide details* and provide the required details in the *Quota details* window. -.. In the SUPPORT METHOD and CONTACT INFO sections, provide the issue severity -and your contact details. - -. Click *Next: Review + create* and then click *Create*. diff --git a/modules/installation-azure-limits.adoc b/modules/installation-azure-limits.adoc index 81ed60ddad..e199537ec9 100644 --- a/modules/installation-azure-limits.adoc +++ b/modules/installation-azure-limits.adoc 
@@ -206,6 +206,8 @@ Using spot VMs for control plane nodes is not recommended. endif::ash[] |=== +To increase an account limit, file a support request on the Azure portal. For more information, see link:https://learn.microsoft.com/en-us/azure/deployment-environments/how-to-request-quota-increase[Request a quota limit increase for Azure Deployment Environments resources]. + ifeval::["{context}" == "installing-azure-stack-hub-user-infra"] :!ash: :!cp: Azure Stack Hub diff --git a/modules/installation-azure-marketplace.adoc b/modules/installation-azure-marketplace.adoc index 8fa3c95f60..60f7be6cb8 100644 --- a/modules/installation-azure-marketplace.adoc +++ b/modules/installation-azure-marketplace.adoc @@ -4,13 +4,13 @@ :_mod-docs-content-type: CONCEPT [id="installation-azure-marketplace_{context}"] -= Supported Azure Marketplace regions += Supported {azure-short} Marketplace regions -Installing a cluster using the Azure Marketplace image is available to customers who purchase the offer in North America and EMEA. +Installing a cluster using the {azure-short} Marketplace image is available to customers who purchase the offer in North America and EMEA. -While the offer must be purchased in North America or EMEA, you can deploy the cluster to any of the Azure public partitions that {product-title} supports. +While the offer must be purchased in North America or EMEA, you can deploy the cluster to any of the {azure-short} public partitions that {product-title} supports. [NOTE] ==== -Deploying a cluster using the Azure Marketplace image is not supported for the Azure Government regions. +Deploying a cluster using the {azure-short} Marketplace image is not supported for the {azure-short} Government regions. ==== diff --git a/modules/installation-azure-network-config.adoc b/modules/installation-azure-network-config.adoc index a62a2f462c..8807c04501 100644 --- a/modules/installation-azure-network-config.adoc +++ b/modules/installation-azure-network-config.adoc 
@@ -6,9 +6,9 @@ :_mod-docs-content-type: PROCEDURE [id="installation-azure-network-config_{context}"] -= Configuring a public DNS zone in Azure += Configuring a public DNS zone in {azure-short} -To install {product-title}, the Microsoft Azure account you use must +To install {product-title}, the {azure-first} account you use must have a dedicated public hosted DNS zone in your account. This zone must be authoritative for the domain. This service provides cluster DNS resolution and name lookup for external connections to the cluster. 
@@ -16,27 +16,19 @@ cluster DNS resolution and name lookup for external connections to the cluster. .Procedure . Identify your domain, or subdomain, and registrar. You can transfer an -existing domain and registrar or obtain a new one through Azure or another source. -+ -[NOTE] -==== -For more information about purchasing domains through Azure, see -link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain[Buy a custom domain name for Azure App Service] -in the Azure documentation. -==== +existing domain and registrar or obtain a new one through {azure-short} or another source. -. If you are using an existing domain and registrar, migrate its DNS to Azure. See +** To purchase a new domain through {azure-short}, see link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain[Buy a custom domain name for Azure App Service]. + +** If you are using an existing domain and registrar, migrate its DNS to {azure-short}. For more information, see link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-migrate-domain[Migrate an active DNS name to Azure App Service] -in the Azure documentation. +in the {azure-short} documentation. -. Configure DNS for your domain. Follow the steps in the -link:https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns[Tutorial: Host your domain in Azure DNS] -in the Azure documentation to create a public hosted zone for your domain or -subdomain, extract the new authoritative name servers, and update the registrar -records for the name servers that your domain uses. +. Configure DNS for your domain, which includes creating a public hosted zone for your domain or subdomain, extracting the new authoritative name servers, and updating the registrar records for the name servers that your domain uses. For more information, see +link:https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns[Tutorial: Host your domain in Azure DNS]. 
+ Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain, such as `clusters.openshiftcorp.com`. -. If you use a subdomain, follow your company's procedures to add its delegation +. If you use a subdomain, follow your organization's procedures to add its delegation records to the parent domain. diff --git a/modules/installation-azure-permissions.adoc b/modules/installation-azure-permissions.adoc index bcb194d65e..15bd52a8f3 100644 --- a/modules/installation-azure-permissions.adoc +++ b/modules/installation-azure-permissions.adoc 
@@ -4,14 +4,18 @@ // * installing/installing_azure/installing-azure-user-infra.adoc // * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc +:_mod-docs-content-type: CONCEPT [id="installation-azure-permissions_{context}"] -= Required Azure roles += Required {azure-short} roles -An {product-title} cluster requires an Azure identity to create and manage Azure resources. Before you create the identity, verify that your environment meets the following requirements: +Before you create the identity, verify that your environment meets the following requirements based on the identity: * The Azure account that you use to create the identity is assigned the `User Access Administrator` and `Contributor` roles. These roles are required when: + ** Creating a service principal or user-assigned managed identity. + ** Enabling a system-assigned managed identity on a virtual machine. + * If you are going to use a service principal to complete the installation, verify that the Azure account that you use to create the identity is assigned the `microsoft.directory/servicePrincipals/createAsOwner` permission in Microsoft Entra ID. -To set roles on the Azure portal, see the link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Manage access to Azure resources using RBAC and the Azure portal] in the Azure documentation. +To set roles on the {azure-short} portal, see link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Assign {azure-short} roles using the {azure-short} portal] in the {azure-short} documentation. \ No newline at end of file diff --git a/modules/installation-azure-preparing-diskencryptionsets.adoc b/modules/installation-azure-preparing-diskencryptionsets.adoc index de46325455..95ebd9d93e 100644 --- a/modules/installation-azure-preparing-diskencryptionsets.adoc +++ b/modules/installation-azure-preparing-diskencryptionsets.adoc 
@@ -4,22 +4,22 @@ :_mod-docs-content-type: PROCEDURE [id="preparing-disk-encryption-sets_{context}"] -= Preparing an Azure Disk Encryption Set -The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer. += Preparing an {azure-short} Disk Encryption Set +The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in {azure-short} and provide the key to the installer. .Procedure -. Set the following environment variables for the Azure resource group by running the following command: +. Set the environment variables for the {azure-short} resource group by running the following command: + [source,terminal] ---- $ export RESOURCEGROUP="" \// <1> LOCATION="" <2> ---- -<1> Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster. -<2> Specifies the Azure location where you will create the resource group. +<1> Specifies the name of the {azure-short} resource group where the Disk Encryption Set and encryption key are to be created. To prevent losing access to your keys when you destroy the cluster, create the Disk Encryption Set in a separate resource group from the one where you install the cluster. +<2> Specifies the {azure-short} location where the resource group is to be created. + -. Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command: +. Set the environment variables for the {azure-short} Key Vault and Disk Encryption Set by running the following command: + [source,terminal] ---- 
@@ -27,19 +27,19 @@ $ export KEYVAULT_NAME="" \// <1> KEYVAULT_KEY_NAME="" \// <2> DISK_ENCRYPTION_SET_NAME="" <3> ---- -<1> Specifies the name of the Azure Key Vault you will create. -<2> Specifies the name of the encryption key you will create. -<3> Specifies the name of the disk encryption set you will create. +<1> Specifies the name of the {azure-short} Key Vault to be created. +<2> Specifies the name of the encryption key to be created. +<3> Specifies the name of the disk encryption set to be created. + -. Set the environment variable for the ID of your Azure Service Principal by running the following command: +. Set the environment variable for the ID of your {azure-short} service principal by running the following command: + [source,terminal] ---- $ export CLUSTER_SP_ID="" <1> ---- -<1> Specifies the ID of the service principal you will use for this installation. +<1> Specifies the ID of the service principal to be used for installation. + -. Enable host-level encryption in Azure by running the following commands: +. Enable host-level encryption in {azure-short} by running the following command: + [source,terminal] ---- @@ -56,14 +56,14 @@ $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost $ az provider register -n Microsoft.Compute ---- + -. Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command: +. Create an {azure-short} resource group to hold the disk encryption set and associated resources by running the following command: + [source,terminal] ---- $ az group create --name $RESOURCEGROUP --location $LOCATION ---- + -. Create an Azure key vault by running the following command: +. Create an {azure-short} Key Vault by running the following command: + [source,terminal] ---- 
@@ -102,7 +102,7 @@ $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \ $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL ---- + -. Grant the DiskEncryptionSet resource access to the key vault by running the following commands: +. Grant the `DiskEncryptionSet` resource access to the key vault by running the following commands: + [source,terminal] ---- @@ -116,7 +116,7 @@ $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \ $DES_IDENTITY --key-permissions wrapkey unwrapkey get ---- + -. Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands: +. Grant the {azure-short} service principal permission to read the Disk Encryption Set by running the following commands: + [source,terminal] ---- @@ -129,4 +129,4 @@ $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g $ az role assignment create --assignee $CLUSTER_SP_ID --role "" \// <1> --scope $DES_RESOURCE_ID -o jsonc ---- -<1> Specifies an Azure role with read permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions. +<1> Specifies an {azure-short} role with read permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions. diff --git a/modules/installation-azure-regions.adoc b/modules/installation-azure-regions.adoc index b44b5079ca..48174cbc01 100644 --- a/modules/installation-azure-regions.adoc +++ b/modules/installation-azure-regions.adoc 
@@ -7,12 +7,12 @@ // * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc [id="installation-azure-regions_{context}"] -= Supported Azure regions += Supported {azure-short} regions -The installation program dynamically generates the list of available Microsoft Azure regions based on your subscription. +The installation program dynamically generates the list of available {azure-full} regions based on your subscription. [discrete] -== Supported Azure public regions +== Supported {azure-short} public regions * `australiacentral` (Australia Central) * `australiaeast` (Australia East) @@ -60,7 +60,7 @@ The installation program dynamically generates the list of available Microsoft A * `westus3` (West US 3) [discrete] -== Supported Azure Government regions +== Supported {azure-short} Government regions Support for the following Microsoft Azure Government (MAG) regions was added in {product-title} version 4.6: diff --git a/modules/installation-azure-subscription-tenant-id.adoc b/modules/installation-azure-subscription-tenant-id.adoc index 7c29f1bae5..caac53a19f 100644 --- a/modules/installation-azure-subscription-tenant-id.adoc +++ b/modules/installation-azure-subscription-tenant-id.adoc 
@@ -6,15 +6,15 @@ [id="installation-azure-subscription-tenant-id_{context}"] = Recording the subscription and tenant IDs -The installation program requires the subscription and tenant IDs that are associated with your Azure account. You can use the Azure CLI to gather this information. +The installation program requires the subscription and tenant IDs that are associated with your {azure-short} account. You can use the {azure-short} CLI to gather this information. .Prerequisites -* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[Azure CLI]. +* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[{azure-short} CLI]. .Procedure -. Log in to the Azure CLI by running the following command: +. Log in to the {azure-short} CLI by running the following command: + [source,terminal] ---- diff --git a/modules/installation-creating-azure-service-principal.adoc b/modules/installation-creating-azure-service-principal.adoc index a244dab740..726bb7ff72 100644 --- a/modules/installation-creating-azure-service-principal.adoc +++ b/modules/installation-creating-azure-service-principal.adoc 
@@ -12,9 +12,9 @@ If you are unable to use a service principal, you can use a managed identity. .Prerequisites -* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[Azure CLI]. -* You have an Azure subscription ID. -* If you are not going to assign the `Contributor` and `User Administrator Access` roles to the service principal, you have created a custom role with the required Azure permissions. +* You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[{azure-short} CLI]. +* You have an {azure-short} subscription ID. +* If you are not assigning the `Contributor` and `User Administrator Access` roles to the service principal, you have created a custom role with the required {azure-short} permissions. .Procedure @@ -44,10 +44,10 @@ control. For more information, see https://aka.ms/azadsp-cli "tenantId": "8xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } ---- ++ +Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster. -. Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster. - -. If you applied the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command: +. If you assigned the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command: + [source,terminal] ---- diff --git a/modules/installation-using-azure-managed-identities.adoc b/modules/installation-using-azure-managed-identities.adoc index b50089dfff..e7be55ce02 100644 --- a/modules/installation-using-azure-managed-identities.adoc +++ b/modules/installation-using-azure-managed-identities.adoc 
@@ -4,9 +4,9 @@ :_mod-docs-content-type: PROCEDURE [id="installation-using-azure-managed-identities_{context}"] -= Using Azure managed identities += Using {azure-short} managed identities -The installation program requires an Azure identity to complete the installation. You can use either a system-assigned or user-assigned managed identity. +The installation program requires an {azure-short} identity to complete the installation. You can use either a system-assigned or user-assigned managed identity. If you are unable to use a managed identity, you can use a service principal. @@ -17,5 +17,5 @@ If you are unable to use a managed identity, you can use a service principal. .. Assign it to the virtual machine that you will run the installation program from. .. Record its client ID. You require this value when installing the cluster. + -For more information about viewing the details of a user-assigned managed identity, see the Microsoft Azure documentation for link:https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#list-user-assigned-managed-identities[listing user-assigned managed identities]. +For more information about viewing the details of a user-assigned managed identity, see link:https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#list-user-assigned-managed-identities[List user-assigned managed identities] in the {azure-short} documentation. . Verify that the required permissions are assigned to the managed identity. diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc index e09e4ae084..65c7dc266a 100644 --- a/modules/minimum-required-permissions-ipi-azure.adoc +++ b/modules/minimum-required-permissions-ipi-azure.adoc 
@@ -4,18 +4,19 @@ :_mod-docs-content-type: CONCEPT [id="minimum-required-permissions-ipi-azure_{context}"] -= Required Azure permissions for installer-provisioned infrastructure += Required {azure-short} permissions for installer-provisioned infrastructure The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the cluster and to maintain its daily operation. These permissions must be granted to the Azure subscription that is associated with the identity. The following options are available to you: -* You can assign the identity the `Contributor` and `User Access Administrator` roles. Assigning these roles is the quickest way to grant all of the required permissions. +* You can assign the identity the `Contributor` and `User Access Administrator` roles, which grant all of the required permissions. + For more information about assigning roles, see the Azure documentation for link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[managing access to Azure resources using the Azure portal]. -* If your organization's security policies require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions. -The following permissions are required for creating an {product-title} cluster on Microsoft Azure. +* If the security policies of your organization require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions. + +The following permissions are required for creating an {product-title} cluster on {azure-first}. .Required permissions for creating authorization resources [%collapsible] 
@@ -108,7 +109,7 @@ The following permissions are required for creating an {product-title} cluster o ==== [NOTE] ==== -The following permissions are not required to create the private {product-title} cluster on Azure. +The following permissions are not required to create the private {product-title} cluster on {azure-short}. * `Microsoft.Network/dnsZones/A/write` * `Microsoft.Network/dnsZones/CNAME/write` @@ -232,7 +233,7 @@ The following permissions are not required to create the private {product-title} * `Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action` ==== -The following permissions are required for deleting an {product-title} cluster on Microsoft Azure. You can use the same permissions to delete a private {product-title} cluster on Azure. +The following permissions are required for deleting an {product-title} cluster on {azure-full}. You can use the same permissions to delete a private {product-title} cluster on {azure-short}. .Required permissions for deleting authorization resources [%collapsible] @@ -276,7 +277,7 @@ The following permissions are required for deleting an {product-title} cluster o ==== [NOTE] ==== -The following permissions are not required to delete a private {product-title} cluster on Azure. +The following permissions are not required to delete a private {product-title} cluster on {azure-short}. * `Microsoft.Network/dnszones/read` * `Microsoft.Network/dnsZones/A/read` 
@@ -308,7 +309,7 @@ The following permissions are not required to delete a private {product-title} c [NOTE] ==== -To install {product-title} on Azure, you must scope the permissions to your subscription. Later, you can re-scope these permissions to the installer created resource group. If the public DNS zone is present in a different resource group, then the network DNS zone related permissions must always be applied to your subscription. By default, the {product-title} installation program assigns the Azure identity the `Contributor` role. +To install {product-title} on {azure-short}, you must scope the permissions to your subscription. You can re-scope these permissions to the resource group created by installation program. If the public DNS zone is present in a different resource group, then the network DNS zone related permissions must always be applied to your subscription. By default, the {product-title} installation program assigns the {azure-short} identity the `Contributor` role. You can scope all the permissions to your subscription when deleting an {product-title} cluster. ====
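Review bot: the two UPI assembly hunks (installing-azure-user-infra.adoc and installing-restricted-networks-azure-user-provisioned.adoc) drop the `include::modules/installation-azure-increasing-limits.adoc` line, and the replacement guidance now lives only in installation-azure-limits.adoc; confirm that both UPI assemblies include installation-azure-limits.adoc, otherwise the quota-increase guidance disappears from the user-provisioned flows.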
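Review bot: the sentence added after `|===` in installation-azure-limits.adoc links to "Request a quota limit increase for Azure Deployment Environments resources", which documents a different Azure service than the general subscription quota (for example the Compute-VM vCPU limit) that the deleted installation-azure-increasing-limits.adoc module walked through; link the general Azure subscription quota increase page instead. The line also sits between `endif::ash[]` and the `ifeval` that clears `:ash:`, so it renders in the Azure Stack Hub build of this module where an Azure portal support request does not apply; wrap it in `ifndef::ash[]`/`endif::ash[]`, and use `{azure-short}` instead of the literal "Azure" as the rest of this patch does.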
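Review bot: the line added to installation-azure-identities.adoc, `For more information on Azure identities, see ...[Managed identity types].`, points at a section that covers only the two managed identity types, while the list above it also includes service principals; rephrase to "For more information about managed identities, see ..." and use `{azure-short}` rather than the literal "Azure" to match the heading change in the same hunk.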
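Review bot: in installation-azure-network-config.adoc the two new `**` bullets under step 1 are not parallel: the first ends at the link while the second keeps "in the {azure-short} documentation"; make both end the same way. The bullets are also separated from the step text by blank lines rather than attached with `+` like the continuation used later in the same list (`+ Use an appropriate root domain ...`); render the module to confirm they nest under step 1 rather than starting a new list.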
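Review bot: the rewritten opening of installation-azure-permissions.adoc, `Before you create the identity, verify that your environment meets the following requirements based on the identity:`, no longer says which identity is meant now that "An {product-title} cluster requires an Azure identity ..." was removed, and the module comments show it is also included by the two UPI assemblies, where the identities module does not necessarily precede it; keep a one-sentence lead-in naming the service principal or managed identity and drop the trailing "based on the identity", which the bullets already express. The hunk also ends with `\ No newline at end of file`; add the trailing newline. The unchanged bullets still read "The Azure account" while the new lines use `{azure-short}`; update them in the same pass.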
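Review bot: in installation-azure-preparing-diskencryptionsets.adoc the step text for host-level encryption was changed from "running the following commands" to "running the following command", but the listing that follows still contains more than one command (`$ az feature show ...` and `$ az provider register ...` are visible as context in the next hunk), so keep the plural. The file now names the resource inconsistently, `DiskEncryptionSet` in backticks in one step and "Disk Encryption Set" in the next; pick one form. The final callout, `You can use the `Owner` role or a custom role with the necessary permissions.`, is rewritten here yet still leads with `Owner` for what the same sentence describes as read permissions; lead with the least-privilege option (a custom role with only the read actions, or the built-in `Reader` role if it satisfies the installer) and mention `Owner` only as the permissive fallback.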
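Review bot: installation-azure-regions.adoc introduces `{azure-full}` (minimum-required-permissions-ipi-azure.adoc uses it too) while the other modules in this patch use `{azure-first}` for the first mention and `{azure-short}` afterwards; confirm `{azure-full}` is defined in `_attributes/common-attributes.adoc` and settle on one attribute for the spelled-out name, otherwise the build emits the literal `{azure-full}`. The unchanged context line "Support for the following Microsoft Azure Government (MAG) regions ..." in the same hunk still uses the literal name.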
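Review bot: the prerequisites and the final step of installation-creating-azure-service-principal.adoc name the role `User Administrator Access`, but the built-in Azure role is `User Access Administrator`, which is how installation-azure-permissions.adoc and minimum-required-permissions-ipi-azure.adoc spell it in this same patch; both lines are rewritten here, so correct the name in both. Moving "Record the values of the `appId` and `password` parameters ..." under the output block with `+` is fine, but check that the remaining numbered steps still read in order after the removed step.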
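Review bot: the assembly hunk moves minimum-required-permissions-ipi-azure.adoc from `leveloffset=+2` to `+3`, nesting it under "Required {azure-short} roles" as a level-4 section; confirm the `[%collapsible]` blocks with `.Required permissions ...` titles still render at that depth and that `toc::[]` in the assembly shows the section. The unchanged context line `For more information about assigning roles, see the Azure documentation for link:...[managing access to Azure resources using the Azure portal].` links the same page that installation-azure-permissions.adoc renames to "Assign {azure-short} roles using the {azure-short} portal" in this patch; update the link text here to match.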
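Review bot: the rewritten note in the last hunk of minimum-required-permissions-ipi-azure.adoc reads "the resource group created by installation program"; it needs the article: "created by the installation program". Dropping "Later" also loses the ordering that the re-scoping happens after the cluster is installed; consider "After installation, you can re-scope these permissions ...".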