mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

CO-924: Azure: Support passthrough of SP's without the Application.ReadWrite.OwnedBy permission

This commit is contained in:
Jeana Routh
2020-10-09 14:14:44 -04:00
committed by openshift-cherrypick-robot
parent 34188663b2
commit cab590fdcd

@@ -147,10 +147,16 @@ Retrying role assignment creation: 4/36
. Record the values of the `appId` and `password` parameters from the previous
output. You need these values during {product-title} installation.
. Grant additional permissions to the service principal. The service principal
requires the legacy `Azure Active Directory Graph -> Application.ReadWrite.OwnedBy`
permission and the `User Access Administrator` role for the cluster to assign
credentials for its components.
. Grant additional permissions to the service principal.
+
--
** You must always add the `Contributor` and `User Access Administrator` roles to the app registration service principal so the cluster can assign credentials for its components.
** To operate the Cloud Credential Operator (CCO) in _mint mode_, the app registration service principal also requires the `Azure Active Directory Graph/Application.ReadWrite.OwnedBy` API permission.
** To operate the CCO in _passthrough mode_, the app registration service principal does not require additional API permissions.
--
+
For more information about CCO modes, see the *Cloud Credential Operator* entry in the *Red Hat Operators reference* content.
.. To assign the `User Access Administrator` role, run the following command:
+
[source,terminal]
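Review bot: the three `**` bullets in the new open block say which roles and API permissions each CCO mode requires, but not what the reader trades off by choosing passthrough, and the following sub-step `.. To assign the `User Access Administrator` role` only covers one of the two roles the first bullet calls mandatory. Consider adding, in the passthrough bullet, a sentence saying that in passthrough mode the cluster runs on the service principal credential itself (with its `Contributor` and `User Access Administrator` roles) rather than on per-component credentials minted with `Application.ReadWrite.OwnedBy`, so readers can weigh that against the reduced permission set; and either add a matching sub-step for the `Contributor` role or state where that role is already granted, so the "always add" wording in the first bullet matches the procedure. Also, "see the *Cloud Credential Operator* entry in the *Red Hat Operators reference* content" is a prose pointer; an `xref:` to that entry would keep it from going stale.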