Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Membuat penetapan peran Azure
Halaman ini menunjukkan cara memberikan izin ke GKE di Azure agar dapat mengakses Azure API. Anda harus melakukan langkah-langkah ini saat menyiapkan cluster GKE di Azure yang baru atau saat memperbarui izin untuk cluster yang ada.
Izin ini diperlukan agar GKE di Azure dapat mengelola resource Azure atas nama Anda, seperti mesin virtual, komponen jaringan, dan penyimpanan.
Mendapatkan ID langganan dan principal layanan
Untuk memberikan izin ke GKE di Azure, Anda harus mendapatkan ID langganan dan principal layanan Azure. ID langganan dan akun utama layanan Azure
dikaitkan dengan aplikasi Azure AD yang Anda buat untuk GKE di Azure.
Untuk mengetahui detailnya, lihat
Membuat aplikasi Azure Active Directory.
Akun utama layanan adalah identitas di Azure Active Directory (AD) yang digunakan
untuk mengautentikasi ke Azure dan mengakses sumber dayanya. Langganan Azure adalah
penampung logis yang memberi Anda akses resmi ke produk
dan layanan Azure. ID langganan adalah ID unik yang terkait dengan langganan Azure Anda.
Untuk menyimpan ID langganan dan principal layanan Anda sebagai referensi cepat, Anda dapat menyimpannya dalam variabel shell. Untuk membuat variabel shell ini, jalankan perintah berikut:
Ganti APPLICATION_NAME dengan nama
aplikasi Azure AD Anda.
Buat tiga peran khusus
Untuk memberikan izin kepada GKE di Azure untuk mengelola resource Azure Anda, Anda
perlu membuat tiga peran kustom dan menetapkannya ke akun utama layanan. Hanya
izin minimum yang ditambahkan dalam petunjuk berikut. Anda dapat menambahkan izin lainnya jika perlu.
Anda perlu membuat peran khusus untuk jenis akses berikut:
Akses tingkat langganan: Izin yang berlaku untuk seluruh langganan Azure, sehingga memungkinkan pengelolaan semua resource Azure dalam langganan tersebut.
Akses tingkat grup resource cluster: Izin khusus untuk mengelola resource Azure dalam grup resource tertentu yang berisi cluster GKE di Azure Anda.
Akses tingkat grup resource jaringan virtual: Izin khusus untuk mengelola
resource Azure dalam grup resource yang berisi resource jaringan virtual Azure Anda.
Membuat peran untuk akses tingkat langganan
Buat file bernama GKEOnAzureAPISubscriptionScopedRole.json.
Buka GKEOnAzureAPISubscriptionScopedRole.json di editor dan tambahkan izin berikut:
{"Name":"GKE on-Azure API Subscription Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in subscription scope.","Actions":["Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/delete","Microsoft.Authorization/roleDefinitions/read"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
Tetapkan peran ke akun utama layanan menggunakan perintah berikut:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Subscription Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}
Membuat peran untuk akses tingkat grup resource cluster
Buat file bernama GKEOnAzureClusterResourceGroupScopedRole.json.
Buka GKEOnAzureClusterResourceGroupScopedRole.json di editor dan tambahkan
izin berikut:
{"Name":"GKE on-Azure API Cluster Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in cluster resource group scope.","Actions":["Microsoft.Resources/subscriptions/resourcegroups/read","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete","Microsoft.ManagedIdentity/userAssignedIdentities/write","Microsoft.ManagedIdentity/userAssignedIdentities/read","Microsoft.ManagedIdentity/userAssignedIdentities/delete","Microsoft.Network/applicationSecurityGroups/write","Microsoft.Network/applicationSecurityGroups/read","Microsoft.Network/applicationSecurityGroups/delete","Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action","Microsoft.Authorization/roleAssignments/write","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleAssignments/delete","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/delete","Microsoft.Network/loadBalancers/backendAddressPools/join/action","Microsoft.Network/networkSecurityGroups/write","Microsoft.Network/networkSecurityGroups/read","Microsoft.Network/networkSecurityGroups/delete","Microsoft.Network/networkSecurityGroups/join/action","Microsoft.KeyVault/vaults/write","Microsoft.KeyVault/vaults/read","Microsoft.KeyVault/vaults/delete","Microsoft.Compute/disks/read","Microsoft.Compute/disks/write","Microsoft.Compute/disks/delete","Microsoft.Network/networkInterfaces/read","Microsoft.Network/networkInterfaces/write","Microsoft.Network/networkInterfaces/delete","Microsoft.Network/networkInterfaces/join/action","Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/delete","Microsoft.Compute/virtualMachineScaleSets/write","Microsoft.Compute/virtualMachineScaleSets/read","Microsoft.Compute/virtualMachineScaleSets/delete","Microsoft.ManagedIdentity/userAssignedIdentities/assign/action","Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action","Microsoft.Insights/Metrics/Read"],"NotActions":[],"DataActions":["Microsoft.KeyVault/vaults/keys/create/action","Microsoft.KeyVault/vaults/keys/delete","Microsoft.KeyVault/vaults/keys/read","Microsoft.KeyVault/vaults/keys/encrypt/action"],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}```
Tetapkan peran ke akun utama layanan menggunakan perintah berikut:
azroleassignmentcreate--assignee${SERVICE_PRINCIPAL_ID}--role"GKE on-Azure API Cluster Resource Group Scoped Role"--scope/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
Membuat peran untuk akses tingkat grup resource jaringan virtual
Buat file bernama GKEOnAzureAPIVNetResourceGroupScopedRole.json.
Buka GKEOnAzureAPIVNetResourceGroupScopedRole.json di editor dan tambahkan
izin berikut:
{"Name":"GKE on-Azure API VNet Resource Group Scoped Role","IsCustom":true,"Description":"Allow GKE on-Azure service manage resources in virtual network resource group scope.","Actions":["Microsoft.Network/virtualNetworks/read","Microsoft.Network/virtualNetworks/subnets/read","Microsoft.Network/virtualNetworks/subnets/join/action","Microsoft.Authorization/roleDefinitions/write","Microsoft.Authorization/roleDefinitions/delete"],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/${SUBSCRIPTION_ID}"]}
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-07-31 UTC."],[],[],null,["# Create Azure role assignments\n=============================\n\nThis page shows how you grant permissions to GKE on Azure so that it can\naccess Azure APIs. You need to perform these steps when setting up a new\nGKE on Azure cluster or when updating permissions for an existing cluster.\nThese permissions are necessary for GKE on Azure to manage Azure resources\non your behalf, such as virtual machines, networking components, and storage.\n\nObtain service principal and subscription IDs\n---------------------------------------------\n\nTo grant permissions to GKE on Azure, you need to obtain your Azure service\nprincipal and subscription ID. The Azure service principal and subscription ID\nare associated with the Azure AD application you created for GKE on Azure.\nFor details, see\n[Create an Azure Active Directory application](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).\n\nA service principal is an identity in Azure Active Directory (AD) that is used\nto authenticate to Azure and access its resources. An Azure subscription is a\nlogical container that provides you with authorized access to Azure products\nand services. A subscription ID is a unique identifier associated with your\nAzure subscription.\n\nTo save your service principal and subscription IDs for quick reference, you can\nstore them in shell variables. To create these shell variables, run the\nfollowing command: \n\n APPLICATION_ID=$(az ad app list --all \\\n --query \"[?displayName=='\u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e'].appId\" \\\n --output tsv)\n SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \\\n --query \"[?appId=='$APPLICATION_ID'].id\")\n SUBSCRIPTION_ID=$(az account show --query \"id\" --output tsv)\n\nReplace \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e with the name\nof your Azure AD application.\n\nCreate three custom roles\n-------------------------\n\nTo grant GKE on Azure the permissions to manage your Azure resources, you\nneed to create three custom roles and assign them to the service principal. Only\nthe minimum permissions are added in the following instructions. You can add\nmore permissions if you need to.\n\nYou need to create custom roles for the following types of access:\n\n- **Subscription-level access**: Permissions that apply to the entire Azure subscription, allowing management of all Azure resources within that subscription.\n- **Cluster resource group-level access**: Permissions specific to managing Azure resources within a particular resource group that contains your GKE on Azure clusters.\n- **Virtual network resource group-level access**: Permissions specific to managing Azure resources within a resource group that contains your Azure virtual network resources.\n\n### Create role for subscription-level access\n\n1. Create a file named `GKEOnAzureAPISubscriptionScopedRole.json`.\n\n2. Open `GKEOnAzureAPISubscriptionScopedRole.json` in an editor and add the\n following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Subscription Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in subscription scope.\",\n \"Actions\": [\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Authorization/roleDefinitions/read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPISubscriptionScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}\n\n### Create role for cluster resource group-level access\n\n1. Create a file named `GKEOnAzureClusterResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureClusterResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API Cluster Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in cluster resource group scope.\",\n \"Actions\": [\n \"Microsoft.Resources/subscriptions/resourcegroups/read\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/write\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/read\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/delete\",\n \"Microsoft.Network/applicationSecurityGroups/write\",\n \"Microsoft.Network/applicationSecurityGroups/read\",\n \"Microsoft.Network/applicationSecurityGroups/delete\",\n \"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action\",\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/read\",\n \"Microsoft.Authorization/roleAssignments/delete\",\n \"Microsoft.Network/loadBalancers/write\",\n \"Microsoft.Network/loadBalancers/read\",\n \"Microsoft.Network/loadBalancers/delete\",\n \"Microsoft.Network/loadBalancers/backendAddressPools/join/action\",\n \"Microsoft.Network/networkSecurityGroups/write\",\n \"Microsoft.Network/networkSecurityGroups/read\",\n \"Microsoft.Network/networkSecurityGroups/delete\",\n \"Microsoft.Network/networkSecurityGroups/join/action\",\n \"Microsoft.KeyVault/vaults/write\",\n \"Microsoft.KeyVault/vaults/read\",\n \"Microsoft.KeyVault/vaults/delete\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/disks/write\",\n \"Microsoft.Compute/disks/delete\",\n \"Microsoft.Network/networkInterfaces/read\",\n \"Microsoft.Network/networkInterfaces/write\",\n \"Microsoft.Network/networkInterfaces/delete\",\n \"Microsoft.Network/networkInterfaces/join/action\",\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/write\",\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachineScaleSets/write\",\n \"Microsoft.Compute/virtualMachineScaleSets/read\",\n \"Microsoft.Compute/virtualMachineScaleSets/delete\",\n \"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\",\n \"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\",\n \"Microsoft.Insights/Metrics/Read\"\n ],\n \"NotActions\": [],\n \"DataActions\": [\n \"Microsoft.KeyVault/vaults/keys/create/action\",\n \"Microsoft.KeyVault/vaults/keys/delete\",\n \"Microsoft.KeyVault/vaults/keys/read\",\n \"Microsoft.KeyVault/vaults/keys/encrypt/action\"\n ],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n ```\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureClusterResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Cluster Resource Group Scoped Role\" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}\n\n### Create role for virtual network resource group-level access\n\n1. Create a file named `GKEOnAzureAPIVNetResourceGroupScopedRole.json`.\n\n2. Open `GKEOnAzureAPIVNetResourceGroupScopedRole.json` in an editor and add\n the following permissions:\n\n {\n \"Name\": \"GKE on-Azure API VNet Resource Group Scoped Role\",\n \"IsCustom\": true,\n \"Description\": \"Allow GKE on-Azure service manage resources in virtual network resource group scope.\",\n \"Actions\": [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/virtualNetworks/subnets/read\",\n \"Microsoft.Network/virtualNetworks/subnets/join/action\",\n \"Microsoft.Authorization/roleDefinitions/write\",\n \"Microsoft.Authorization/roleDefinitions/delete\"\n ],\n \"NotActions\": [],\n \"DataActions\": [],\n \"NotDataActions\": [],\n \"AssignableScopes\": [\"/subscriptions/${SUBSCRIPTION_ID}\"]\n }\n\n3. Create the new custom role:\n\n az role definition create --role-definition \"GKEOnAzureAPIVNetResourceGroupScopedRole.json\"\n\n4. Assign the role to the service principal using the following command:\n\n az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role \"GKE on-Azure API Subscription Scoped Role\" --scope \"/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID\"\n\nWhat's next\n-----------\n\n- [Create a client certificate](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-client)"]]
