Version: 1.4

Azure Service Principal Setup

This guide explains how to create and configure an Azure Service Principal with the required permissions for the Azure agent.

Prerequisites

  • Azure CLI installed and authenticated
  • Permissions to create custom roles, such as User Access Administrator
  • Access to the target Azure subscription and resource groups

Steps

1. Create the Service Principal

az ad sp create-for-rbac --name "astronetes-agent" --skip-assignment

You'll receive output similar to this:

{
  "appId": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
  "displayName": "astronetes-agent",
  "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "tenant": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
}

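Important: Save these values securely, for example in a secrets manager. You'll need them to configure the agent, and the password cannot be retrieved again after this output is shown.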

2. Assign required permissions

Assign the Reader role to allow the agent to collect metadata from Azure resources:

az role assignment create \
  --assignee "<appId-from-step-1>" \
  --role "Reader" \
  --scope "/subscriptions/<your-subscription-id>"

3. Get your subscription details

If you need to find your subscription ID and resource groups:

# Get subscription ID
az account show --query id -o tsv

# List storage accounts and their resource groups
az storage account list --query "[].{Name:name, ResourceGroup:resourceGroup}" -o table
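
To confirm that the service principal ended up with only the Reader assignment from step 2, its role assignments can be audited. The script below is an added example, not part of the original guide or the agent's own tooling. The names check_assignments, audit_sp and sample_overprivileged are hypothetical, and it assumes the only intended assignment is Reader at subscription scope.

```shell
#!/usr/bin/env bash
# Added example: least-privilege audit of the agent's role assignments.

# check_assignments EXPECTED_SCOPE
# Reads "roleDefinitionName<TAB>scope" lines on stdin and succeeds only if the
# sole assignment is Reader at EXPECTED_SCOPE. The body runs in a subshell,
# so its variables do not leak into the caller.
check_assignments() (
  expected_scope=$1
  found_reader=0
  findings=0
  tab=$(printf '\t')
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    if [ -z "$role" ]; then continue; fi
    if [ "$role" = "Reader" ] && [ "$scope" = "$expected_scope" ]; then
      found_reader=1
    else
      echo "UNEXPECTED: role=$role scope=$scope"
      findings=$((findings + 1))
    fi
  done
  if [ "$found_reader" -eq 0 ]; then
    echo "MISSING: Reader at $expected_scope"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
)

# audit_sp APP_ID SUBSCRIPTION_ID: live check, requires an authenticated az.
audit_sp() {
  az role assignment list --assignee "$1" --all \
    --query "[].[roleDefinitionName, scope]" -o tsv |
    check_assignments "/subscriptions/$2"
}

# Constructed sample data (placeholder subscription ID, not real output).
SAMPLE_SCOPE="/subscriptions/00000000-0000-0000-0000-000000000000"
sample_overprivileged() {
  printf 'Reader\t%s\n' "$SAMPLE_SCOPE"
  printf 'Contributor\t%s/resourceGroups/rg-demo\n' "$SAMPLE_SCOPE"
}
```

Source the file and run audit_sp with the appId from step 1 and the subscription ID from step 3; a non-zero exit status means an assignment other than the expected Reader role was found, or Reader is missing.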

Required information for agent configuration

After completing these steps, you'll have:

  • Client ID (appId from step 1)
  • Client Secret (password from step 1)
  • Tenant ID (tenant from step 1)
  • Subscription ID (from step 3)

Keep these values ready - you'll need them when configuring your Azure agent.