Cloudera Docs

Creating user-assigned Managed Identities

Learn about creating user-assigned Managed Identities.

When creating a new Cloudera Data Engineering service, you need to supply two user-assigned managed identities, one of them is used for common cluster components and the other one is shared across all Cloudera Data Engineering virtual cluster components. These identities are associated with only one Cloudera Data Engineering service, and cannot be used in another Cloudera Data Engineering service.

For more information on creating managed identities on the Azure portal, see Creating Managed Identity.

The following procedure lists the Azure CLI commands to create user-assigned managed identities and role assignments.

For the commands included in the procedure, you need the values for the following variables, based on your Azure environment:

[***RESOURCE-GROUP***]: Your resource group name.

[***LOCATION***]: The location, for example eastus.

[***MANAGED-IDENTITY-NAME***]: The Managed Identity name to be created.

[***STORAGE-ACCOUNT***]: Your storage account name.

[***LOGS-CONTAINER-NAME***]: The name of the logs container.

[***SUBSCRIPTION-ID***]: The subscription ID.

Example: If abfs://logs@mystorage.dfs.core.windows.net is your log storage location, then [***STORAGE-ACCOUNT***] is mystorage, [***LOGS-CONTAINER-NAME***] is logs.

Run the following command to set the variables:

RESOURCE_GROUP="[***RESOURCE-GROUP***]"
LOCATION="[***LOCATION***]"
IDENTITY_NAME="[***MANAGED-IDENTITY-NAME***]"
STORAGE_ACCOUNT="[***STORAGE-ACCOUNT***]"
CONTAINER_NAME="[***LOGS-CONTAINER-NAME***]"
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
  1. Create the Managed Identity in the resource group that belongs to the environment. 
    az identity create \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --location $LOCATION
  2. Get the principal ID (object ID) of the Managed Identity. 
    PRINCIPAL_ID=$(az identity show \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --query principalId -o tsv)
  3. Get the client ID of the Managed Identity. 
    CLIENT_ID=$(az identity show \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --query clientId -o tsv)
  4. Build the container scope and the resource ID. 
    CONTAINER_SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT/blobServices/default/containers/$CONTAINER_NAME"
    RESOURCE_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$IDENTITY_NAME"
  5. Assign the Storage Blob Data Contributor role at container level. 
    az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Storage Blob Data Contributor" \
  --scope $CONTAINER_SCOPE
  6. Display the results. 
    echo "Managed Identity Created:"
echo "  Client ID: $CLIENT_ID"
echo "  Resource ID: $RESOURCE_ID"
  7. List all role assignments in a specific container. Verify if the Managed Identity has contributor access to the logs container. 
    CONTAINER_SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT/blobServices/default/containers/$CONTAINER_NAME"

az role assignment list \
  --scope $CONTAINER_SCOPE \
  --query "[].{Principal:principalName, Role:roleDefinitionName, Scope:scope}" \
  --output table