Deploy ARO with Managed Identities and Workload Identity
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration. This guide has been validated on OpenShift 4.20. Operator CRD names, API versions, and console paths may differ on other versions.
A guide to deploying Azure Red Hat OpenShift with Managed Identities and Workload Identity (MIWI) for enhanced security and streamlined Azure resource access.
This guide is adapted from Ken Moini's HackMD deployment guide.
Overview
This guide walks through deploying an ARO cluster using Azure Managed Identities instead of service principals, enabling Workload Identity for platform operators. This provides:
- Enhanced Security: No service principal secrets to manage
- Streamlined Operations: Automatic credential rotation via Azure Managed Identity
- Workload Identity: Platform operators use federated credentials with Azure
Prerequisites
Azure CLI
Ensure you have Azure CLI version 2.84 or later (version 2.70+ recommended for the latest managed identity features):
For the latest syntax with --assign-identity and --assign-kubelet-identity, upgrade to Azure CLI 2.70.0 or later:
Red Hat Pull Secret
1. Log into https://console.redhat.com
2. Browse to https://console.redhat.com/openshift/install/azure/aro-provisioned
3. Click the Download pull secret button and save it as rh-pull-secret.json
Azure Account Preparation
1. Log into Azure CLI
2. Set your subscription ID
3. Register required resource providers
Configuration
Set Environment Variables
Configure the deployment parameters:
Avoid using the following CIDR ranges for the pod and service networks, as they conflict with OVN-Kubernetes:
- 100.64.0.0/16
- 100.88.0.0/16
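A pre-flight check for these values, added here as an example and not part of the guide: it validates the pod and service CIDRs (and, going slightly beyond the note above, an optional VNet CIDR) and reports any overlap with the two OVN-K reserved ranges or with each other. The sample values in the `__main__` block are constructed, not the guide's defaults.

```python
import ipaddress

# The two ranges the guide says to keep clear of the pod and service
# networks, because OVN-Kubernetes uses them internally.
OVNK_RESERVED = ("100.64.0.0/16", "100.88.0.0/16")


def _parse(label, cidr):
    """Parse one CIDR strictly (host bits must be zero); return (network, error)."""
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError as exc:
        return None, f"{label} CIDR {cidr!r} is invalid: {exc}"


def check_cluster_cidrs(pod_cidr, service_cidr, vnet_cidr=None):
    """Return a list of problem strings; an empty list means the ranges are usable.

    Checks that each value is a valid canonical CIDR, that the pod, service
    and (if given) VNet ranges do not overlap one another, and that none of
    them overlaps an OVN-K reserved range.
    """
    problems, nets = [], {}
    for label, cidr in (("pod", pod_cidr), ("service", service_cidr), ("vnet", vnet_cidr)):
        if cidr is None:
            continue
        net, err = _parse(label, cidr)
        if err:
            problems.append(err)
        else:
            nets[label] = net
    reserved = [ipaddress.ip_network(r) for r in OVNK_RESERVED]
    for label, net in nets.items():
        for r in reserved:
            if net.overlaps(r):
                problems.append(f"{label} CIDR {net} overlaps OVN-K reserved range {r}")
    labels = list(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} CIDR {nets[a]} overlaps {b} CIDR {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one clean set, one that lands in a reserved range.
    for args in (("10.128.0.0/14", "172.30.0.0/16", "10.0.0.0/22"),
                 ("100.64.0.0/18", "172.30.0.0/16")):
        print(args, "->", check_cluster_cidrs(*args) or "OK")
```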
Deployment Options
You can deploy ARO with managed identities using either approach:
- Option 1: One-Shot Deployment - Single script that creates everything
- Option 2: Step-by-Step Deployment - Individual commands for each component
One-Shot Deployment
Download and execute the automated deployment script:
After the one-shot deployment completes, proceed to Access the Cluster to start using your cluster.
Step-by-Step Deployment
Alternatively, deploy each component individually for better control and understanding.
1. Create Resource Groups
2. Create Virtual Network
3. Create Managed Identities
Create managed identities for ARO platform operators:
4. Assign Role Permissions
Grant necessary permissions to managed identities:
5. Deploy ARO Cluster
Create the ARO cluster with managed identity configuration:
Cluster creation takes approximately 30-45 minutes. The script automatically includes the pull secret if the file exists.
Access the Cluster
Get Cluster Console URL
Get Admin Credentials
Cleanup
To delete the cluster and all resources:
Ensure you want to delete all resources before running cleanup commands. This action cannot be undone.
Benefits of Managed Identity with Workload Identity
Security:
- No service principal secrets stored in the cluster
- Automatic credential rotation via Azure
- Reduced attack surface for credential theft
Operational:
- Simplified secret management
- No manual secret rotation required
- Better audit trails via Azure Activity Log
Compliance:
- Meets security requirements for secret-free authentication
- Aligns with Azure security best practices
- Easier to demonstrate compliance posture
Troubleshooting
Managed Identity Not Working
Check role assignments:
Permission Errors
Review Azure Activity Log for detailed error messages: