TIBCO ModelOps Install on Azure with limited use of the Owner role
Article ID: KB0072232
Description
When installing ModelOps 1.1, the acrpush/acrpull permissions do not work, so the only alternative is to assign the ModelOps application the Owner role. This weakens security. Is there a way to install and run ModelOps without the Owner role for the application?
Environment
Microsoft Azure AKS
Resolution
The ModelOps application requires the Owner role only for the installation period.
Without the Owner role for the application, the following command fails with this error:
> az aks create --resource-group tibcomodelops --service-principal ****** --client-secret ****** --name tibcomodelops --max-pods 200 --node-count 1 --enable-cluster-autoscaler --min-count 1 --max-count 5 --no-ssh-key --windows-admin-password ****** --windows-admin-username ***** --vm-set-type VirtualMachineScaleSets --node-vm-size Standard_B8ms --network-plugin azure --attach-acr tibcomodelops --output table
Waiting for AAD role to propagate[##### ] 90.0000%Could not create a role assignment for ACR. Are you an Owner on this subscription?
Refer to the documentation page TIBCO ModelOps Documentation: AKS Installation. When registering the application at the step REGISTER THE APPLICATION, OBTAIN REQUIRED SERVICE PRINCIPAL AND CLIENT SECRET, assign the Owner role to avoid the problem with acrpush and acrpull permissions. The Azure Owner role is needed only for the duration of the 'az aks create' command, after which the application role may be set to Contributor. ModelOps will then run correctly with only Contributor permissions.
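The sequence described above, as an added example that is not part of the TIBCO article or product: a wrapper that grants Owner, runs the supplied az command, then switches the application to Contributor even if that command fails. APP_ID, SCOPE, DRY_RUN and the function names are assumptions, and the signed-in account running the script is assumed to be allowed to manage role assignments.

```bash
#!/usr/bin/env bash
# Added example (not TIBCO's script): hold Owner only while 'az aks create' runs.
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder appId of the application
SCOPE="${SCOPE:-/subscriptions/SUBSCRIPTION_ID}"          # placeholder role-assignment scope
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = print az commands, 0 = run them

# Run the Azure CLI, or only print the command line in dry-run mode.
az_cmd() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

grant_owner() {
  az_cmd role assignment create --assignee "$APP_ID" --role Owner --scope "$SCOPE"
}

# Add Contributor before removing Owner so the application always holds a role.
downgrade_to_contributor() {
  az_cmd role assignment create --assignee "$APP_ID" --role Contributor --scope "$SCOPE" &&
    az_cmd role assignment delete --assignee "$APP_ID" --role Owner --scope "$SCOPE"
}

# List any Owner assignment the application still holds; expect none after the downgrade.
list_owner_assignments() {
  az_cmd role assignment list --assignee "$APP_ID" --role Owner --all --output table
}

# Usage: with_temporary_owner COMMAND [ARGS...]
# Owner is removed whether COMMAND succeeds or fails; COMMAND's exit status is returned.
with_temporary_owner() {
  grant_owner || return 1
  rc=0
  "$@" || rc=$?
  downgrade_to_contributor || return 1
  list_owner_assignments || return 1
  return "$rc"
}

# Pass the 'az aks create' options from the article as arguments (without the leading 'az').
if [ "$#" -gt 0 ]; then
  with_temporary_owner az_cmd "$@"
else
  echo "usage: [DRY_RUN=0] $0 aks create --resource-group ... --attach-acr ..."
fi
```

Run it once with the default DRY_RUN=1 to review the exact role changes before executing them with DRY_RUN=0.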
Issue/Introduction
Installation requires the application to have the Owner role only for the 'az aks create' command.