openshift · bscott-rh · May 14, 2025 · patrickdillon · May 21, 2025 · jinyunma
diff --git a/modules/installation-azure-create-resource-group-and-identity.adoc b/modules/installation-azure-create-resource-group-and-identity.adoc
@@ -19,7 +19,7 @@ endif::[]
 = Creating the Azure resource group
 
 ifdef::azure[]
-You must create a Microsoft Azure link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups[resource group] and an identity for that resource group. These are both used during the installation of your {product-title} cluster on Azure.
+You must create a Microsoft Azure link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups[resource group] before installing your {product-title} on {azure-first}.
 endif::azure[]
 ifdef::ash[]
 You must create a Microsoft Azure link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups[resource group]. This is used during the installation of your {product-title} cluster on Azure Stack Hub.
@@ -39,51 +39,6 @@ endif::ash[]
 $ az group create --name ${RESOURCE_GROUP} --location ${AZURE_REGION}
 ----
 
-ifdef::azure[]
-. Create an Azure identity for the resource group:
-+
-[source,terminal]
-----
-$ az identity create -g ${RESOURCE_GROUP} -n ${INFRA_ID}-identity
-----
-+
-This is used to grant the required access to Operators in your cluster. For
-example, this allows the Ingress Operator to create a public IP and its load
-balancer. You must assign the Azure identity to a role.
-
-. Grant the Contributor role to the Azure identity:
-
-.. Export the following variables required by the Azure role assignment:
-+
-[source,terminal]
-----
-$ export PRINCIPAL_ID=`az identity show -g ${RESOURCE_GROUP} -n ${INFRA_ID}-identity --query principalId --out tsv`
-----
-+
-[source,terminal]
-----
-$ export RESOURCE_GROUP_ID=`az group show -g ${RESOURCE_GROUP} --query id --out tsv`
-----
-
-.. Assign the Contributor role to the identity:
-+
-[source,terminal]
-----
-$ az role assignment create --assignee "${PRINCIPAL_ID}" --role 'Contributor' --scope "${RESOURCE_GROUP_ID}"
-----
-+
-[NOTE]
-====
-If you want to assign a custom role with all the required permissions to the identity, run the following command:
-[source,terminal]
-----
-$ az role assignment create --assignee "${PRINCIPAL_ID}" --role <custom_role> \ <1>
---scope "${RESOURCE_GROUP_ID}"
-----
-<1> Specifies the custom role name.
-====
-endif::azure[]
-
 ifeval::["{context}" == "installing-azure-user-infra"]
 :!azure:
 endif::[]

diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
@@ -1531,6 +1531,46 @@ within link:https://azure.microsoft.com/en-us/global-infrastructure/regions[a re
 |Enables the encryption of the virtual machine guest state for compute nodes. This parameter can only be used if you use Confidential VMs.
 |`VMGuestStateOnly` is the only supported value.
 
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        type:
+|The type of identity used for control plane virtual machine.
+The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines.
+Identity can only be set for control plane nodes.
+If you provide a user-assigned identity, the Azure account that you use to create the identity must have either the "User Access Administrator" or "RBAC Access Admin" roles.
+|`UserAssigned` or `None`.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          name:
+|The name of the user-assigned identity to attach to control plane machines.
+Only one user-assigned identity may be supplied.
+Supplying more than one user-assigned identity is an experimental feature which may be enabled with the `MachineAPIMigration` feature gate.
+|String.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          resourceGroup:
+|The resource group that contains the user-assigned identity.
+|String.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          subscription:
+|The subscription that contains the user-assigned identity.
+|String.
+
 |controlPlane:
   platform:
     azure:

diff --git a/modules/installation-creating-azure-bootstrap.adoc b/modules/installation-creating-azure-bootstrap.adoc
@@ -36,9 +36,6 @@ support with your installation logs.
 .Prerequisites
 
 * Create and configure networking and load balancers in {cp}.
-ifndef::ash[]
-* Create the {cp} identity and grant the appropriate roles.
-endif::ash[]
 
 .Procedure
 

diff --git a/modules/installation-creating-azure-service-principal.adoc b/modules/installation-creating-azure-service-principal.adoc
@@ -14,7 +14,7 @@ If you are unable to use a service principal, you can use a managed identity.
 
 * You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[{azure-short} CLI].
 * You have an {azure-short} subscription ID.
-* If you are not assigning the `Contributor` and `User Administrator Access` roles to the service principal, you have created a custom role with the required {azure-short} permissions.
+* If you are not assigning the `Contributor` role to the service principal, you have created a custom role with the required {azure-short} permissions.
 
 .Procedure
 
@@ -45,15 +45,4 @@ control. For more information, see https://aka.ms/azadsp-cli
 }
 ----
 +
-Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster.
-
-. If you assigned the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command:
-+
-[source,terminal]
-----
-$ az role assignment create --role "User Access Administrator" \
-  --assignee-object-id $(az ad sp show --id <appId> --query id -o tsv) <1>
-  --scope /subscriptions/<subscription_id> <2>
-----
-<1> Specify the `appId` parameter value for your service principal.
-<2> Specifies the subscription ID.
+Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster.
diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc
@@ -23,8 +23,6 @@ The following permissions are required for creating an {product-title} cluster o
 ====
 * `Microsoft.Authorization/policies/audit/action`
 * `Microsoft.Authorization/policies/auditIfNotExists/action`
-* `Microsoft.Authorization/roleAssignments/read`
-* `Microsoft.Authorization/roleAssignments/write`
 ====
 
 .Required permissions for creating compute resources
@@ -51,14 +49,6 @@ The following permissions are required for creating an {product-title} cluster o
 * `Microsoft.Compute/virtualMachines/write`
 ====
 
-.Required permissions for creating identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/write`
-====
-
 .Required permissions for creating network resources
 [%collapsible]
 ====
@@ -134,6 +124,13 @@ The following permissions are not required to create the private {product-title}
 * `Microsoft.Resources/subscriptions/resourcegroups/write`
 ====
 
+.Optional permissions for using a user-assigned identity
-.Optional permissions for using a user-assigned identity
+.Optional permissions for attaching an existing user-assigned identity to a node
-.Optional permissions for using a user-assigned identity
+.Optional permissions for attaching an existing user-assigned identity to a node
+[%collapsible]
+====
+* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
+====
+
 .Required permissions for creating resource tags
 [%collapsible]
 ====
@@ -235,12 +232,6 @@ The following permissions are not required to create the private {product-title}
 
 The following permissions are required for deleting an {product-title} cluster on {azure-full}. You can use the same permissions to delete a private {product-title} cluster on {azure-short}.
 
-.Required permissions for deleting authorization resources
-[%collapsible]
-====
-* `Microsoft.Authorization/roleAssignments/delete`
-====
-
 .Required permissions for deleting compute resources
 [%collapsible]
 ====
@@ -251,12 +242,6 @@ The following permissions are required for deleting an {product-title} cluster o
 * `Microsoft.Compute/virtualMachines/delete`
 ====
 
-.Required permissions for deleting identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/delete`
-====
-
 .Required permissions for deleting network resources
 [%collapsible]
 ====

diff --git a/modules/minimum-required-permissions-upi-azure.adoc b/modules/minimum-required-permissions-upi-azure.adoc
@@ -10,7 +10,7 @@ The installation program requires access to an Azure service principal or manage
 
 The following options are available to you:
 
-* You can assign the identity the `Contributor` and `User Access Administrator` roles. Assigning these roles is the quickest way to grant all of the required permissions.
+* You can assign the identity the `Contributor` role. Assigning this roles is the quickest way to grant all of the required permissions.
 +
 For more information about assigning roles, see the Azure documentation for link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[managing access to Azure resources using the Azure portal].
 * If your organization's security policies require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions.
@@ -22,8 +22,6 @@ The following permissions are required for creating an {product-title} cluster o
 ====
 * `Microsoft.Authorization/policies/audit/action`
 * `Microsoft.Authorization/policies/auditIfNotExists/action`
-* `Microsoft.Authorization/roleAssignments/read`
-* `Microsoft.Authorization/roleAssignments/write`
 ====
 
 .Required permissions for creating compute resources
@@ -53,13 +51,6 @@ The following permissions are required for creating an {product-title} cluster o
 * `Microsoft.Compute/virtualMachines/deallocate/action`
 ====
 
-.Required permissions for creating identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/write`
-====
 
 .Required permissions for creating network resources
 [%collapsible]
@@ -180,12 +171,6 @@ The following permissions are required for creating an {product-title} cluster o
 
 The following permissions are required for deleting an {product-title} cluster on Microsoft Azure.
 
-.Required permissions for deleting authorization resources
-[%collapsible]
-====
-* `Microsoft.Authorization/roleAssignments/delete`
-====
-
 .Required permissions for deleting compute resources
 [%collapsible]
 ====
@@ -197,12 +182,6 @@ The following permissions are required for deleting an {product-title} cluster o
 * `Microsoft.Compute/images/delete`
 ====
 
-.Required permissions for deleting identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/delete`
-====
-
 .Required permissions for deleting network resources
 [%collapsible]
 ====