8 changes: 4 additions & 4 deletions docs/howtos/traffic-manager-permissions-setup.md
Expand Up @@ -24,9 +24,9 @@ export MEMBER_IDENTITY_PRINCIPAL_ID=$(az identity show \
## Create the role assignment for the hub agent

### Create the role assignment for the hub agent to manage the Azure Traffic Manager
Assign role “[Traffic Manager Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/networking#traffic-manager-contributor)” to hub cluster identity at the Azure Traffic Manager resource group scope
Assign the “[Azure Kubernetes Fleet Manager Hub Agent Role](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-fleet-manager-hub-agent-role)” to the hub cluster identity at the Azure Traffic Manager resource group scope
```bash
az role assignment create --assignee "${HUB_IDENTITY_PRINCIPAL_ID}" --role "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7" --scope "/subscriptions/mySubscriptions/resourceGroups/MyAzureTrafficManagerResourceGroup"
az role assignment create --assignee "${HUB_IDENTITY_PRINCIPAL_ID}" --role "de2b316d-7a2c-4143-b4cd-c148f6a355a1" --scope "/subscriptions/mySubscriptions/resourceGroups/MyAzureTrafficManagerResourceGroup"
```

### Create the role assignment for the hub agent to read the public IP address used by the member cluster
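Review bot: The added `az role assignment create` line identifies the role only by GUID (`--role "de2b316d-7a2c-4143-b4cd-c148f6a355a1"`), so a reader cannot confirm from the command itself that this is the "Azure Kubernetes Fleet Manager Hub Agent Role" named in the sentence above it. Consider passing the role name to `--role`, or adding a comment line inside the bash block that ties the GUID to the role name. The `--scope` value on the same line still uses `mySubscriptions` where a subscription ID belongs; a placeholder such as `<subscription-id>` would be harder to paste unchanged by mistake.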
Expand All @@ -35,10 +35,10 @@ Grant Public IP address read permission to the hub cluster identity so that the

> Note: You can create your own customized role to restrict access or restrict the scope based on your security requirements.

For example, the following command grants the “[Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader)” to the hub cluster identity at the resource group of the public ip scope for testing purpose.
For example, the following command grants the “[Azure Kubernetes Fleet Manager Hub Agent Role](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-fleet-manager-hub-agent-role)” to the hub cluster identity at the resource group of the public ip scope for testing purpose.

```bash
az role assignment create --assignee "${HUB_IDENTITY_PRINCIPAL_ID}" --role "acdd72a7-3385-48ef-bd42-f606fba81ae7" --scope "/subscriptions/mySubscriptions/resourceGroups/MyPIPResourceGroup"
az role assignment create --assignee "${HUB_IDENTITY_PRINCIPAL_ID}" --role "de2b316d-7a2c-4143-b4cd-c148f6a355a1" --scope "/subscriptions/mySubscriptions/resourceGroups/MyPIPResourceGroup"
```

## Create the role assignment for the member agent
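Review bot: The changed command in this hunk assigns the same role GUID (`de2b316d-7a2c-4143-b4cd-c148f6a355a1`) that the earlier hunk uses for managing the Azure Traffic Manager, yet this section is about granting read permission on the public IP address and the text it replaces used "Reader". Please state which actions this role allows at the `MyPIPResourceGroup` scope, so readers can judge whether the assignment is narrower or broader than Reader there; the note about customized roles just above the changed sentence is a natural place for that. Wording nits on the added sentence: "grants the ... role to", "public IP", and "for testing purposes".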