OSDOCS-13798 Modifying azure identity params with new default behavior

bscott-rh · bscott-rh · commit deca39aa75cc · 2025-06-05T22:30:30.000-04:00
diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
@@ -1462,6 +1462,30 @@ within link:https://azure.microsoft.com/en-us/global-infrastructure/regions[a re
 |The version number of the image SKU. If you use `compute.platform.azure.osImage.publisher`, this field is required.
 |String. The version of the image to use.
 
+|compute:
+  platform:
+    azure:
+      identity:
+        type:
+|The type of identity used for compute virtual machines.
+The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to compute virtual machines.
+If you specify `identity.type` as `UserAssigned`, but do not provide a user-assigned identity, the installation program creates the identity.
+If you provide a user-assigned identity, the Azure account that you use to create the identity must have either the "User Access Administrator" or "RBAC Access Admin" roles.
+|`UserAssigned` or `None`. If you do not specify a value, the installation program generates a user-assigned identity.
+
+|compute:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+        - name:
+          resourceGroup:
+          subscription:
+|A group of parameters that specify the name of the user-assigned identity, and the resource group and subscription that contain the identity. All three values must be provided to specify a user-assigned identity.
+Only one user-assigned identity can be supplied.
+Supplying more than one user-assigned identity is an experimental feature, which may be enabled with the `MachineAPIMigration` feature gate.
+|Array of strings.
+
 |compute:
   platform:
     azure:
@@ -1540,6 +1564,30 @@ within link:https://azure.microsoft.com/en-us/global-infrastructure/regions[a re
 |Enables the encryption of the virtual machine guest state for compute nodes. This parameter can only be used if you use Confidential VMs.
 |`VMGuestStateOnly` is the only supported value.
 
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        type:
+|The type of identity used for control plane virtual machines.
+The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines.
+If you specify `identity.type` as `UserAssigned`, but do not provide a user-assigned identity, the installation program creates the identity.
+If you provide a user-assigned identity, the Azure account that you use to create the identity must have either the "User Access Administrator" or "RBAC Access Admin" roles.
+|`UserAssigned` or `None`. If you do not specify a value, the installation program generates a user-assigned identity.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+        - name:
+          resourceGroup:
+          subscription:
+|A group of parameters that specify the name of the user-assigned identity, and the resource group and subscription that contain the identity. All three values must be provided to specify a user-assigned identity.
+Only one user-assigned identity can be supplied.
+Supplying more than one user-assigned identity is an experimental feature, which may be enabled with the `MachineAPIMigration` feature gate.
+|Array of strings.
+
 |controlPlane:
   platform:
     azure:
@@ -1659,6 +1707,30 @@ within link:https://azure.microsoft.com/en-us/global-infrastructure/regions[a re
 |Enables the vTPM feature on all nodes if you are using trusted launch.
 |`Enabled` or `Disabled`. The default is `Disabled`.
 
+|platform:
+  azure:
+    defaultMachinePlatform:
+      identity:
+        type:
+|The type of identity used for all virtual machines.
+The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to all virtual machines.
+If you specify `identity.type` as `UserAssigned`, but do not provide a user-assigned identity, the installation program creates the identity.
+If you provide a user-assigned identity, the Azure account that you use to create the identity must have either the "User Access Administrator" or "RBAC Access Admin" roles.
+|`UserAssigned` or `None`. If you do not specify a value, the installation program generates a user-assigned identity.
+
+|platform:
+  azure:
+    defaultMachinePlatform:
+      identity:
+        userAssignedIdentities:
+        - name:
+          resourceGroup:
+          subscription:
+|A group of parameters that specify the name of the user-assigned identity, and the resource group and subscription that contain the identity. All three values must be provided to specify a user-assigned identity.
+Only one user-assigned identity can be supplied.
+Supplying more than one user-assigned identity is an experimental feature, which may be enabled with the `MachineAPIMigration` feature gate.
+|Array of strings.
+
 |platform:
   azure:
     defaultMachinePlatform:
diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc
@@ -12,6 +12,8 @@ The following options are available to you:
 
 * You can assign the identity the `Contributor` and `User Access Administrator` roles, which grant all of the required permissions.
 +
+If you set `identity.type` to `None` in the `install-config.yaml` file, you do not need to assign the `User Access Administrator` role to the service principal.
++
 For more information about assigning roles, see the Azure documentation for link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[managing access to Azure resources using the Azure portal].
 
 * If the security policies of your organization require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions.
@@ -27,6 +29,26 @@ The following permissions are required for creating an {product-title} cluster o
 * `Microsoft.Authorization/roleAssignments/write`
 ====
 
+[IMPORTANT]
+====
+The following permissions are not required if you set `identity.type` to `None` in the `install-config.yaml` file:
+
+* `Microsoft.Authorization/roleAssignments/read`
+* `Microsoft.Authorization/roleAssignments/write`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/write`
+* `Microsoft.Authorization/roleAssignments/delete`
+
+The following permissions are not required if you set `identity.type` to `UserAssigned` in the `install-config.yaml` file and provide a user-assigned identity:
+
+* `Microsoft.Authorization/roleAssignments/read`
+* `Microsoft.Authorization/roleAssignments/write`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/write`
+* `Microsoft.Authorization/roleAssignments/delete`
+
+====
+
 .Required permissions for creating compute resources
 [%collapsible]
 ====
@@ -134,6 +156,13 @@ The following permissions are not required to create the private {product-title}
 * `Microsoft.Resources/subscriptions/resourcegroups/write`
 ====
 
+.Optional permissions for attaching an existing user-assigned identity to a node
+[%collapsible]
+====
+* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
+====
+
 .Required permissions for creating resource tags
 [%collapsible]
 ====
