OSDOCS-13798 Adding user-specified identities to Azure

modules/installation-azure-permissions.adoc

@@ -10,11 +10,7 @@
 
 Before you create the identity, verify that your environment meets the following requirements based on the identity:
 
-* The Azure account that you use to create the identity is assigned the `User Access Administrator` and `Contributor` roles. These roles are required when:
-
-** Creating a service principal or user-assigned managed identity.
-
-** Enabling a system-assigned managed identity on a virtual machine.
+* The Azure account that you use to create the identity is assigned the `Contributor` role.
 
 * If you are going to use a service principal to complete the installation, verify that the Azure account that you use to create the identity is assigned the `microsoft.directory/servicePrincipals/createAsOwner` permission in Microsoft Entra ID.
 

modules/installation-configuration-parameters.adoc

@@ -1514,6 +1514,46 @@ within link:https://azure.microsoft.com/en-us/global-infrastructure/regions[a re
 |Enables the encryption of the virtual machine guest state for compute nodes. This parameter can only be used if you use Confidential VMs.
 |`VMGuestStateOnly` is the only supported value.
 
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        type:
+|The type of identity used for control plane virtual machine.
+The `UserAssigned` identity is a standalone Azure resource provided by the user and assigned to control plane virtual machines.
+Identity can only be set for control plane nodes.
+If you provide a user-assigned identity, the Azure account that you use to create the identity must have either the "User Access Administrator" or "RBAC Access Admin" roles.
+|`UserAssigned` or `None`.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          name:
+|The name of the user-assigned identity to attach to control plane machines.
+Only one user-assigned identity may be supplied.
+Supplying more than one user-assigned identity is an experimental feature which may be enabled with the `MachineAPIMigration` feature gate.
+|String.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          resourceGroup:
+|The resource group that contains the user-assigned identity.
+|String.
+
+|controlPlane:
+  platform:
+    azure:
+      identity:
+        userAssignedIdentities:
+          subscription:
+|The subscription that contains the user-assigned identity.
+|String.
+
 |controlPlane:
   platform:
     azure:

modules/installation-creating-azure-service-principal.adoc

@@ -14,7 +14,7 @@ If you are unable to use a service principal, you can use a managed identity.
 
 * You have installed or updated the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[{azure-short} CLI].
 * You have an {azure-short} subscription ID.
-* If you are not assigning the `Contributor` and `User Administrator Access` roles to the service principal, you have created a custom role with the required {azure-short} permissions.
+* If you are not assigning the `Contributor` role to the service principal, you have created a custom role with the required {azure-short} permissions.
 
 .Procedure
 
@@ -45,15 +45,4 @@ control. For more information, see https://aka.ms/azadsp-cli
 }
 ----
 +
-Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster.
-
-. If you assigned the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command:
-+
-[source,terminal]
-----
-$ az role assignment create --role "User Access Administrator" \
-  --assignee-object-id $(az ad sp show --id <appId> --query id -o tsv) <1>
-  --scope /subscriptions/<subscription_id> <2>
-----
-<1> Specify the `appId` parameter value for your service principal.
-<2> Specifies the subscription ID.
+Record the values of the `appId` and `password` parameters from the output. You require these values when installing the cluster.

modules/minimum-required-permissions-ipi-azure.adoc

@@ -23,8 +23,6 @@ The following permissions are required for creating an {product-title} cluster o
 ====
 * `Microsoft.Authorization/policies/audit/action`
 * `Microsoft.Authorization/policies/auditIfNotExists/action`
-* `Microsoft.Authorization/roleAssignments/read`
-* `Microsoft.Authorization/roleAssignments/write`
 ====
 
 .Required permissions for creating compute resources
@@ -51,14 +49,6 @@ The following permissions are required for creating an {product-title} cluster o
 * `Microsoft.Compute/virtualMachines/write`
 ====
 
-.Required permissions for creating identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/read`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/write`
-====
-
 .Required permissions for creating network resources
 [%collapsible]
 ====
@@ -235,12 +225,6 @@ The following permissions are not required to create the private {product-title}
 
 The following permissions are required for deleting an {product-title} cluster on {azure-full}. You can use the same permissions to delete a private {product-title} cluster on {azure-short}.
 
-.Required permissions for deleting authorization resources
-[%collapsible]
-====
-* `Microsoft.Authorization/roleAssignments/delete`
-====
-
 .Required permissions for deleting compute resources
 [%collapsible]
 ====
@@ -251,12 +235,6 @@ The following permissions are required for deleting an {product-title} cluster o
 * `Microsoft.Compute/virtualMachines/delete`
 ====
 
-.Required permissions for deleting identity management resources
-[%collapsible]
-====
-* `Microsoft.ManagedIdentity/userAssignedIdentities/delete`
-====
-
 .Required permissions for deleting network resources
 [%collapsible]
 ====