
Azure Kubernetes Setup - Prerequisites for Codiac on AKS | Setup Guide

Before you use Codiac with Azure, you need the following:

  • An Azure user account with credentials.
  • An Azure subscription with permission to create AKS clusters.
  • A CSP Tenant Profile (App Registration) configured for Codiac — see full setup below.
  • Optional: An Azure Container Registry (ACR) for hosting your container images.

Quick Start

The fastest route is to have a Global Administrator run the CSP Tenant Profile setup script. This creates the App Registration and assigns all needed roles in one step.

Danger: Having a Global Administrator perform the setup is fine for getting started. For production, follow least privilege by assigning only the specific Entra ID roles and Azure RBAC roles documented below.

Required Entra ID Roles

The user who creates clusters through Codiac needs these Entra ID directory roles:

  • Cloud Application Administrator: Codiac creates a dedicated Service Principal for each AKS cluster. This role grants the ability to create and manage App Registrations and Service Principals.
  • Privileged Role Administrator: Required to grant tenant-wide admin consent on the API permissions that the Codiac App Registration needs.

Both roles are highly privileged in their own right: Cloud Application Administrator can add credentials to any application in the tenant, and Privileged Role Administrator can assign any directory role. Where your licensing allows it, grant them through Privileged Identity Management with just-in-time activation rather than as permanent assignments.

Info: Users who only deploy applications (not create clusters) do not need these elevated roles. They just need access to the Codiac platform and the appropriate Codiac RBAC permissions.

Required Azure RBAC Roles

The Codiac Relay App Registration (Service Principal) needs these Azure resource roles, assigned at the scope of the resource itself:

  • Each subscription: Azure Kubernetes Service Cluster Admin (create, manage, list, and access AKS clusters).
  • Each ACR: Reader, AcrPull, AcrPush, AcrDelete (read, pull, push, and clean up container images).
  • Each Key Vault: Key Vault Reader (read secrets and certificates).

Two checks worth making when you assign these. First, confirm the definition of each role with `az role definition list --name "<role name>"` and compare its actions with the ARM actions listed on the CSP Tenant Profile page; if the subscription-level role you assign is the built-in Azure Kubernetes Service Cluster Admin Role, be aware that it grants cluster read and credential retrieval (listClusterAdminCredential) but not Microsoft.ContainerService/managedClusters/write, which cluster creation requires. Second, the built-in Key Vault Reader role covers vault and object metadata only; on an RBAC-enabled vault, reading secret contents additionally needs a data-plane role such as Key Vault Secrets User.
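Because ARM role assignments inherit downward, the table above is easy to over-satisfy: a Contributor grant at subscription scope covers every ACR and Key Vault beneath it, which is exactly what least privilege is meant to avoid. The script below is an added example, not the Codiac verification script from the CSP Tenant Profile page. It reads the JSON that `az role assignment list --all --assignee <relay-object-id> -o json` produces (an assumed invocation; only the `scope` and `roleDefinitionName` fields are used), checks each resource you name against the roles listed above while honouring inheritance, and flags broad roles granted at subscription scope. The subscription ID and the rg-codiac, acrcodiac and kv-codiac names in the embedded sample are constructed placeholders, and the comparison is by role name, not by ARM action.

```python
"""Check a Codiac Relay principal's Azure RBAC assignments against this page's table.

Usage:
    python check_relay_rbac.py assignments.json <scope> [<scope> ...]
With no arguments it runs against the constructed sample at the bottom.
"""
import json
import sys

# Roles this page's RBAC table requires on each kind of resource.
REQUIRED = {
    "subscription": {"Azure Kubernetes Service Cluster Admin"},
    "acr": {"Reader", "AcrPull", "AcrPush", "AcrDelete"},
    "keyvault": {"Key Vault Reader"},
}

# Broad roles that, if granted anywhere, give the relay far more than the table asks for.
OVERBROAD = {"Owner", "Contributor", "User Access Administrator"}


def scope_kind(scope):
    """Classify an ARM scope string as 'subscription', 'acr', 'keyvault', or None."""
    s = scope.lower()
    if "/providers/microsoft.containerregistry/registries/" in s:
        return "acr"
    if "/providers/microsoft.keyvault/vaults/" in s:
        return "keyvault"
    if s.startswith("/subscriptions/") and s.count("/") == 2:
        return "subscription"
    return None


def covers(assigned_scope, resource_scope):
    """True if an assignment at assigned_scope applies to resource_scope.

    ARM inherits assignments downward: subscription -> resource group -> resource.
    """
    a = assigned_scope.lower().rstrip("/") + "/"
    r = resource_scope.lower().rstrip("/") + "/"
    return r.startswith(a)


def effective_roles(assignments, resource_scope):
    """Role names that apply to resource_scope directly or by inheritance."""
    return {a["roleDefinitionName"] for a in assignments if covers(a["scope"], resource_scope)}


def check(assignments, resources):
    """Return {'missing': {scope: roles}, 'overbroad': {scope: roles}} for the given resources."""
    missing, overbroad = {}, {}
    for res in resources:
        kind = scope_kind(res)
        if kind is None:
            raise ValueError(f"unrecognised scope: {res}")
        gap = REQUIRED[kind] - effective_roles(assignments, res)
        if gap:
            missing[res] = gap
    # Over-broad grants are reported where they were assigned, not where they are inherited.
    for a in assignments:
        if a["roleDefinitionName"] in OVERBROAD:
            overbroad.setdefault(a["scope"], set()).add(a["roleDefinitionName"])
    return {"missing": missing, "overbroad": overbroad}


# Constructed sample (not real data): the two fields the checker uses from
# `az role assignment list --all --assignee <id> -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACR = SUB + "/resourceGroups/rg-codiac/providers/Microsoft.ContainerRegistry/registries/acrcodiac"
KV = SUB + "/resourceGroups/rg-codiac/providers/Microsoft.KeyVault/vaults/kv-codiac"
SAMPLE_ASSIGNMENTS = [
    {"scope": SUB, "roleDefinitionName": "Azure Kubernetes Service Cluster Admin"},
    {"scope": SUB, "roleDefinitionName": "Contributor"},  # over-broad, inherited by ACR and KV
    {"scope": ACR, "roleDefinitionName": "Reader"},
    {"scope": ACR, "roleDefinitionName": "AcrPull"},
    {"scope": ACR, "roleDefinitionName": "AcrPush"},
    # AcrDelete on the ACR and Key Vault Reader on the vault are deliberately absent.
]
SAMPLE_RESOURCES = [SUB, ACR, KV]


def main(argv):
    if len(argv) >= 3:
        with open(argv[1]) as f:
            assignments = json.load(f)
        resources = argv[2:]
    else:
        assignments, resources = SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES
    result = check(assignments, resources)
    for scope, roles in result["missing"].items():
        print(f"MISSING   {scope}: {', '.join(sorted(roles))}")
    for scope, roles in result["overbroad"].items():
        print(f"OVERBROAD {scope}: {', '.join(sorted(roles))}")
    return 1 if result["missing"] or result["overbroad"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample the script reports AcrDelete missing on the registry, Key Vault Reader missing on the vault, and Contributor as over-broad at subscription scope; it exits non-zero in either case so it can gate a pipeline. Name matching means a custom role with the same actions under a different name would show as missing, so treat the output as a prompt to compare ARM actions, not as the final word.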

Least Privilege

Warning: Azure privilege settings and Entra ID role definitions can change. We cannot provide support for navigating the Azure IAM or Entra systems. The information below is accurate as of February 2026.

For production usage, follow the principle of least privilege. The CSP Tenant Profile page documents every Azure permission Codiac requires, broken down by:

  • Entra ID directory roles — for the user creating clusters
  • OAuth2 delegated scopes — configured on the App Registration
  • Azure RBAC roles — assigned to the Codiac Relay principal
  • ARM actions — the specific Azure Resource Manager operations each role enables
  • MS Graph permissions — for creating per-cluster Service Principals

The page also provides:

  • A setup script you can copy, fill in your values, and run to create the App Registration and assign all roles.
  • A verification script to check whether your existing setup has all the permissions Codiac needs.

Full Setup Guide

See Azure CSP Tenant Profile Setup for the complete walkthrough including:

  • Why Codiac uses an App Registration (and what that means vs. Enterprise Applications)
  • How the two-identity model works (platform identity vs. per-cluster identity)
  • Manual portal setup steps
  • Automated CLI scripts for setup and verification
  • Troubleshooting common permission errors