Azure Subscription ☁️

Komodor's Azure integration discovers your AKS clusters and pulls read-only metadata so you can view workload health, costs, and right-sizing recommendations without granting write access.


How it works

You create an Azure App Registration (service principal) with the built-in Reader role on your subscription, then hand the credentials to Komodor. Komodor stores the client secret encrypted and uses it only to list and describe your AKS resources.


Prerequisites

- Azure CLI installed — `az --version`
- Owner or User Access Administrator on the target subscription
- Active `az` login — `az login`
- A Komodor API key (find it under Settings → API Keys)


Setup

Option 1 — Automated setup script


Download and run the script. It creates the app registration, assigns the Reader role, and registers the integration in one step.
 
bash
bash setup-azure-integration.sh \
--subscription-id <your-subscription-id> \
--komodor-api-key <your-api-key>
 
For multiple subscriptions, need to run it separately for each subscription.
 
Optional flags:
 
FlagDescriptionDefault
--subscription-idAzure subscription IDrequired
--komodor-api-keyKomodor API keyrequired
--account-nameDisplay name in Komodor Subscription display name
--tenant-idAzure tenant IDCurrent `az login` tenant 
 

Option 2 — Azure CLI (step by step)

 

Set your subscription

bash
az account set --subscription <your-subscription-id>
 


Create the app registration

bash
APP_ID=$(az ad app create --display-name "komodor" --query appId -o tsv)
echo "App ID: $APP_ID"
 


Create a service principal

bash
az ad sp create --id "$APP_ID"

 

Create a client secret

bash
az ad app credential reset --id "$APP_ID" --years 2
 
This outputs three values — save them all:
Output field Komodor field
appIdclientId
passwordclientSecret (shown once only)
tenanttenantId
 

Assign the Reader role on the subscription

bash
az role assignment create \
--assignee "$APP_ID" \
--role "Reader" \
--scope "/subscriptions/<your-subscription-id>"
 

Register the integration

bash
curl -X POST https://api.komodor.com/api/v2/integrations/azure \
-H "X-API-KEY: <your-api-key>" \
-H "Content-Type: application/json" \
-d '{
"accountName": "<display-name>",
"tenantId": "<tenant-id>",
"clientId": "<app-id>",
"clientSecret": "<client-secret>",
"subscriptionId": "<your-subscription-id>"
}'


Option 3 — Azure Portal

1. Go to Azure Active Directory → App registrations → New registration
- Name: `komodor`
- Supported account types: Accounts in this organizational directory only
- Click Register
 
2. On the app's overview page, note the Application (client) ID and Directory (tenant) ID
 
3. Go to Certificates & secrets → New client secret
- Description: `komodor`
- Expiry: 24 months
- Click Add — copy the Value immediately (it won't be shown again)
 
4. Go to Subscriptions → [your subscription] → Access control (IAM) → Add role assignment**
- Role: `Reader`
- Assign access to: User, group, or service principal
- Search for and select your `komodor` app registration
- Click Review + assign
 
5. Register the integration via the API (same `curl` command as Option 2, step 6)

 

Verify the connection 

A successful `POST` returns `HTTP 201` with an integration ID and initial status:
{
"id": "...",
"status": "connected",
"verificationStatus": "pending"
}
 
`verificationStatus` transitions to `verified` within 2–3 minutes. Poll with:
 
bash
curl https://api.komodor.com/api/v2/integrations/azure/<integration-id> \
-H "X-API-KEY: <your-api-key>" \
| python3 -m json.tool
 

Required permissions

The built-in Reader role covers everything Komodor needs. If your security policy requires a custom role, the minimum permissions are:

 

PermissionPurpose
Microsoft.ContainerService/managedClusters/readDiscover and read AKS clusters
Microsoft.ContainerService/managedClusters/agentPools/readRead node pool details
Microsoft.Resources/subscriptions/resourceGroups/readEnumerate resource groups
Microsoft.Authorization/roleAssignments/readValidate role assignments


Troubleshooting 

`verificationStatus` stays `pending` after 5 minutes
Role assignments can take a few minutes to propagate. If it stays `pending` past 10 minutes, confirm the Reader role is assigned at the subscription scope (not a resource group or individual resource).
 
`HTTP 401 Unauthorized`
The `X-API-KEY` header is missing or the key is invalid. Verify your API key under **Settings → API Keys**.
 
`HTTP 422 All checks failed`
The credentials are invalid, or the Reader role hasn't propagated yet. Double-check `tenantId`, `clientId`, `clientSecret`, and `subscriptionId`, then wait 2 minutes and retry.
 
`HTTP 409 Conflict`
An integration for this subscription already exists. Remove the existing one first via `DELETE /api/v2/integrations/azure/<id>`, then retry.


 

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.