From 6d9ca717d19efe7fea97aa49faac2e7b8e3a2430 Mon Sep 17 00:00:00 2001 From: Jusong Yu Date: Tue, 13 Feb 2024 12:11:28 +0100 Subject: [PATCH] Update the README --- README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1fb5118..e99f497 100644 --- a/README.md +++ b/README.md @@ -216,4 +216,15 @@ The CI workflow requires login to the Azure account, and we use OpenID Connect t Go to the entra.microsoft.com and navigate to the `aiidalab-sp` -> `Certificates & secrets` -> `Fedrated credentials`. Set credentials for the GitHub production and staging environments. -On the GitHub repository, the secrets are set for `production` and `staging` environments respectively. \ No newline at end of file +On the GitHub repository, the secrets are set for `production` and `staging` environments respectively. + +The `aiidalab-sp` was only assigned the Contributor role for the VNet, and it is not yet assigned to the resource group. This is to avoid the service principal to have too much access to the resources. + +To get the kube credentials, the `aiidalab-sp` should be assigned to cluster `demo-server` as well. + +```bash +az ad sp create-for-rbac \ + --name aiidalab-sp \ + --role Contributor \ + --scopes /subscriptions//resourcegroups/aiidalab_demo_server_marvel/providers/Microsoft.ContainerService/managedClusters/demo-server $VNET_ID \ +``` \ No newline at end of file
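Review bot: In the added `az ad sp create-for-rbac` block, the last line `--scopes ... $VNET_ID \` ends with a line continuation directly before the closing fence, so a reader who pastes the command gets a shell waiting for more input; drop the trailing `\`. The scope path also reads `/subscriptions//resourcegroups/...` with an empty subscription segment. If the ID is deliberately left out, write it as a visible placeholder such as `<subscription-id>`, and say where `$VNET_ID` is defined, since neither is set anywhere in this hunk. On the access side, the new paragraph says the narrow VNet-only assignment exists to keep the service principal from having too much access, yet the command grants `Contributor` on the whole `demo-server` managed cluster just to fetch kube credentials. The built-in "Azure Kubernetes Service Cluster User Role" is enough to list cluster user credentials and would match the stated least-privilege intent better. Because `aiidalab-sp` already exists and the workflow logs in through OpenID Connect federated credentials, consider documenting `az role assignment create` for this step instead: running `create-for-rbac` again against an existing name issues a new client secret that the OIDC setup has no use for. Minor wording: "avoid the service principal to have too much access" reads better as "avoid giving the service principal too much access", and the file still ends without a trailing newline.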