I need to grant a process (build pipeline) RBAC access to AKS API for deployment purposes. But the target AKS cluster has AAD integration active (as described here)
I was expecting to be able to access the AKS APIs with a simple Service Principal, but I'm redirected to a devicelogin page:
$ az login --service-principal --username [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX --password [REDACTED]XXxxXXxxXXxxxXXXxxXXxxXXxx= --tenant [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX
$ az aks get-credentials -n oli-aksdemo01 -g oli-aksdemo01
Merged "oli-aksdemo01" as current context in /home/olivier/.kube/config
$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code C2NP77EGR to authenticate.
:-(
Is there a way to avoid the devicelogin page when authenticating a Service Principal on an AAD-integrated AKS cluster on Azure?
For anyone out there who still needs this.
I solved the same issue for my Jenkins pipeline. All you have to do is create a service principal with the cluster scope or subscription. You should be fine.
Unlike @Festus Fashola's answer, which works simply because it's using the --admin flag in the command, which bypasses AAD verification (not what the OP was asking), the correct way of doing this now is using KubeLogin, which allows service principal non-interactive authentication: https://github.com/Azure/kubelogin#service-principal-login-flow-non-interactive
Usage example:
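Putting the kubelogin service-principal flow into a pipeline script, as an added example that is not from the original thread or from the kubelogin project: it assumes placeholder variables SP_APP_ID, SP_SECRET, TENANT_ID, SP_OBJECT_ID, RG, CLUSTER and NAMESPACE, that az, kubelogin and kubectl are installed, and that AKS AAD RBAC identifies a service principal by its object ID in the RoleBinding subject.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread): non-interactive service
# principal login to an AAD-integrated AKS cluster with kubelogin's "spn"
# flow, plus a narrowly scoped Kubernetes RBAC binding for that principal.
# Assumed inputs (placeholders, not real values): SP_APP_ID, SP_SECRET,
# TENANT_ID, SP_OBJECT_ID, RG, CLUSTER, NAMESPACE.

# kubelogin reads the SP credentials from these two variables; refuse to
# continue without them rather than falling back to the devicelogin prompt.
require_sp_env() {
    [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_ID:-}" ] || return 1
    [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_SECRET:-}" ] || return 1
    return 0
}

aks_sp_login() {
    export AAD_SERVICE_PRINCIPAL_CLIENT_ID="$SP_APP_ID"
    export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="$SP_SECRET"
    require_sp_env || { echo "missing SP credentials" >&2; return 1; }

    az login --service-principal -u "$SP_APP_ID" -p "$SP_SECRET" \
        --tenant "$TENANT_ID" >/dev/null
    # Deliberately NOT --admin: that would fetch the cluster-admin
    # credential and bypass AAD entirely.
    az aks get-credentials -n "$CLUSTER" -g "$RG"
    # Rewrite the kubeconfig user entry into a kubelogin exec plugin that
    # authenticates with the SP env vars instead of the device-code flow.
    kubelogin convert-kubeconfig -l spn
}

# Bind the SP (by object ID, an assumption about how AKS AAD RBAC names
# service principals) to the built-in "edit" role in one namespace only.
grant_deploy_rbac() {
    kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pipeline-deployer, namespace: "$NAMESPACE"}
subjects:
- {kind: User, name: "$SP_OBJECT_ID", apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: edit, apiGroup: rbac.authorization.k8s.io}
EOF
}
```

In the pipeline, call aks_sp_login once and then run kubectl as usual; grant_deploy_rbac is run once by a cluster administrator, not by the pipeline itself.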
TL;DR: It is not possible, yet.
I asked the very same question to Azure support and here is their answer: