Cannot setup a Kubernetes Service Connection without enabling local accounts

Ana Louro 36 Reputation points
2022-10-14T11:13:37.973+00:00

I have created a new dev cluster with Azure AD authentication and Azure RBAC for authentication and authorization purposes - as I assumed it would be more effective in managing access to the cluster.

However, I have come across some challenges and one of them is that I can't create a Kubernetes Service Connection for a pipeline in DevOps.
I can load the subscription name, then the cluster name, but I can't access the namespace name.

See image below:

250469-aks.png

With the following error:
Uncaught (in promise) TFS.WebApi.Exception: Error while fetching cluster credentials. Make sure you have clusterAdmin permissions on the cluster. Error from external server: Failed to query service connection API: 'https://management.azure.com/subscriptions/*****/resourcegroups/*****/providers/Microsoft.ContainerService/managedClusters/*****/accessProfiles/clusterAdmin/listCredential?api-version=2018-03-31'. Status Code: 'BadRequest', Response from server: '{
"code": "BadRequest",
"message": "Getting static credential is not allowed because this cluster is set to disable local accounts.",
"subcode": ""
}'
at t.Fetch.issueRequest (https://cdn.vsassets.io/ext/ms.vss-web/platform-content/ms.vss-web.platform-content.es6.B3ZnRz.min.js:1:13449)
at async o._issueRequest (https://cdn.vsassets.io/ext/ms.vss-web/platform-content/ms.vss-web.platform-content.es6.B3ZnRz.min.js:1:21157)

Based on this error I have granted the cluster all the available admin roles in the Azure Portal and I have also created an admin permissions in CLI to match the error: subscriptions/*****/resourcegroups/*****/providers/Microsoft.ContainerService/managedClusters/*****/accessProfiles/clusterAdmin/listCredential

But nothing has worked so far.

Has someone had this issue before? How to go around it?

Thank you :)

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,884 questions
0 comments No comments
{count} votes

Accepted answer
  1. KarishmaTiwari-MSFT 18,627 Reputation points Microsoft Employee
    2022-11-10T03:01:13.823+00:00

    Sharing the resolution that Customer received from the support team so that it can help others in the community:

    In order to create Service Connections in DevOps, no matter what type of cluster configuration you have, local accounts need to be enabled, otherwise it is not possible to create a DevOps Service Connection.

    1 person found this answer helpful.

6 additional answers

Sort by: Most helpful
  1. SUNOJ KUMAR YELURU 13,956 Reputation points MVP
    2022-10-14T15:32:08.78+00:00

    Hi @Ana Louro

    Thanks for using Q & A forum.

    You required to assign permissions to the below two built-in roles

    • Azure Kubernetes Service Cluster Admin Role
      Allows access to Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call. This API call lists the cluster admin credentials.
    • Azure Kubernetes Service Cluster User Role
      Allows access to Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call. This API call lists the cluster user credentials.

    To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group.

    -----

    If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.


  2. Ana Louro 36 Reputation points
    2022-10-31T16:23:23.567+00:00

    Hi @SUNOJ KUMAR YELURU ,

    Thank you for your answer - I'm sorry it has taken me this long to reply.

    I have tried to assign both roles Azure Kubernetes Service Cluster Admin Role + Azure Kubernetes Service Cluster User Role to my user in order to access the namespace when creating the Kubernetes Service Connection - the roles were added successfully by following the commands on the link suggested:

    Get the resource ID of your AKS cluster
    AKS_CLUSTER=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query id -o tsv)

    Get the account credentials for the logged in user
    ACCOUNT_UPN=$(az account show --query user.name -o tsv)
    ACCOUNT_ID=$(az ad user show --id $ACCOUNT_UPN --query objectId -o tsv)

    Assign the 'Cluster Admin' role to the user
    az role assignment create \
    --assignee $ACCOUNT_ID \
    --scope $AKS_CLUSTER \
    --role "Azure Kubernetes Service Cluster Admin Role"

    However, the issue persists, and I'm still getting the error:
    Uncaught (in promise) TFS.WebApi.Exception: Error while fetching cluster credentials. Make sure you have clusterAdmin permissions on the cluster. Error from external server: Failed to query service connection API: 'https://management.azure.com/subscriptions/xxxx/resourcegroups/xxxx/providers/Microsoft.ContainerService/managedClusters/xxxx/accessProfiles/clusterAdmin/listCredential?api-version=2018-03-31'. Status Code: 'BadRequest', Response from server: '{
    "code": "BadRequest",
    "message": "Getting static credential is not allowed because this cluster is set to disable local accounts.",
    "subcode": ""
    }'

    0 comments No comments

  3. Sebastian Pacheco 136 Reputation points
    2024-03-01T18:10:18.3633333+00:00

    Is there still the same problem? Is there a solution other than using local accounts?

    0 comments No comments

  4. Sebastian Pacheco 136 Reputation points
    2024-03-04T16:36:07.4333333+00:00

    Is there still the same problem? Is there a solution other than using local accounts?

    0 comments No comments