This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 9%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
I have created a new dev cluster with Azure AD authentication and Azure RBAC for authentication and authorization purposes - as I assumed it would be more effective in managing access to the cluster.
However, I have come across some challenges and one of them is that I can't create a Kubernetes Service Connection for a pipeline in DevOps.
I can load the subscription name, then the cluster name, but I can't access the namespace name.
See image below:
With the following error:
Uncaught (in promise) TFS.WebApi.Exception: Error while fetching cluster credentials. Make sure you have clusterAdmin permissions on the cluster. Error from external server: Failed to query service connection API: 'https://management.azure.com/subscriptions/*****/resourcegroups/*****/providers/Microsoft.ContainerService/managedClusters/*****/accessProfiles/clusterAdmin/listCredential?api-version=2018-03-31'. Status Code: 'BadRequest', Response from server: '{
"code": "BadRequest",
"message": "Getting static credential is not allowed because this cluster is set to disable local accounts.",
"subcode": ""
}'
at t.Fetch.issueRequest (https://cdn.vsassets.io/ext/ms.vss-web/platform-content/ms.vss-web.platform-content.es6.B3ZnRz.min.js:1:13449)
at async o._issueRequest (https://cdn.vsassets.io/ext/ms.vss-web/platform-content/ms.vss-web.platform-content.es6.B3ZnRz.min.js:1:21157)
Based on this error I have granted the cluster all the available admin roles in the Azure Portal and I have also created an admin permissions in CLI to match the error: subscriptions/*****/resourcegroups/*****/providers/Microsoft.ContainerService/managedClusters/*****/accessProfiles/clusterAdmin/listCredential
But nothing has worked so far.
Has someone had this issue before? How to go around it?
Thank you :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Sharing the resolution that Customer received from the support team so that it can help others in the community:
In order to create Service Connections in DevOps, no matter what type of cluster configuration you have, local accounts need to be enabled, otherwise it is not possible to create a DevOps Service Connection.
HBI @KarishmaTiwari-MSFT thanks for the update.
So in order to have ADO service connection working, we are putting a non recommended configuration in our AKS which is local accounts enabled and with that having a possibility of a breach in security.
Thanks.
Renato
Hi @Renato Ribeiro ,
The message @KarishmaTiwari-MSFT posted is the resolution I got from Microsoft Support - unfortunately it does look like the only way of creating a Service Connection in DevOps is to enable local accounts - I talked to multiple engineers and tried several cluster configurations to bypass this issue, but Microsoft's final response was:
I am afraid that to create the Kubernetes service connection in Azure DevOps, it is required to enable the Kubernetes local accounts. I am afraid that it is currently the limitation in the Azure DevOps. As a support engineer, I understand this limitation is unexpected based on your scenarios and duly apologize for the inconvenience brought by the issue. You’re understanding and bearing with us at the moment are much appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 70%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
A year later - this is still the case it seems.
Hi @Ana Louro
Thanks for using Q & A forum.
You required to assign permissions to the below two built-in roles
To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group.
-----
If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
Hello,
I'm also facing the same problem. I tried with Azure AD with Azure RBAC and then assigned a group, or a Service Principal or even my user, and still stucked with the error "Status Code: 'BadRequest', Response from server: '{ "code": "BadRequest", "message": "Getting static credential is not allowed because this cluster is set to disable local accounts.", "subcode": "" }'".
I performed the command as the documentation https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac, where I used a Service Principal (the same used on my service connection on DevOps) with the command $az role assignment create --role "Azure Kubernetes Service Cluster Admin Role" --assignee $mySP-ID --scope $myAKS_ID (performd also for Reader Role).
I'm also able to see under AKS IAM that the roles were created.
Any reason for this?
Thanks
Hi @SUNOJ KUMAR YELURU ,
Thank you for your answer - I'm sorry it has taken me this long to reply.
I have tried to assign both roles Azure Kubernetes Service Cluster Admin Role + Azure Kubernetes Service Cluster User Role to my user in order to access the namespace when creating the Kubernetes Service Connection - the roles were added successfully by following the commands on the link suggested:
Get the resource ID of your AKS cluster
AKS_CLUSTER=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query id -o tsv)
Get the account credentials for the logged in user
ACCOUNT_UPN=$(az account show --query user.name -o tsv)
ACCOUNT_ID=$(az ad user show --id $ACCOUNT_UPN --query objectId -o tsv)
Assign the 'Cluster Admin' role to the user
az role assignment create \
--assignee $ACCOUNT_ID \
--scope $AKS_CLUSTER \
--role "Azure Kubernetes Service Cluster Admin Role"
However, the issue persists, and I'm still getting the error:
Uncaught (in promise) TFS.WebApi.Exception: Error while fetching cluster credentials. Make sure you have clusterAdmin permissions on the cluster. Error from external server: Failed to query service connection API: 'https://management.azure.com/subscriptions/xxxx/resourcegroups/xxxx/providers/Microsoft.ContainerService/managedClusters/xxxx/accessProfiles/clusterAdmin/listCredential?api-version=2018-03-31'. Status Code: 'BadRequest', Response from server: '{
"code": "BadRequest",
"message": "Getting static credential is not allowed because this cluster is set to disable local accounts.",
"subcode": ""
}'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 18%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Is there still the same problem? Is there a solution other than using local accounts?
Is there still the same problem? Is there a solution other than using local accounts?