This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 35%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Hey everyone,
I have been following the "Automate multi-container Kubernetes deployments with Azure Pipelines" module here, I am getting a rather strange error that doesn't seem to be mentioned much on the internet. I do want to note first of all that I did have to change one thing about this setup process - namely the command to create the AKS instance. The one in the module gave me a error. Looking around resulted in me constructing this command that seems to work well - however if this is what is causing my problem please let me know:
az aks create \
--name $aksName \
--resource-group $rgName \
--enable-addons monitoring \
--kubernetes-version $aksVersion \
--generate-ssh-keys \
--node-vm-size standard_ds2 \
--node-count 2
Anyway, the AKS instance seems to be healthy, but when I go to create the Kubernetes Service Connection or the Spike environment, I get a "Could not find any secrets associated with the Service Account". I have tried recreating everything from scratch (deleting the resource-group and creating it whole again), but that doesn't seem to work. I have also researched to see if anyone else has had this issue, but most of the people talk about this error are using the Service Account option for creating the connection, whereas I am using the Azure Subscription option. The sole exception seems to be an some problems people were having with AKS for version 1.23 (and possibly 1.24.4), whereas my AKS instance is version 1.24.6. If anyone could give me any help, I would greatly appreciate it. I have a few ideas that I will try to work on in the meantime - I know Azure has the key vault and other ways to store secrets and service principles. Even though creating those things weren't a part of the module, maybe that is what I need to do.
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi @Jimmy Lindsey Thanks for posting your query on Microsoft Q&A.
I am currently gathering information on this known issue and will get back to you shortly with the workarounds.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 3%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hello MS Team
We are currently facing a similar issue while trying to integrate the EKS / AKS Cluster with version 1.24+ to Azure DevOps via Service Connection. We were able to connect via ADO to EKS / AKS versions up to < 1.23 only. Kindly suggest when we can expect to get a solution for this. For your information, we have already opened a ticket with Microsoft Support under Tracking ID #2307270030003923."
UPDATE 4/19:
Since a lot of customers are facing this issue, I got the latest update from the product team on this:
Issue:
When creating Kubernetes service connection using Azure Subscription as the authentication method, it fails with error: Could not find any secrets associated with the Service Account.
Cause:
Unfortunately, there was a change to the AKS version 1.24.x that no longer automatically generates the associated secret for service account. The change was done on the AKS part, but not on the Azure DevOps side. The product team is currently investigating this issue.
The change log for AKS 1.4.x version says -
The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide.
Work done:
There is an internal work item open with the Product team to resolve this. There is no ETA that can be shared at this point but it is in progress.
Workarounds:
For the time being, the easiest fix is to use one of the other two options to configure the Service Connection, KubeConfig or Service Account. You can find both the options explained step-by-step on this Developer Community ticket: New Kubernetes service connection causes an error Could not find any secrets associated with the Service Account. or you can follow the steps required when you attempt to configure a KubeConfig/Service Account Kubernetes Service Connection as explained in the public documentation here: Service connections in Azure Pipelines - Azure Pipelines | Microsoft Learn.
Downgrading to 1.23. version is another option. However, I highly recommend one of these two options (i.e. KubeConfig or Service Account) for the time being and not being stuck for a longer period. There is no estimated time when the Subscription option will be available again. However, Microsoft is working on fixing the situation as they are currently actively investigating the best option to resolve this.
Additional resources to go through on the same issue:
----------
If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread.
And, if you have any further query, do let us know in the comments and I would be happy to investigate further.
Thank you so much! I ended up creating AKS with version 1.23.8 which worked. I did look into the example you provided using KubeConfig, and I think it is something I would consider if I needed a more permanent solution. For me though, I am planning on deleting all of these resources soon.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 19%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
This issue has still not been resolved, which is particulary frustrating as the build pipleine configurator for "Deploy to Azure Kubernetes" and "Deploy to Kubernetes - Review app with Azure DevSpaces" don't work either when creating a new pipeline.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 33%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
How is this still broken? why can't Azure coordinate with itself!?!?!?
Hi Internal Ticket folks, @Anonymous , any update on this? As @Aaron Dyer noted in Jan 17 comment, it's breaking other things, too, and it the work-around for the original problem creates additional complexity.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 22%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
18 February 2023 and the issue which was probably broken before October 2022 remains unfixed. Then how do we always recommend Azure Devops and AKS combination when things go for long without being fixed. Adding complexity uselessly is just plain unproductive. Was perhaps the team that took care of this let off or something?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 53%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Adding to this. Running into the issue still. Glad this was the first link that appeared in google, not glad that this complicates setting up the connection or at least creates more steps to achieve the same results.
Hello all, Thanks for all your feedback and shared details. Let me check with the internal team on any update on this work item and get back to you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 28.999999999999996%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
what's the update after 2 weeks???
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Notice has been received from Azure Service Health that AKS is retiring v1.23.x on 2 April 2023.
This problem will need to be resolved in order to keep AKS clusters within supported versions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 75%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFH%3C/text%3E%3C/svg%3E)
Hi, is there any updates on this? Like JasonL mentioned that we can't upgrade until this is resolved, is the same for me.
The solution described in the community issue at start is this thread is a valid solution. It's 2nd option, to create a K8S Service Account for the ADO Envirinment to use provides an approach that is automateble such as for IAC pipelines, and is based on using only K8S objects in the solution.
I've gone with the Service Account Setup and that works just fine. Although running multiple clusters and constantly configuring new ones, it just adds extra steps to use this option. If Kubernetes version 1.24.x introduced the issue of not auto generating the credentials, is there going to be a fix soon to address this as Azure recommended default version is 1.24.x?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 34%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
It works for me when creating service connection but coping with this message error "Could not find any secrets associated with the Service Account." when trying to create environment with resource kubernetes. Can anybody help please ?Screenshot 2023-04-18 185111.png
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 5%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello. This very same month Azure has deprecated AKS versions bellow 1.24, so you are forced to upgrade at least to 1.24 to keep your AKS support. Currently I am unable to add kubernetes resources to my Azure Devops environments and now I see this is has been reported like 6 months ago... is there any ETA for a fix?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 28.999999999999996%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
If any of the above solutions didn't worked, try this. Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method as KubeConfig and for the KubeConfig file, Open AKS in azure portal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 76%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Please read previous comments. it is not working if the cluster version is greater than 1.23 and there is no way to downgrade the version nor there is any warning when upgrading to the new version that this functionality is lost. Currently we are stuck on being able to create a service to an aks cluster that is created/upgraded to the latest version.
Hello @prashanth destroyer . Your suggestion works using AKS 1.24.10.
Thanks a lot!
Hi @Guillermo Abdon I’m glad it helped ☺️
Hi @Florin I’m using the command (“az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin”) along with a “--admin” flag. So, it is working for me for the latest AKS version.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 30%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
When I configure a pipeline, make a loop and aks for service account again. Workarounds doesn't work well, this is horrible after upgrade 1.24. MS is developing new version, to fix this? i tried to upgrade the latest version at this month is 1.26, figure out same situation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 94%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBT%3C/text%3E%3C/svg%3E)
Please choose "KubeConfig" instead of "Azure Subscription" and copy all contents from "/root/.kube/config" file and paste in the "KubeConfig" box. Fill the remaining details and click "verify and save" button.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 80%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hi, in my case I tried that option also. But still the same error. Can you please elaborate further on this ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 18%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
this option stopped working too.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 91%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
In my case, I still could not successfully establish the pipeline. It shows me the same error: Could not find any secrets associated with the Service Account. Please let me know if I am missing anything here.
Using KubeConfig fails for me when testing new pipeline creation on AKS 1.24.x+ clusters.
Using the Service account method appears to work in testing, however, is a considerably more complicated process (Reference method 2 from https://developercommunity.visualstudio.com/t/New-Kubernetes-service-connection-causes/10138123). Note that the process from method 2 shows the basic initial steps and does not cover creating an environment, nothing in regards to the ACR side of the pipeline setup, nor modifications to the pipeline yaml to call the appropriate variables that the pipeline creation would normally automate on AKS version 1.23 and lower.
@JasonL thank you! The approach #2 worked. For others that are still having the issue I am re-iterating here the process:
# for aks version greater than 1.23 we have to handle the pipeline service manually
# https://developercommunity.visualstudio.com/t/New-Kubernetes-service-connection-causes/10138123
#
# 1. Run this yaml file using the kubectl apply -f pipeline-account.yml
# 2. Get the secret by running the following command.
# kubectl get secret sa-secret -n default -o json
# 3. Get kubernetes server URL
# kubectl config view --minify -o jsonpath={.clusters[0].cluster.server}
# 4. Create the Kubernetes service connection using the Service account method.
# Enter the correct values and the Secret json output from above step (step2) - > Save.
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pipeline-serviceaccount
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role-for-pipeline-serviceaccount
# namespace: default
rules:
- apiGroups: ["*","apps","extensions"]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rolebinding-for-pipeline-serviceaccount
# namespace: default
subjects:
- kind: ServiceAccount
name: pipeline-serviceaccount
namespace: default # this is the namespace your service account is in
roleRef:
kind: ClusterRole
name: role-for-pipeline-serviceaccount
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: sa-secret
annotations:
kubernetes.io/service-account.name: "pipeline-serviceaccount"
---
The yaml above will provide cluster wide access.
If you only need access to specific namespace change the ClusterRole and ClusterRoleBinding objects to Role and RoleBinding and uncomment the namespace lines which will give access only to the default namespace.
You can change the namespace in the code above as needed if you need access to another namespace than default.
Let's hope that Microsoft will provide changes to the Azure Pipeline services UI that will help in making this process easier again.
@florin Thanks for that. That worked like a charm!