Update AKS cluster with new service principal credentials vs Azure AD Application credentials

Navratil, Jan 11 Reputation points

Disclaimer: I am not very familiar with Azure AD in general and will be glad for any insights :)


We created an app registration a year back that is used by our AKS cluster. Since it was close to expiring we wanted to update the AKS cluster credentials with new sp credentials for an existing sp as described in https://learn.microsoft.com/en-us/azure/aks/update-credentials#update-aks-cluster-with-new-credentials.

However instead of running the following command to get the secret SP_SECRET=$(az ad sp credential reset --id "$SP_ID" --query password -o tsv)

Our admin created a new secret in the app registration and shared it with me

I was assuming that it would be equivalent to the SP_SECRET I would get from the command, but I might be wrong.

I've run the following command to update the credentials and it finished ok:

az aks update-credentials \
--resource-group myResourceGroup \
--name myAKSCluster \
--reset-service-principal \
--service-principal "$SP_ID" \
--client-secret "${SP_SECRET:Q}"

However it still seems we are using our expired secret. I noticed there is an option to Update AKS cluster with new Azure AD Application credentials, which could maybe be the one we should have used.
az aks update-credentials \
--resource-group myResourceGroup \
--name myAKSCluster \
--reset-aad \
--aad-server-app-id <SERVER APPLICATION ID> \
--aad-server-app-secret <SERVER APPLICATION SECRET> \
--aad-client-app-id <CLIENT APPLICATION ID>

However I do not really understand the difference and I am not sure which one to use to successfully update the creds. I'll be glad for any help/insights


1 answer

  1. Akram Kathimi 396 Reputation points Microsoft Employee

    Hi @Navratil, Jan ,

    AKS needs an identity to access other AD resources. For this, you have two options:

    1- Managed Identity (newer and easier)

    2- Service Principal (older)

    From the question, I can see that you are using Service Principal for your AKS cluster. The first command you shared that is using --reset-service-principal is the correct command that needs to be used to reset the credentials.

    Now, going to the second command you shared which is using --reset-aad. This command is used to configure user access to the AKS cluster itself (authenticating users when using kubectl for example). I should mention that this feature is deprecated and being removed soon, and it has been replaced by AKS-managed Azure Active Directory integration.

    You mentioned that the cluster is still using the old secret. May I ask how you checked that?

    Thank you !

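An added helper (not code from the question, the answer, or the Azure docs) that wraps the checks a practitioner would run around this rotation: flag app-registration secrets that are expired or about to expire, build the --reset-service-principal command the answer identifies as the correct one, and confirm from `az aks show` that the cluster really is service-principal based rather than managed-identity based. It assumes the `az` CLI is installed and logged in, and that your CLI version returns the JSON field names used below (`keyId`, `endDateTime`, `displayName`, `servicePrincipalProfile.clientId`); the sample outputs in the test are constructed.

```python
import json
import subprocess
from datetime import datetime, timezone

def run_az(args):
    """Run an az CLI command and return its parsed JSON output (assumes az is on PATH)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)

def expiring_secrets(creds, now, within_days=30):
    """Given the output of `az ad app credential list --id <APP_ID>`, return
    (keyId, displayName, days_left) for each secret already expired (negative
    days_left) or expiring within `within_days`. Field names are assumed."""
    flagged = []
    for c in creds:
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= within_days:
            flagged.append((c["keyId"], c.get("displayName"), days_left))
    return flagged

def update_cluster_args(resource_group, cluster, sp_id):
    """argv for the command the answer points to for an SP-based cluster.
    The secret is deliberately not part of the argv here: append
    --client-secret from the `az ad sp credential reset` output at call time
    rather than embedding a literal."""
    return ["aks", "update-credentials", "--resource-group", resource_group,
            "--name", cluster, "--reset-service-principal",
            "--service-principal", sp_id]

def cluster_uses_sp(aks_show, sp_id):
    """True when the cluster's servicePrincipalProfile.clientId is the expected
    app id. A managed-identity cluster reports the literal 'msi' there, in which
    case there is no SP secret to rotate at all."""
    profile = aks_show.get("servicePrincipalProfile") or {}
    return profile.get("clientId", "").lower() == sp_id.lower()

if __name__ == "__main__":
    # Live usage: audit the app registration, then verify the cluster's identity.
    app_id = "00000000-0000-0000-0000-000000000000"  # placeholder, replace with yours
    creds = run_az(["ad", "app", "credential", "list", "--id", app_id])
    print(expiring_secrets(creds, datetime.now(timezone.utc)))
    show = run_az(["aks", "show", "-g", "myResourceGroup", "-n", "myAKSCluster"])
    print("cluster uses this SP:", cluster_uses_sp(show, app_id))
```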