How get bearer token for AKS cluster version 1.24.6

Question

How get bearer token for AKS cluster version 1.24.6

Veeru Chinta 21

Hi,

I have created an AKS cluster using version - 1.24.6

Ran AZ cloud shell command "az aks get-credentials" command to get credentials for AKS cluster - I refered this doc - https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials

It generated a "config" file in the location - ~/.kube/.
conifg file does not contain token. But, it has command kubelogin

apiVersion: v1
clusters:

cluster:
certificate-authority-data: Redacted string
server: https://serverredacted.hcp.westus2.azmk8s.io:443
name: AKSCluster
contexts:
context:
cluster: AKSCluster
user: clusterUser_AKSGroup_AKSCluster
name: AKSCluster
current-context: AKSCluster
kind: Config
preferences: {}
users:
name: clusterUser_AKSGroup_AKSCluster
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
get-token
--environment
AzurePublicCloud
--server-id
redacted
--client-id
redacted
--tenant-id
redacted
--login
devicecode
command: kubelogin

env: null
provideClusterInfo: false

How to execute "kubelogin get-token" to get bearer token for AKS cluster resources like namespaces , nodes and etc.

My ask is how to get AKS cluster bearer token using API call without using kubelogin command

Thanks in advance.

Regards,
Veeru

Accepted answer

1 additional answer

Your answer

Answer 1

@Veeru Chinta

Thanks for your patience on this.

Wanted to share below details to clear with AKS’s authentication concepts, which is also described here.

Ref:
list-cluster-user-credentials
list-cluster-admin-credentials
clientcert
static token

Below are the responses for your queries.

Is there any HTTP API that tells about Which model was used for AKS cluster authentication?
The managed-clusters/get call (az aks show) shows whether AAD based authentication is enabled.

Is there any common approach (Which works for all types of AKS clusters wither used AAD / K8s Service accounts)?
Service accounts always works. It however requires in-cluster operation to generate the service account and credentials prior to usage.
Admin token also works, note however that admin account can be blocked via disable local accounts. Admin accounts has its own problem, namely: 1) the permission is too broad for automation and can easily be abused; 2) Difficult to rotate on security breach.
I shared this in my previous response to extract both admin tokens and service account tokens.

Is /oauth2/token API call access token can be used as a bearer token for K8s resources API calls?
To which identity provider? If the provider is AAD, then yes. See the deprecated azure auth code in go-client (used in kubectl) that “Authorization: Bearer {token}” is used even for Azure authentication when talking with kubernetes.

Hope this helps.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

Answer 2

vipullag-MSFT 26,492 Moderator

@Veeru Chinta

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Tokens are stored on the local machine and not fetched using API calls for authenticating to APIServer.

From kube-login, “AAD token will be cached locally for renewal in device code login and user principal login (ropc) flow. By default, it is saved in ~/.kube/cache/kubelogin/”.
“Uses an access token from Azure CLI to log in.”

Also, you can use below az cli to fetch the AAD user access token.

az account get-access-token

Hope this helps.
If you need further help on this, tag me in a comment.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

Veeru Chinta 21 Reputation points

2022-11-24T11:13:45.22+00:00
@vipullag-MSFT thanks for your reply

Is any API available to get a bearer Token for AKS clusters That bearer token can use to make Kubernetes API calls like namespaces, services etc. This means without using the Azure CLI/ Kubelogin commands.

Previously, Used Managed Clusters - List Cluster User Credentials API call to get User credentials instead of using az aks get-credentials and Used base64docde to retrieve the token from the API response.

Example response after base64rdecode:

---------------------------------

apiVersion: v1
clusters:

cluster:
certificate-authority-data: Redacted
server: https://aksserver.hcp.eastus.azmk8s.io:443
name: aks-cluster
contexts:

context:
cluster: aks-cluster
user: clusterUser_re_group_aks-cluster
name: aks-cluster
current-context: aks-cluster
kind: Config
preferences: {}
users:

name: clusterUser_re_group_aks-cluster
user:
client-certificate-data: Redacted
token: TokenRedacted

----------------------

But, In AKS version 1.24.6, I am seeing kubelogin command. Hence, I need to install kubelogin tool on the machine where trying to make Kubernetes API calls and need to configure kubelogin with Azure account credentials.

I am not able to find the approach to get the Bearer token for Kubernetes API calls using Rest API calls.

Thanks,
Veeru
vipullag-MSFT 26,492 Reputation points Moderator

2022-11-25T05:50:33.597+00:00

@Veeru Chinta

Adding little more details for you ask.

The config using exec is supported in several official client libraries for kubernetes, such as the client-go and python library. So you should be able to use the kubeconfig directly in many scenarios, as long as the client library supports, and the kubelogin binary is installed.

For ad-hoc http clients and k8s clients that doesn’t support exec auth extensions, the token can be acquired programmatically with AAD client libraries, such as MSAL or ADAL.

Otherwise if you do not need to use AAD authentication, service account access also works.
Veeru Chinta 21 Reputation points

2022-11-28T05:38:11.653+00:00

Thanks @vipullag-MSFT

Yes, I am using an HTTP client to access K8s resources. Will try the suggested approaches (AAD client libraries, such as MSAL or ADAL).

For AKS clusters authentication/ authorization using hybrid models. It means some of the AKS clusters are using (AAD authentication+Azure RBAC + K8s RBAC) and others using the Kubernetes Service accounts approach.

Is there any HTTP API that tells about Which model was used for AKS cluster authentication? Is there any common approach (Which works for all types of AKS clusters wither used AAD / K8s Service accounts)?

Is /oauth2/token API call access token can be used as a bearer token for K8s resources API calls?

Regards,
Veeru
vipullag-MSFT 26,492 Reputation points Moderator

2022-11-29T06:09:12.93+00:00
@Veeru Chinta

I checked with internal team on this and sharing the info that I got from the team.

Use the token in ~/.kube/config file

For more fine-grained access

List the tokens for different authorization
Command :

kubectl get secrets -n kube-system -o name

Sample Output:
secret/attachdetach-controller-token-xqzxm
secret/azure-cloud-provider-token-lczkb
secret/bootstrap-signer-token-q977t
secret/bootstrap-token-z8hboh
secret/certificate-controller-token-d5gkh
secret/cloud-node-manager-token-5hx9c
secret/clusterrole-aggregation-controller-token-v6p5w
secret/coredns-autoscaler-token-zl8rg
secret/coredns-token-kjm4t

Get the token, let’s say you want to use secret/coredns-token-kjm4t for coredns manipulation Command:

TOKEN=$(kubectl -n kube-system get $(kubectl get secret -n kube-system -o name | grep coredns-token-kjm4t) -o jsonpath='{.data.token}' | base64 -d)

Then you can use RestAPI freely with this token.

Hope this helps.

Share via

How get bearer token for AKS cluster version 1.24.6

1 additional answer

Your answer