How to get a bearer token for an AKS cluster (version 1.24.6)

Veeru Chinta 21 Reputation points
2022-11-23T12:16:59.377+00:00

Hi,

I have created an AKS cluster using version 1.24.6.

I ran the Azure Cloud Shell command "az aks get-credentials" to get credentials for the AKS cluster. I referred to this doc: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials

It generated a "config" file in the location ~/.kube/.
The config file does not contain a token, but it has the command kubelogin:


apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: Redacted string
    server: https://serverredacted.hcp.westus2.azmk8s.io:443
  name: AKSCluster
contexts:
- context:
    cluster: AKSCluster
    user: clusterUser_AKSGroup_AKSCluster
  name: AKSCluster
current-context: AKSCluster
kind: Config
preferences: {}
users:
- name: clusterUser_AKSGroup_AKSCluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --environment
      - AzurePublicCloud
      - --server-id
      - redacted
      - --client-id
      - redacted
      - --tenant-id
      - redacted
      - --login
      - devicecode
      command: kubelogin
      env: null
      provideClusterInfo: false


How do I execute "kubelogin get-token" to get a bearer token for AKS cluster resources like namespaces, nodes, etc.?

My ask is how to get the AKS cluster bearer token using an API call, without using the kubelogin command.

Thanks in advance.

Regards,
Veeru


Accepted answer
  1. vipullag-MSFT 26,492 Reputation points Moderator
    2022-11-29T10:52:28.547+00:00

    @Veeru Chinta

    Thanks for your patience on this.

    I wanted to share the details below to clarify AKS's authentication concepts, which are also described here.

    (image: 265241-image.png)

    Ref:
    list-cluster-user-credentials
    list-cluster-admin-credentials
    clientcert
    static token

    Below are the responses for your queries.

    Is there any HTTP API that tells about Which model was used for AKS cluster authentication?
    The managed-clusters/get call (az aks show) shows whether AAD based authentication is enabled.

    Is there any common approach (which works for all types of AKS clusters, whether they use AAD or K8s service accounts)?
    Service accounts always work. They do, however, require in-cluster operation to generate the service account and credentials prior to usage.
    The admin token also works; note, however, that the admin account can be blocked via "disable local accounts". Admin accounts have their own problems, namely: 1) the permission is too broad for automation and can easily be abused; 2) they are difficult to rotate on a security breach.
    I shared this in my previous response to extract both admin tokens and service account tokens.

    Can the access token from the /oauth2/token API call be used as a bearer token for K8s resource API calls?
    To which identity provider? If the provider is AAD, then yes. See the deprecated Azure auth code in client-go (used in kubectl): "Authorization: Bearer {token}" is used even for Azure authentication when talking to Kubernetes.

    Hope this helps.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.

1 additional answer

  1. vipullag-MSFT 26,492 Reputation points Moderator
    2022-11-24T08:57:11.547+00:00

    @Veeru Chinta

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Tokens are stored on the local machine and are not fetched using API calls for authenticating to the API server.

    From kube-login, “AAD token will be cached locally for renewal in device code login and user principal login (ropc) flow. By default, it is saved in ~/.kube/cache/kubelogin/”.
    “Uses an access token from Azure CLI to log in.”

    Also, you can use below az cli to fetch the AAD user access token.

    az account get-access-token

    Hope this helps.
    If you need further help on this, tag me in a comment.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
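The two answers above leave the mechanics implicit: kubectl runs the kubeconfig's exec plugin (kubelogin) and expects an ExecCredential JSON object back, and an AAD access token can stand in for that only if it was issued for the same audience as the `--server-id` in the exec args (the AKS server application), not for some other resource such as Azure Resource Manager. The script below, which is an added example and not code from the thread or from kubelogin, shows that wiring: it reads the `--server-id` from the exec section of the kubeconfig (embedded here as an already-parsed dict with placeholder IDs), builds the `az account get-access-token --resource <server-id>` command the second answer points at, inspects the returned JWT's `aud` and `exp` claims before use, and wraps a good token in the ExecCredential shape and the `Authorization: Bearer` header the accepted answer describes. The sample token is constructed in the script for offline use and carries no real signature; signature verification is the API server's job, and nothing here replaces it.

```python
"""Added example: from kubeconfig exec args to a checked bearer token.

Not code from the Q&A thread or from kubelogin/az; IDs and the sample
JWT are constructed placeholders.
"""
import base64
import json
import time

# The `exec` block of the user's kubeconfig, as a dict (YAML already parsed).
# The <...> values are placeholders for the redacted IDs in the thread.
EXEC_SECTION = {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": "kubelogin",
    "args": [
        "get-token", "--environment", "AzurePublicCloud",
        "--server-id", "<server-id>", "--client-id", "<client-id>",
        "--tenant-id", "<tenant-id>", "--login", "devicecode",
    ],
}


def exec_arg(exec_section, flag):
    """Return the value that follows `flag` in the exec plugin's args."""
    args = exec_section["args"]
    try:
        return args[args.index(flag) + 1]
    except (ValueError, IndexError):
        raise KeyError(f"{flag} not present in exec args")


def az_token_command(exec_section):
    """az CLI invocation that requests an AAD token for the AKS server app.

    The audience must be the server-id from the kubeconfig; a token for the
    ARM audience is valid AAD output but will be rejected by the API server.
    The az login session must already be in the kubeconfig's tenant.
    """
    return ["az", "account", "get-access-token",
            "--resource", exec_arg(exec_section, "--server-id")]


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Used only to inspect claims before sending; verification happens server-side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, expected_audience, now=None):
    """Return a list of problems; an empty list means the token is usable."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"audience {aud!r} is not the AKS server app {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def exec_credential(token, exp_epoch):
    """The object kubectl expects on the exec plugin's stdout."""
    return {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "kind": "ExecCredential",
        "status": {
            "token": token,
            "expirationTimestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(exp_epoch)),
        },
    }


def bearer_header(token):
    """Header used on direct calls to the API server (e.g. GET /api/v1/namespaces)."""
    return {"Authorization": f"Bearer {token}"}


def make_sample_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"


if __name__ == "__main__":
    server_id = exec_arg(EXEC_SECTION, "--server-id")
    print("would run:", " ".join(az_token_command(EXEC_SECTION)))
    good = make_sample_jwt({"aud": server_id, "exp": int(time.time()) + 3600})
    wrong = make_sample_jwt({"aud": "https://management.azure.com/", "exp": 0})
    print("good token problems:", check_token(good, server_id))
    print("wrong token problems:", check_token(wrong, server_id))
    print(json.dumps(exec_credential(good, int(time.time()) + 3600), indent=2))
```

In practice the `az` command is run with `subprocess` and its JSON output's `accessToken` field is passed to `check_token` before being used; the audience check is the part that catches the common mistake of reusing a management-plane token against the cluster.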

