How to fix access denied error for aks kubernetes commands?

Uday Kiran Reddy (ureddy) 86 Reputation points
2023-10-17T11:02:15.6533333+00:00

With a service principal logged in via the Azure CLI, the command below got this error.

az aks command invoke --resource-group rg-licanltcs-aks-prod --name aks-licanltcs-prod-eastus --command "kubectl create namespace testing"

Error from server (Forbidden): namespaces "testing" is forbidden: User "db6023d1-75df-444d-ac2a-10c16a090fcc" cannot delete resource "namespaces" in API group "" in the namespace "testing"

Azure Kubernetes Service RBAC Cluster Admin access is already provided to it.



1 answer

  1. KarishmaTiwari-MSFT 18,637 Reputation points Microsoft Employee
    2023-10-24T22:53:04.17+00:00

    @Uday Kiran Reddy (ureddy)
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: With a service principal logged in via the Azure CLI, the command below got this error:

    az aks command invoke --resource-group rg-licanltcs-aks-prod --name aks-licanltcs-prod-eastus --command "kubectl create namespace testing"
    

    Error from server (Forbidden): namespaces "testing" is forbidden: User "db6023d1-75df-444d-ac2a-10c16a090fcc" cannot delete resource "namespaces" in API group "" in the namespace "testing"

    Solution: It got fixed once we created a group with access to it while creating the cluster.

    resource aks 'Microsoft.ContainerService/managedClusters@2021-08-01' = {
      name: 'aks-${prefix}-${environmentType}-${location}'
      location: location
      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '${aksIdentityId}' : {}
        }
      }
      sku: {
        name: 'Basic'
        tier: aksSkuTier
      }
      properties: {
        dnsPrefix: 'aks-${prefix}-${environmentType}'
        enableRBAC: true
        aadProfile: {
          managed: true
          adminGroupObjectIDs: [
            adminGroupObjectId
          ]
        }
       ........
    

    If your issue remains unresolved or you have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better, and we greatly value your feedback.

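The fix above works because, on a managed Azure AD cluster, membership in one of the `adminGroupObjectIDs` groups is what Kubernetes RBAC grants cluster-admin to, while the Azure role "Azure Kubernetes Service RBAC Cluster Admin" is only evaluated when Azure RBAC for Kubernetes Authorization (`enableAzureRbac`) is turned on. The following check is an added example, not code from the poster or from Microsoft: it reads cluster JSON shaped like `az aks show -o json` output (constructed sample below, not real cluster data) together with the principal's assumed group memberships and reports which path, if any, would grant it admin rights.

```python
"""Explain why a principal is (or is not) admin on an AKS cluster with managed Azure AD."""
import json

# Constructed sample shaped like `az aks show -o json` output (not a real cluster).
CLUSTER_JSON = json.dumps({
    "name": "aks-example",
    "enableRbac": True,
    "aadProfile": {
        "managed": True,
        "enableAzureRbac": False,
        "adminGroupObjectIDs": ["11111111-1111-1111-1111-111111111111"],
    },
})

# Constructed: the groups the service principal belongs to (what `az ad group member check`
# would confirm). The principal is deliberately NOT in the admin group above.
SP_GROUP_IDS = ["22222222-2222-2222-2222-222222222222"]


def diagnose(cluster_json: str, sp_group_ids: list[str]) -> dict:
    """Return which authorization path applies to the principal and human-readable findings."""
    cluster = json.loads(cluster_json)
    aad = cluster.get("aadProfile") or {}
    result = {"admin_via_group": False, "azure_rbac_enabled": False, "findings": []}

    if not cluster.get("enableRbac"):
        result["findings"].append("Kubernetes RBAC is disabled: the API server does not restrict requests.")
        return result
    if not aad.get("managed"):
        result["findings"].append("No managed Azure AD integration: Azure AD groups are not evaluated.")
        return result

    admin_groups = set(aad.get("adminGroupObjectIDs") or [])
    result["admin_via_group"] = bool(admin_groups & set(sp_group_ids))
    if result["admin_via_group"]:
        result["findings"].append("Principal is in an adminGroupObjectIDs group: cluster-admin via Kubernetes RBAC.")
    else:
        result["findings"].append("Principal is in none of the adminGroupObjectIDs groups.")

    result["azure_rbac_enabled"] = bool(aad.get("enableAzureRbac"))
    if result["azure_rbac_enabled"]:
        result["findings"].append("Azure RBAC for Kubernetes is on: Azure role assignments such as "
                                  "'Azure Kubernetes Service RBAC Cluster Admin' are honoured.")
    else:
        result["findings"].append("Azure RBAC for Kubernetes is off: that Azure role is never consulted; "
                                  "only Kubernetes RoleBindings and adminGroupObjectIDs apply.")
    return result


if __name__ == "__main__":
    for line in diagnose(CLUSTER_JSON, SP_GROUP_IDS)["findings"]:
        print(line)
```

Replace the constructed JSON with the real `az aks show` output and the real group list to check a live cluster; if `admin_via_group` is false and `azure_rbac_enabled` is false, the Azure role assignment alone will not stop the Forbidden error.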