HELP AKS user over scope when getting AKS credentials

Goncalo 20 Reputation points
2023-10-27T10:00:26.17+00:00

I am running a GitHub Actions workflow. One of the steps is login, which does log in successfully, but then when getting credentials I get this error:

Error: ***"error":***"code":"AuthorizationFailed","message":"The client ‘<ID>’ with object id '<ID>' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' over scope '/subscriptions/***/resourceGroups/***/providers/Microsoft.ContainerService/managedClusters/***/accessProfiles/clusterAdmin' or the scope is invalid. If access was recently granted, please refresh your credentials."***

The command it was running:

az aks get-credentials --resource-group <resource group> --name <cluster name>

I created the above user like this:

az ad sp create-for-rbac --name "githubactionsazure" --role owner --scopes /subscriptions/<my subscription>/resourceGroups/<the resource group> --sdk-auth

This returned credentials in JSON that I added as the AZURE_CREDENTIALS secret to my repository. Since it logs in successfully but does not get the credentials, I tried giving it the permission it needs like this:

az role assignment create --assignee <clientId> --role "Azure Kubernetes Service Cluster Admin Role" --scope /subscriptions/<my subscription>/resourceGroups/<resource group>/providers/Microsoft.ContainerService/managedClusters/<cluster name>

None of this resolves the scope error I have. Can anyone help me with this?

Azure Kubernetes Service

Accepted answer
  1. KarishmaTiwari-MSFT 20,777 Reputation points Microsoft Employee Moderator
    2023-10-31T01:17:29.7866667+00:00

    @Goncalo

    The error message you are seeing indicates that the client with the specified object ID does not have the required permissions to perform the specified action on the specified scope in Azure Container Service.

    To resolve this issue, verify that you have the required permissions to perform the specified action on the specified scope. You can check your permissions in the Access control (IAM) section of your subscription or management group in the Azure portal.


    Let me know in the comments if you have further questions. Comment is the fastest way to reach the experts for any questions or help you need.

    Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members for remediation for similar issues.

    1 person found this answer helpful.
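
The permission check described in the answer can also be done offline against exported role assignments. The following is an added example, not part of the original thread or of Azure's tooling: it parses the `AuthorizationFailed` message and reports whether the object id named in it holds an assignment whose scope and actions cover the request. All ids, the sample data and the function names are constructed; the role-to-actions table is an assumption to be confirmed with `az role definition list`.

```python
import re
from fnmatch import fnmatchcase

Q = "['‘’]"  # the message mixes straight and curly quotes
ERR_RE = re.compile(
    rf"object id {Q}(?P<object_id>[^'‘’]+){Q}.*?action {Q}(?P<action>[^'‘’]+){Q}"
    rf".*?over scope {Q}(?P<scope>[^'‘’]+){Q}", re.S)

def parse_error(msg):
    """Extract object id, action and scope from an AuthorizationFailed message."""
    m = ERR_RE.search(msg)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()

def scope_covers(assigned, required):
    """A role assignment applies at its own scope and at every child scope."""
    a, r = assigned.rstrip("/").lower(), required.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def action_allowed(patterns, action):
    """Match against a role's Actions ('*' wildcards). NotActions are not modelled."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def diagnose(msg, assignments, role_actions):
    """Return (verdict, roles) for the identity named in the error."""
    need = parse_error(msg)
    mine = [a for a in assignments if a["principalId"].lower() == need["object_id"].lower()]
    if not mine:
        return "no-assignment-for-object-id", []
    in_scope = [a for a in mine if scope_covers(a["scope"], need["scope"])]
    if not in_scope:
        return "scope-not-covered", []
    roles = [a["roleDefinitionName"] for a in in_scope
             if action_allowed(role_actions.get(a["roleDefinitionName"], []), need["action"])]
    # "granted" while the error persists: the error text itself suggests refreshing credentials
    return ("granted" if roles else "action-not-in-role"), roles

# Constructed sample data (placeholder ids); assignment fields follow
# `az role assignment list -o json`; role actions are assumed, check `az role definition list`.
RG = "/subscriptions/sub-1/resourceGroups/rg-1"
SAMPLE_ERROR = (
    "The client ‘app-0000’ with object id 'obj-1111' does not have authorization to perform "
    "action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' "
    f"over scope '{RG}/providers/Microsoft.ContainerService/managedClusters/aks-1"
    "/accessProfiles/clusterAdmin' or the scope is invalid.")
SAMPLE_ASSIGNMENTS = [{"principalId": "obj-2222", "roleDefinitionName": "Owner", "scope": RG}]
ROLE_ACTIONS = {"Owner": ["*"]}
print(diagnose(SAMPLE_ERROR, SAMPLE_ASSIGNMENTS, ROLE_ACTIONS))
```

A `no-assignment-for-object-id` verdict means the workflow is logged in as a different identity than the one holding the role assignments, so compare the object id in the error with the `principalId` values in the export.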