Using managed identity with AKS

Saraf, Romil 1 Reputation point
2023-12-20T23:12:46.7733333+00:00

I'm trying to connect from a pod (hosts an app) in one AKS cluster (cluster-A) to another AKS cluster (cluster-B). I need to be able to manage pods and deployments in cluster-B from the app in cluster-A. I use managed identity to log in and then set the credentials of cluster-B. The identity has the cluster admin role in cluster-B, but when I try any kubectl command from the app, I get an authorization error.

ERROR: (AuthorizationFailed) The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/listClusterUserCredential/action' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

Code: AuthorizationFailed


1 answer

  1. Anveshreddy Nimmala 3,550 Reputation points Microsoft External Staff Moderator
    2023-12-21T11:21:53.16+00:00

    Hi Saraf, Romil,

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    The managed identity you are using to authenticate with cluster-B does not have the required permissions to perform the action you are trying to execute.

    You mentioned that the identity has cluster admin role in cluster-B, which should be sufficient to perform the required actions.

    To manage pods and deployments in cluster-B from cluster-A, you need to ensure that the managed identity has the necessary permissions in cluster-B.

    The error message suggests that the identity does not have the required permissions to perform the 'listClusterUserCredential' action.

    To resolve this issue, you can try the following steps:

    1. Check if the managed identity has the required permissions to perform the 'listClusterUserCredential' action in cluster-B.

    az role assignment list --all --assignee <managed-identity-object-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<cluster-B-name>

    2. If the managed identity does not have the required permission, you can add it using this command in the Azure Cloud Shell or Azure CLI.

    az role assignment create --role "Managed Cluster Operator" --assignee <managed-identity-object-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<cluster-B-name>

    Hope this helps you.

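The AuthorizationFailed error in the question is an Azure RBAC decision on the cluster resource (the decision the answer's `az role assignment` commands inspect); the cluster-admin role inside cluster-B is Kubernetes RBAC and never enters that decision. The following is an added example, not code from the question or the answer: an offline Python model of that Azure RBAC check. The role definitions, assignments, object id and scopes are constructed placeholders modelled on Azure's format and are not taken from the thread.

```python
"""Offline model of the Azure RBAC check behind 'AuthorizationFailed'.

Constructed sample data only; placeholders stand in for real ids and scopes.
"""
from fnmatch import fnmatchcase

ACTION = "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
CLUSTER_B = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-b"
             "/providers/Microsoft.ContainerService/managedClusters/cluster-b")
RESOURCE_GROUP_B = CLUSTER_B.rsplit("/providers", 1)[0]
IDENTITY = "11111111-1111-1111-1111-111111111111"  # placeholder object id

# Constructed role definitions shaped like Azure's Actions/NotActions lists.
# The first is modelled on the built-in role that grants the credential action.
ROLE_DEFINITIONS = {
    "Azure Kubernetes Service Cluster User Role": {"Actions": [ACTION], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

def _in_scope(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies when its scope is the resource itself or an ancestor."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def _role_allows(role: dict, action: str) -> bool:
    """Azure semantics: an Actions pattern matches and no NotActions pattern does.
    '*' spans path segments, so '*/read' covers any provider's read action."""
    matches = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return matches(role["Actions"]) and not matches(role["NotActions"])

def allowed(assignments, principal, action, scope):
    """Return the role names of assignments that grant `action` on `scope`."""
    return [a["role"] for a in assignments
            if a["principalId"] == principal and _in_scope(a["scope"], scope)
            and _role_allows(ROLE_DEFINITIONS[a["role"]], action)]

# Constructed assignments. A Kubernetes cluster-admin ClusterRoleBinding lives in a
# different system and is not an Azure role assignment, so it never appears here.
BEFORE = [{"principalId": IDENTITY, "role": "Reader", "scope": CLUSTER_B}]
AFTER = BEFORE + [{"principalId": IDENTITY,
                   "role": "Azure Kubernetes Service Cluster User Role",
                   "scope": RESOURCE_GROUP_B}]  # inherited by cluster-B from its group

if __name__ == "__main__":
    print("before:", allowed(BEFORE, IDENTITY, ACTION, CLUSTER_B))  # []
    print("after: ", allowed(AFTER, IDENTITY, ACTION, CLUSTER_B))
```

Reader alone yields an empty list because `*/read` does not match an `/action` suffix, which is the same outcome the question's error reports.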
