AKS cluster identity permissions
The following permissions are used by the AKS cluster identity, which is created and associated with the AKS cluster. Each permission is used for the reasons below:
AKS CLUSTER IDENTITY PERMISSIONS
Microsoft.ContainerService/managedClusters/*
You can use Azure role-based access control (Azure RBAC) to control access to these credentials. These Azure roles let you define who can retrieve the kubeconfig file, and what permissions they then have within the cluster.
The two built-in roles are:

Azure Kubernetes Service Cluster Admin Role
- Allows access to the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call. This API call lists the cluster admin credentials.
- Downloads kubeconfig for the clusterAdmin role.

Azure Kubernetes Service Cluster User Role
- Allows access to the Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call. This API call lists the cluster user credentials.
- Downloads kubeconfig for the clusterUser role.
List Cluster User Credentials using REST API
https://learn.microsoft.com/en-us/azure/aks/concepts-identity#aks-cluster-identity-permissions
To register the providers required to use Microsoft.Kubernetes:
az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration
If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.
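Added example, not part of the answer above or of Microsoft's own tooling: a small stdlib-only Python script that builds and (optionally) calls the listClusterUserCredential / listClusterAdminCredential REST actions that the two built-in roles grant, decodes the returned kubeconfigs, and reports how each one authenticates. The point it makes: the clusterAdmin kubeconfig carries a static client certificate that bypasses Azure AD and Kubernetes RBAC, so holders of the Cluster Admin Role should be audited. The api-version, the bearer token source and both sample kubeconfigs are assumptions/constructed data, not values taken from the original page.

```python
"""Added example (not from the original answer): exercise the AKS
listClusterUserCredential / listClusterAdminCredential REST actions and
classify the kubeconfig each one returns. Standard library only."""
import base64
import json
import urllib.request

MGMT = "https://management.azure.com"
API_VERSION = "2024-02-01"  # assumption: any current AKS api-version will do

# Built-in role name -> the action it unlocks under .../managedClusters/{name}/
ACTIONS = {
    "Azure Kubernetes Service Cluster User Role": "listClusterUserCredential",
    "Azure Kubernetes Service Cluster Admin Role": "listClusterAdminCredential",
}


def credential_url(subscription_id, resource_group, cluster, role):
    """Build the ARM URL for the credential action granted by `role`."""
    action = ACTIONS[role]
    return (f"{MGMT}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ContainerService/managedClusters/{cluster}"
            f"/{action}?api-version={API_VERSION}")


def list_credentials(url, bearer_token):
    """POST the action with an ARM token (e.g. from
    `az account get-access-token --query accessToken -o tsv`).
    Returns the CredentialResults document: {"kubeconfigs": [{"name", "value"}]}."""
    req = urllib.request.Request(url, data=b"", method="POST", headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_kubeconfigs(credential_results):
    """CredentialResults -> {name: kubeconfig YAML}; each 'value' is base64."""
    return {k["name"]: base64.b64decode(k["value"]).decode()
            for k in credential_results["kubeconfigs"]}


def classify_kubeconfig(kubeconfig_text):
    """How does this kubeconfig authenticate to the API server?
    'certificate' = static client cert (the clusterAdmin kubeconfig: a local
    cluster-admin identity, not subject to Azure AD or Azure RBAC);
    'exec' = kubelogin / Azure AD; 'token' = static bearer token.
    Substring checks keep this free of a YAML dependency."""
    if "client-certificate-data:" in kubeconfig_text:
        return "certificate"
    if "exec:" in kubeconfig_text:
        return "exec"
    if "token:" in kubeconfig_text:
        return "token"
    return "unknown"


def audit(credential_results):
    """Name -> auth method for every kubeconfig the action returned."""
    return {name: classify_kubeconfig(text)
            for name, text in decode_kubeconfigs(credential_results).items()}


# --- constructed sample data (abbreviated, not real cluster output) ---------
USER_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: aks1
  cluster:
    server: https://aks1.example.invalid:443
users:
- name: clusterUser_rg1_aks1
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args: [get-token, --login, azurecli]
current-context: aks1
"""

ADMIN_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: aks1
  cluster:
    server: https://aks1.example.invalid:443
users:
- name: clusterAdmin_rg1_aks1
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t  # placeholder
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ==  # placeholder
current-context: aks1
"""


def sample_response(name, kubeconfig_text):
    """Wrap constructed YAML in the CredentialResults shape the API returns."""
    value = base64.b64encode(kubeconfig_text.encode()).decode()
    return {"kubeconfigs": [{"name": name, "value": value}]}


SAMPLE_USER = sample_response("clusterUser", USER_KUBECONFIG)
SAMPLE_ADMIN = sample_response("clusterAdmin", ADMIN_KUBECONFIG)

if __name__ == "__main__":
    sub, rg, cluster = "00000000-0000-0000-0000-000000000000", "rg1", "aks1"  # placeholders
    for role in ACTIONS:
        print(role, "->", credential_url(sub, rg, cluster, role))
    print(audit(SAMPLE_USER))   # {'clusterUser': 'exec'}
    print(audit(SAMPLE_ADMIN))  # {'clusterAdmin': 'certificate'}
    # Live use: results = list_credentials(credential_url(sub, rg, cluster, role), token)
```

Run against a real cluster by passing the output of `az account get-access-token` to `list_credentials`; the offline samples only illustrate the two result shapes. If `audit` reports `certificate` for anyone who is not meant to be a break-glass administrator, review the Cluster Admin Role assignments on the managedClusters resource.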