Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS)

You can interact with Kubernetes clusters using the kubectl tool. The Azure CLI provides an easy way to get the access credentials and configuration information to connect to your AKS clusters using kubectl. To limit who can get that Kubernetes configuration (kubeconfig) information and to limit the permissions they then have, you can use Azure role-based access control (Azure RBAC).

This article shows you how to assign Azure roles that limit who can get the configuration information for an AKS cluster.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI, using Azure PowerShell, or using the Azure portal.

This article also requires that you are running the Azure CLI version 2.0.65 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Available cluster roles permissions

When you interact with an AKS cluster using the kubectl tool, a configuration file is used that defines cluster connection information. This configuration file is typically stored in ~/.kube/config. Multiple clusters can be defined in this kubeconfig file. You switch between clusters using the kubectl config use-context command.

The az aks get-credentials command lets you get the access credentials for an AKS cluster and merges them into the kubeconfig file. You can use Azure role-based access control (Azure RBAC) to control access to these credentials. These Azure roles let you define who can retrieve the kubeconfig file, and what permissions they then have within the cluster.

The two built-in roles are:

  • Azure Kubernetes Service Cluster Admin Role
    • Allows access to the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call. This API call lists the cluster admin credentials.
    • Downloads the kubeconfig for the clusterAdmin role.
  • Azure Kubernetes Service Cluster User Role
    • Allows access to the Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call. This API call lists the cluster user credentials.
    • Downloads the kubeconfig for the clusterUser role.

These Azure roles can be applied to an Azure Active Directory (AD) user or group.

Note

On clusters that use Azure AD, users with the clusterUser role get an empty kubeconfig file that prompts for a login. Once logged in, users have access based on their Azure AD user or group settings. Users with the clusterAdmin role have admin access.

On clusters that do not use Azure AD, the clusterUser role has the same effect as the clusterAdmin role.

Assign role permissions to a user or group

To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group. The following example commands:

  • Get the cluster resource ID using the az aks show command for the cluster named myAKSCluster in the myResourceGroup resource group. Provide your own cluster and resource group name as needed.
  • Use the az account show and az ad user show commands to get your user ID.
  • Finally, assign a role using the az role assignment create command.

The following example assigns the Azure Kubernetes Service Cluster Admin Role to an individual user account:

# Get the resource ID of your AKS cluster
AKS_CLUSTER=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query id -o tsv)

# Get the account credentials for the logged in user
ACCOUNT_UPN=$(az account show --query user.name -o tsv)
ACCOUNT_ID=$(az ad user show --id $ACCOUNT_UPN --query objectId -o tsv)

# Assign the 'Cluster Admin' role to the user
az role assignment create \
    --assignee $ACCOUNT_ID \
    --scope $AKS_CLUSTER \
    --role "Azure Kubernetes Service Cluster Admin Role"

Important

In some cases, the user.name in the account is different from the userPrincipalName, such as with Azure AD guest users:

$ az account show --query user.name -o tsv
user@contoso.com
$ az ad user list --query "[?contains(otherMails,'user@contoso.com')].{UPN:userPrincipalName}" -o tsv
user_contoso.com#EXT#@contoso.onmicrosoft.com

In this case, set the value of ACCOUNT_UPN to the userPrincipalName from the Azure AD user. For example, if your account user.name is user@contoso.com:

ACCOUNT_UPN=$(az ad user list --query "[?contains(otherMails,'user@contoso.com')].{UPN:userPrincipalName}" -o tsv)

Tip

If you want to assign permissions to an Azure AD group, update the --assignee parameter shown in the previous example with the object ID for the group rather than a user. To obtain the object ID for a group, use the az ad group show command. The following example gets the object ID for the Azure AD group named appdev:

az ad group show --group appdev --query objectId -o tsv

You can change the previous assignment to the Cluster User Role as needed.

The following example output shows the role assignment has been successfully created:

{
  "canDelegate": null,
  "id": "/subscriptions/<guid>/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster/providers/Microsoft.Authorization/roleAssignments/b2712174-5a41-4ecb-82c5-12b8ad43d4fb",
  "name": "b2712174-5a41-4ecb-82c5-12b8ad43d4fb",
  "principalId": "946016dd-9362-4183-b17d-4c416d1f8f61",
  "resourceGroup": "myResourceGroup",
  "roleDefinitionId": "/subscriptions/<guid>/providers/Microsoft.Authorization/roleDefinitions/0ab01a8-8aac-4efd-b8c2-3ee1fb270be8",
  "scope": "/subscriptions/<guid>/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster",
  "type": "Microsoft.Authorization/roleAssignments"
}

Get and verify the configuration information

With Azure roles assigned, use the az aks get-credentials command to get the kubeconfig definition for your AKS cluster. The following example gets the --admin credentials, which work correctly if the user has been granted the Cluster Admin Role:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

You can then use the kubectl config view command to verify that the context for the cluster shows that the admin configuration information has been applied:

$ kubectl config view

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://myaksclust-myresourcegroup-19da35-4839be06.hcp.eastus.azmk8s.io:443
  name: myAKSCluster
contexts:
- context:
    cluster: myAKSCluster
    user: clusterAdmin_myResourceGroup_myAKSCluster
  name: myAKSCluster-admin
current-context: myAKSCluster-admin
kind: Config
preferences: {}
users:
- name: clusterAdmin_myResourceGroup_myAKSCluster
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: e9f2f819a4496538b02cefff94e61d35
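Checking the kubeconfig shows what one user received; from the defender's side it is just as useful to list every principal that can retrieve credentials at the cluster scope. The following script is an added example and not part of the original article: fetch_assignments calls the real az role assignment list command, while audit_assignments parses its TSV rows, so the constructed sample at the end runs without an Azure subscription.

```shell
#!/bin/sh
# Added example, not from the article: audit who can download kubeconfig for an AKS cluster.

ADMIN_ROLE="Azure Kubernetes Service Cluster Admin Role"
USER_ROLE="Azure Kubernetes Service Cluster User Role"
TAB="$(printf '\t')"

# Emit one TSV row per assignment at the cluster scope: principalName, principalType, role.
# $1 is the cluster resource ID, e.g. from:
#   az aks show --resource-group myResourceGroup --name myAKSCluster --query id -o tsv
fetch_assignments() {
    az role assignment list --scope "$1" \
        --query "[].[principalName,principalType,roleDefinitionName]" -o tsv
}

# Read TSV rows on stdin and print one line per principal holding a credential role.
# Note: Owner and Contributor also include the listCluster*Credential actions; they are
# not matched here, so review those assignments separately.
audit_assignments() {
    while IFS="$TAB" read -r name ptype role; do
        case "$role" in
            "$ADMIN_ROLE")
                echo "ADMIN  $name ($ptype): can run 'az aks get-credentials --admin'" ;;
            "$USER_ROLE")
                echo "USER   $name ($ptype): gets the clusterUser kubeconfig" ;;
            *) ;;   # other roles are ignored by this check
        esac
    done
}

# Constructed sample rows, shaped like fetch_assignments "$AKS_CLUSTER" output.
SAMPLE="alice@contoso.com${TAB}User${TAB}${ADMIN_ROLE}
appdev${TAB}Group${TAB}${USER_ROLE}
bob@contoso.com${TAB}User${TAB}Reader"

printf '%s\n' "$SAMPLE" | audit_assignments
```

In practice replace the sample with `fetch_assignments "$AKS_CLUSTER" | audit_assignments` and alert when an ADMIN line names a group or an unexpected account.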

Remove role permissions

To remove role assignments, use the az role assignment delete command. Specify the account ID and cluster resource ID, as obtained in the previous commands. If you assigned the role to a group rather than a user, specify the appropriate group object ID rather than account object ID for the --assignee parameter:

az role assignment delete --assignee $ACCOUNT_ID --scope $AKS_CLUSTER

Next steps

For enhanced security on access to AKS clusters, integrate Azure Active Directory authentication.