User can't get cluster resources

This article describes how to fix issues that occur when you can't get the details of a resource in an Azure Kubernetes Service (AKS) cluster.

Prerequisites

  • The Kubernetes cluster command-line tool (kubectl).

Note

If you use Azure Cloud Shell to run shell commands, kubectl is already installed. If you use a local shell and already have Azure CLI installed, you can alternatively install kubectl by running the az aks install-cli command.

Symptoms

If you run kubectl to get the details of an AKS cluster node, you might see the following error message:

$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a1-111111aaaaa" cannot list resource "nodes" in API group "" at the cluster scope

Cause 1: Incorrect role and role binding permissions

When you enable role-based access control (RBAC) for your AKS cluster, you control the permissions for a User through Role and RoleBinding (or ClusterRole and ClusterRoleBinding) settings. If the User hasn't been granted the correct permissions, the User sees errors when trying to get the details of a resource in the cluster.

Solution: Set the correct roles and role bindings

Make sure you set the correct Role and RoleBinding for the User. For detailed examples, see Use Kubernetes RBAC with Microsoft Entra integration.
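
As an added illustration (not part of the original article or of any Microsoft tooling), the shell function below parses the Forbidden message shown under Symptoms and prints the narrowest Role or ClusterRole and binding that would satisfy it. The function name and the resource naming scheme are assumptions, and the script only prints a manifest for review.

```shell
#!/usr/bin/env bash
# Added example: derive the narrowest RBAC grant from a Forbidden message.
# Prints a manifest for an administrator to review; it applies nothing.
rbac_from_forbidden() {
  msg=$1
  user=$(printf '%s\n' "$msg" | sed -n 's/.*User "\([^"]*\)".*/\1/p')
  verb=$(printf '%s\n' "$msg" | sed -n 's/.* cannot \([a-z]*\) resource .*/\1/p')
  resource=$(printf '%s\n' "$msg" | sed -n 's/.* resource "\([^"]*\)".*/\1/p')
  group=$(printf '%s\n' "$msg" | sed -n 's/.* in API group "\([^"]*\)".*/\1/p')
  ns=$(printf '%s\n' "$msg" | sed -n 's/.* in the namespace "\([^"]*\)".*/\1/p')
  # Not a Forbidden message in the expected shape: emit nothing.
  if [ -z "$user" ] || [ -z "$verb" ] || [ -z "$resource" ]; then return 1; fi

  # "at the cluster scope" needs ClusterRole; a named namespace needs Role.
  kind=ClusterRole; nsline=""
  if [ -n "$ns" ]; then
    kind=Role
    nsline="
  namespace: $ns"
  fi
  # Hypothetical naming scheme; "/" in subresources is not valid in a name.
  name=$(printf '%s-%s' "$verb" "$resource" | tr '/' '-')

  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ${kind}
metadata:
  name: ${name}${nsline}
rules:
- apiGroups: ["${group}"]
  resources: ["${resource}"]
  verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ${kind}Binding
metadata:
  name: ${name}-binding${nsline}
subjects:
- kind: User
  name: "${user}"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ${kind}
  name: ${name}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed input: the error text shown under Symptoms.
rbac_from_forbidden 'Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a1-111111aaaaa" cannot list resource "nodes" in API group "" at the cluster scope'
```

After an administrator applies the reviewed manifest, kubectl auth can-i list nodes run as the affected user should answer yes.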

Cause 2: Incorrect access assignments within a security group

If AKS manages integration with Microsoft Entra ID, the user might not have the correct assignment for the security group.

Solution: Have the security group admin assign the correct access level

Make sure the security group's administrator has given your account an Active or Conditional Access assignment. See AKS-managed Microsoft Entra integration, which has instructions for setting either an Active assignment or a Conditional Access assignment.
