vel

Reputation: 1200

Azure Kubernetes Error when running "az aks get-credentials" command

Azure Admins created a cluster for us. On a VM I installed "az cli" and "kubectl". With my account, in the Azure Portal I can see the Kubernetes Service and the Resource Group to which it belongs. At the level of that cluster in the Azure Portal I can see that I have the role:

"AKS Cluster Admin Operator"

I am logged on to the VM with kubectl with my account. I need to configure my kubectl to work with our cluster. When I try to execute:

az aks get-credentials --resource-group FRONT-AKS-NA2 --name front-aks

I am getting this error:

ForbiddenError: The client 'my_name@my_comp.COM' with object id '4ea46ad637c6' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/listClusterUserCredential/action' over scope '/subscriptions/89e05d73-8862-4007-a700-0f895fc0f7ea/resourceGroups/FRONT-AKS-NA2/providers/Microsoft.ContainerService/managedClusters/front-aks' or the scope is invalid. If access was recently granted, please refresh your credentials.

Upvotes: 4

Views: 45928

Answers (3)

Ionuț G. Stan

Reputation: 179119

For anyone else hitting this problem, check if your organization uses PIM (Microsoft Entra ID Privileged Identity Management). If that's the case, then you'll first have to activate your assignments via:

PIM -> Tasks -> My Roles -> Azure Resources -> Activate button(s) (one per subscription)

That's a path through the Azure Portal UI buttons. I don't have any scriptable solution so far.

Upvotes: 0

vladimir

Reputation: 15208

In my case, to refresh the recently granted credentials, this one helped:

az account set --subscription "your current subscription name"

It leads to a re-login and fixes the issue.

Upvotes: 15

Charles Xu

Reputation: 31414

Well, I see the comment, and you already got the solution. So I can just explain the difference to you. Hope it will help you!

When you use the command az aks get-credentials without the parameter --admin, it means the CLI command uses the default value: Cluster user. And when you use the cluster user, it just works if you integrate AKS with the AAD. But you said you just have the AKS Cluster Admin Operator role, so the appropriate parameter is --admin. You can get more details here.

And on my side, it's a little dangerous. If the AKS cluster is just for testing, there is no problem. But if it's for production, I recommend you integrate with the AAD and then give the appropriate permissions to the user. Because the admin user means you have all the permissions, and, you know, that's not safe.

Upvotes: 6
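The three answers each cover one cause of this ForbiddenError (missing the Cluster User role while holding the Cluster Admin role, a token that predates a grant, an unactivated PIM assignment). The script below is an added example, not code from any of the answers: it pulls the denied action and the cluster scope out of the error text, lists the AKS credential roles the principal holds on that scope through `az role assignment list`, and prints which remedy applies. It assumes a logged-in az CLI; the role names are Azure's built-in "Azure Kubernetes Service Cluster User Role" and "Azure Kubernetes Service Cluster Admin Role".

```shell
#!/bin/sh
# Triage for "does not have authorization to perform action ... over scope ..."
# from `az aks get-credentials`. Added example; assumes az CLI is logged in.
# usage: sh aks_triage.sh <upn-or-object-id> "<full error text>"
set -eu
q="'"

# Data action the error says was denied (text between "perform action '" and "'").
forbidden_action() {            # $1 = error text
  a=${1#*"perform action $q"}; printf '%s\n' "${a%%$q*}"
}

# Resource scope the error was raised over (text between "over scope '" and "'").
forbidden_scope() {             # $1 = error text
  s=${1#*"over scope $q"}; printf '%s\n' "${s%%$q*}"
}

# Built-in role that carries a given AKS credential action. Plain get-credentials
# needs the User role's action; get-credentials --admin needs the Admin role's.
role_for_action() {             # $1 = action
  case $1 in
    */listClusterUserCredential/action)  echo 'Azure Kubernetes Service Cluster User Role' ;;
    */listClusterAdminCredential/action) echo 'Azure Kubernetes Service Cluster Admin Role' ;;
    *) return 1 ;;
  esac
}

# AKS credential roles the principal holds on the scope, one per line.
# --include-inherited counts assignments made at resource-group or subscription level.
aks_roles_on_scope() {          # $1 = assignee (UPN or object id), $2 = scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited -o tsv \
    --query "[?contains(roleDefinitionName, 'Kubernetes Service Cluster')].roleDefinitionName"
}

# Compare the assignments with the denied action and print the applicable remedy.
advise() {                      # $1 = assignee, $2 = error text
  action=$(forbidden_action "$2"); scope=$(forbidden_scope "$2")
  needed=$(role_for_action "$action") || { echo "unrecognised action: $action"; return 1; }
  roles=$(aks_roles_on_scope "$1" "$scope")
  if printf '%s\n' "$roles" | grep -qF "$needed"; then
    echo "$needed is assigned on $scope but $action was still denied: the token predates the grant; run 'az account set --subscription <name>' or 'az login' (activate the PIM assignment first if your org uses PIM) and retry"
  elif printf '%s\n' "$roles" | grep -q 'Cluster Admin Role'; then
    echo "Cluster Admin Role on $scope: rerun get-credentials with --admin, or ask for '$needed' to keep the non-admin path"
  else
    echo "no AKS credential role on $scope: ask an owner to assign '$needed'"
  fi
}

[ "$#" -eq 2 ] && advise "$1" "$2"
```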
