Reputation: 2886
I am trying to create an instance of AKS Container Service with managed identity using an ARM template. No problems if I use the az CLI:
az aks create -g "sa-rg" -n "aks-cluster" --enable-managed-identity
However I cannot obtain the same result using an ARM template.
Let's consider the following base ARM template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi",
"secret": null
},
"identity": {
"type": "SystemAssigned"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
According to https://github.com/Azure/azure-cli/issues/12219#issuecomment-636143374, to create with managed identity (MSI), only the "identity" object should be needed, not "servicePrincipalProfile". But, if I do so, I get the following exception:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '5a6c6444-c74b-4709-888e-bef816d05ca9'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "Required parameter servicePrincipalProfile is missing (null).",\n "target": "servicePrincipalProfile"\n }. Details: "}]}}
However, if I insert "servicePrincipalProfile" (as shown above), I get:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '536bca0b-33b8-45f8-8407-edba873d3657'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.",\n "target": "servicePrincipalProfile.secret"\n }. Details: "}]}}
I have tried
"servicePrincipalProfile": {
"clientId": "msi",
"secret": null
},
"identity": {
"type": "SystemAssigned"
},

"servicePrincipalProfile": {
"clientId": "msi",
"secret": ""
},
"identity": {
"type": "SystemAssigned"
},

"servicePrincipalProfile": {
"clientId": "msi",
"secret": "dummy"
},
"identity": {
"type": "SystemAssigned"
},

"servicePrincipalProfile": {
"clientId": "msi"
},
"identity": {
"type": "SystemAssigned"
},
and again the same 4 removing "identity", but I always get "The value of parameter servicePrincipalProfile.secret is invalid".
What is the right ARM template to create the Container Service?
Upvotes: 1
Views: 2145
Reputation: 25349
I was deploying AKS using a template, and the template looked like this.
{
"name": "[parameters('Your-aks-name')]",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-07-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "Basic",
"tier": "Free"
},
"properties": {
"kubernetesVersion": "1.20.7",
"addonProfiles": { ..... },
"enableRBAC": "[parameters('aks_enableRBAC')]",
"dnsPrefix": "[variables('aks-dns-prefix')]",
"agentPoolProfiles": [
{ .... }
],
"servicePrincipalProfile": {
"ClientId": "[parameters('servicePrincipalClientId')]",
"Secret": "[parameters('servicePrincipalClientSecret')]"
}
}
}
So as you can see there, ClientId and Secret are needed.
And when I run, I get the following errors.
The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.
So I solved it as follows.
First create a service principal. It's given here in detail.
az ad sp create-for-rbac --skip-assignment --name vivek-globoticket-askcluster-sp
Note the app Id and password.
az ad sp show --id 67def144-ded3-4fe9-a2f1-cdec6689cd2e # use your app id here.
Also, once you create, you can see them in the azure portal as follows. Search and go into Azure Active Directory blade. Click on App Registrations and then All Applications or Owned Applications.
If you forgot to note down the password, then you have to delete the sp and then recreate it.
az ad sp delete --id a76ef144-dee3-4fe9-12f1-cdecn689cd2e # use your app id here.
So for servicePrincipalProfile in the template do this. For the client id, use AppId and for the secret, use the password.
Now try creating your aks and see what happens.
Upvotes: 0
Reputation: 29482
Few things:
- identity property should be at the root of the resource
- clientId: "msi" in the servicePrincipalProfile property
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
Upvotes: 2
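As an added example (not code from the question or from any answer on this page), here is a small Python pre-deployment check that encodes the two rules from the accepted answer, identity at the resource root and clientId "msi" with no secret key, and also flags the shape from the service-principal answer when the secret is a literal string rather than a template parameter expression. The sample templates below are constructed for the example; the client id and secret values in the last one are placeholders, and the finding messages are my own wording.

```python
import json
from typing import Any, Dict, List, Optional

AKS_TYPE = "microsoft.containerservice/managedclusters"


def _get(obj: Optional[Dict[str, Any]], key: str) -> Any:
    """Case-insensitive lookup, since ARM accepts ClientId as well as clientId."""
    if not isinstance(obj, dict):
        return None
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def _has(obj: Optional[Dict[str, Any]], key: str) -> bool:
    return isinstance(obj, dict) and any(k.lower() == key.lower() for k in obj)


def check_aks_identity(template: Dict[str, Any]) -> List[str]:
    """Return findings for every managedClusters resource in the template.

    An empty list means each cluster either matches the managed-identity shape
    (identity at the root, clientId "msi", no secret key) or uses a service
    principal whose secret comes from a template expression, not a literal."""
    findings: List[str] = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != AKS_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        root_identity = _get(res, "identity")
        spp = _get(props, "servicePrincipalProfile")
        client_id = _get(spp, "clientId")

        # Rule 1 from the accepted answer: identity belongs on the resource, not in properties.
        if _has(props, "identity") and root_identity is None:
            findings.append(f"{name}: 'identity' is nested under properties; move it to the resource root")

        uses_msi = root_identity is not None or str(client_id or "").lower() == "msi"
        if uses_msi:
            # Rule 2: with managed identity there must be no secret key at all
            # (the question shows that null, "" and a dummy string are all rejected).
            if _has(spp, "secret"):
                findings.append(f"{name}: managed identity requested but servicePrincipalProfile.secret is present; remove the key")
            if client_id is not None and str(client_id).lower() != "msi":
                findings.append(f"{name}: clientId must be \"msi\" when using managed identity")
        else:
            # Service-principal shape: a pasted secret lives in the template file forever.
            secret = _get(spp, "secret")
            if isinstance(secret, str) and not secret.startswith("["):
                findings.append(f"{name}: service principal secret is a literal in the template; pass it as a secureString parameter or switch to managed identity")
    return findings


def _cluster(identity: Optional[Dict[str, Any]], identity_in_props: bool,
             spp: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a minimal managedClusters resource for the constructed samples below."""
    props: Dict[str, Any] = {
        "dnsPrefix": "aks-cluster-dns", "enableRBAC": True,
        "agentPoolProfiles": [{"name": "agentpool", "count": 1, "vmSize": "Standard_DS2_v2", "mode": "System"}],
    }
    if spp is not None:
        props["servicePrincipalProfile"] = spp
    res: Dict[str, Any] = {"apiVersion": "2021-03-01", "type": "Microsoft.ContainerService/managedClusters",
                           "name": "aks-cluster", "location": "australiaeast", "properties": props}
    if identity is not None:
        (props if identity_in_props else res)["identity"] = identity
    return res


def _template(*resources: Dict[str, Any]) -> Dict[str, Any]:
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "resources": list(resources)}


# Constructed samples: the accepted answer's shape, the question's original shape,
# and two service-principal shapes (parameterised secret vs. placeholder literal).
GOOD_MSI = _template(_cluster({"type": "SystemAssigned"}, False, {"clientId": "msi"}))
QUESTION_SHAPE = _template(_cluster({"type": "SystemAssigned"}, True, {"clientId": "msi", "secret": None}))
SP_PARAM = _template(_cluster(None, False, {"ClientId": "[parameters('spClientId')]",
                                            "Secret": "[parameters('spClientSecret')]"}))
SP_LITERAL = _template(_cluster(None, False, {"ClientId": "00000000-0000-0000-0000-000000000000",
                                              "Secret": "PLACEHOLDER-NOT-A-REAL-SECRET"}))

if __name__ == "__main__":
    for label, tpl in [("good_msi", GOOD_MSI), ("question", QUESTION_SHAPE),
                       ("sp_param", SP_PARAM), ("sp_literal", SP_LITERAL)]:
        print(label, json.dumps(check_aks_identity(tpl), indent=2))
```

Run it before `az deployment group create`; an empty findings list for the managed-identity shape corresponds to the template in the accepted answer, while the question's original layout produces two findings (nested identity, secret key present). The literal-secret check is deliberately narrow: anything starting with `[` is treated as a template expression and left alone.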
Reputation: 1469
The servicePrincipalProfile is only used when you are provisioning a Service Principal outside of the ARM template and need to pass its properties into the template. In my deployments I've set this to an empty object, though it could potentially be omitted entirely as the documentation says it's not a required property.
"servicePrincipalProfile": {},
"identity": {
"type": "SystemAssigned"
},
Though it's not documented, in my experience you can also omit the identity property and it will default to SystemAssigned.
Upvotes: 0