kjd

Reputation: 71

Why does using data source attributes in Kubernetes terraform provider for RBAC enabled AKS give unauthorized error?

I have an RBAC-enabled AKS cluster and want to configure a Kubernetes provider in Terraform for this cluster. I want to read the cluster as a data resource and pass its credentials to my provider. The Azure login in the execution context is a member of an AD group that has been added as an administrator group on the cluster.

Running the Terraform script below throws an Unauthorized error when trying to create a namespace in the cluster.

main.tf

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "=2.73.0"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "=2.4.1"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_kubernetes_cluster" "k8s" {
  name                = var.aks.name
  resource_group_name = var.aks.rg_name
}

provider "kubernetes" {
  host    = data.azurerm_kubernetes_cluster.k8s.kube_config.0.host

  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate)
  client_key             = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_config.0.client_key)
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate)
}

resource "kubernetes_namespace" "ns" {
  metadata {
    name = "test"
  }
}

variables.tf

variable "aks" {
  type = object({
    rg_name = string
    name    = string
  })
  description = "AKS details"
}

Execution

scripts> terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_namespace.ns will be created
  + resource "kubernetes_namespace" "ns" {
      + id = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "test"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
kubernetes_namespace.ns: Creating...
╷
│ Error: Unauthorized
│ 
│   with kubernetes_namespace.ns,
│   on stackoverflow.tf line 31, in resource "kubernetes_namespace" "ns":
│   31: resource "kubernetes_namespace" "ns" {
│ 
╵

Upvotes: 0

Views: 1217

Answers (1)

kjd

Reputation: 71

The trace logs indicate that the kube_config object has empty values for several of the fields that are passed to the provider. Therefore, it causes the Unauthorized error. The correct object to use here, with an RBAC-enabled AKS cluster, is kube_admin_config. Updating the provider configuration to read credentials from the kube_admin_config object fixed the issue.

Fixed Provider Config:

provider "kubernetes" {
  host    = data.azurerm_kubernetes_cluster.k8s.kube_admin_config.0.host

  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_admin_config.0.client_certificate)
  client_key             = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_admin_config.0.client_key)
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_admin_config.0.cluster_ca_certificate)
}

Provider Documentation

Upvotes: 2
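An added example, not part of the question or the answer above: the reason kube_config carries no client certificate on an Azure AD integrated cluster is that users of such a cluster authenticate with AAD tokens, not with certificates, so the empty fields are expected rather than a bug. kube_admin_config is the same credential `az aks get-credentials --admin` returns: a static client certificate bound to cluster-admin that bypasses the AD group mapping entirely, which makes the admin group configured on the cluster irrelevant and leaves a long-lived cluster-admin key in Terraform state. The provider block below keeps the asker's own data source and resource and instead authenticates with the AAD identity of the execution context through a kubelogin exec plugin. It assumes the `kubelogin` binary and an active `az login` session exist on the machine running `terraform apply`; the `--server-id` value is the well-known AKS Azure AD server application ID.

```hcl
# Added example, not code from the original post. Assumes `kubelogin` and the
# Azure CLI are on PATH of the machine running `terraform apply`, and that the
# data source data.azurerm_kubernetes_cluster.k8s from the question exists.

provider "kubernetes" {
  # With Azure AD integration enabled, kube_config supplies the API server
  # endpoint and CA bundle but no client certificate/key: authentication is
  # token based, which is why passing the empty fields yields "Unauthorized".
  host                   = data.azurerm_kubernetes_cluster.k8s.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate)

  # Fetch an AAD access token for the AKS server application at plan/apply
  # time. "--login azurecli" reuses the current `az login` session, so the
  # namespace creation is authorized through the AD group that was added as
  # an admin group on the cluster, not through a shared admin certificate.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "kubelogin"
    args = [
      "get-token",
      "--login", "azurecli",
      "--server-id", "6dae42f8-4368-4678-94ff-3960e28e3630",
    ]
  }
}

resource "kubernetes_namespace" "ns" {
  metadata {
    name = "test"
  }
}
```

The token route also keeps working when local Kubernetes accounts are disabled on the cluster, in which case AKS issues no admin certificate and the kube_admin_config approach stops working. Whichever route is used, the credentials end up in Terraform state, so that state should be treated as a secret.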
