Reputation: 705
Authorization error while trying to issue DNS certificate with Azure DNS and cert manager
I was trying to use AzureDNS to generate a DNS certificate for my domain via cert-bot, I followed https://cert-manager.io/docs/configuration/acme/dns01/azuredns//#managed-identity-using-aad-pod-identity
I added the managed identity, the federation credential and verified that the managed identity has the DNS contributor role for the required DNS zone from the azure portal, the challenge still throws an error saying that the client does not have the required permissions to add a TXT record:
Status=403 Code="AuthorizationFailed" Message="The client '<principal_id>' with object id '<principal_id>' does not have authorization to perform action 'Microsoft.Network/dnsZones/TXT/write' over scope '/subscriptions/<sub_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/dnsZones/<dns_zone>/TXT/_acme-challenge' or the scope is invalid. If access was recently granted, please refresh your credentials.
How can we refresh the credentials ? I have tried re creating the issuer, the challenge etc, by deleting them using kubectl
Edit: Added more details
PS: I did assign the required roal and added a federated credential pointing to the service account and namespace used by cert-manager.
Upvotes: 3
Views: 1214
Answers (1)
Reputation: 954
As the error clearly stated, this issue was caused by the "access issue."
"The client 'principal_id>' with object id 'principal_id>' does not have authorization to perform action 'Microsoft.Network/dnsZones/TXT/write'."
We can verify whether a respective role was properly assigned or not on the portal.
Step1: Goto Subscription -> Access Control (IAM) -> RoleAssignments -> Search with id. Step2: See respective role"DNS contributor" was assigned or not. If not please assign and retry once.
refer this via cli. and Authorization Failed tutorials for more details.
How can we refresh the credentials ? Typically, refreshing means we can relog into the Azure portal using the same credentials we used previously on the same CLI.
az login
Please do couple of validations once:
Verify application workloads deployed to the new cluster and interact with it just as you've done with service-principal-based AKS
az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identityverify the Principal ID of control plane identity
az identity show --ids
refer this tutorial
Upvotes: 1
Related Questions
- Using icons instead of PNG in Xamarin Forms Tabs
- Xamarin forms TabbedPage icons are tiny
- Xamarin Forms Shell TabBar Rounded Corner
- NavigationPage.Icon, adding tab icon for android xamarin.forms
- Icon is shown in FlyoutItem but not in Tabbar on Bottom
- Xamarin Forms - Android tab bar with centered icons & no text
- Xamarin forms Shell Custom icon for selected tab
- Set Navigation Bar Title and Icon in code
- Tab icons in a Xamarin.Forms UWP TabbedPage?
- Can one use system icons on tabs in Xamarin Forms?