Jens Voorpyl

Reputation: 52

What authorization is needed to upgrade an AKS cluster?

I am trying to update my Azure Kubernetes Service (AKS) cluster with the following command:

az aks upgrade \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --kubernetes-version KUBERNETES_VERSION

This results in the following response:

(AuthorizationFailed) The client '>email<' with object id '>object id<' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/>id</resourceGroups/>resourcegroup-name</providers/Microsoft.ContainerService/managedClusters/>cluster-name<' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed

When I go to resourcegroup/Access Control (IAM), I find these roles assigned to me when I click on "view my access":

These are:

Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action.
--
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
--
Reader
View all resources, but does not allow you to make any changes.
--
Storage Account Contributor
Lets you manage storage accounts, including accessing storage account keys which prov...

I would expect that having the role "Azure Kubernetes Service RBAC Cluster Admin" that says: "Lets you manage all resources in the cluster." would authorize me to upgrade the cluster to a new version.

I run into the same problem when trying to create a static IP address via the Microsoft documentation.

Upvotes: 0

Views: 585

Answers (1)

Imran

Reputation: 5570

I created a Kubernetes cluster with version 1.24, and when I ran the same command I got the same error:

az aks upgrade \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --kubernetes-version KUBERNETES_VERSION

To resolve this issue, make sure to add the Contributor role to the user at the subscription level.

Now when I run the command below, I get the result successfully:

az aks upgrade --resource-group <RGName> --name <myAKSCluster> --kubernetes-version 1.25

"agentPoolProfiles": [
    {
      "availabilityZones": [
        "1",
        "2",
        "3"
      ],
      "count": 1,
      "creationData": null,
      "currentOrchestratorVersion": "1.25.6",
      "enableAutoScaling": true,
      "enableEncryptionAtHost": null,
      "enableFips": false,
      "enableNodePublicIp": false,
      "enableUltraSsd": null,
      "gpuInstanceProfile": null,
      "hostGroupId": null,
      "kubeletConfig": null,
      "kubeletDiskType": "OS",
      "linuxOsConfig": null,
      

Upvotes: 2
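
The error in the question names a control-plane action, so what decides the upgrade is whether an assigned role lists that action under Actions; a wildcard under DataActions (the Kubernetes API side) does not count. The sketch below is an added example, not code from the question or the answer: it evaluates abbreviated role definitions the way Azure RBAC matches wildcards. Assumptions: the definitions are hand-copied and shortened, the "Azure Kubernetes Service Contributor Role" entry is not mentioned on this page and is included for comparison, and scope and deny assignments are ignored.

```python
import re

MC = "Microsoft.ContainerService/managedClusters"
REQUIRED = f"{MC}/write"  # action named in the AuthorizationFailed error above

# Abbreviated built-in role definitions, hand-copied for illustration (assumption:
# confirm each with `az role definition list --name "<role>"`).
ROLES = {
    "Azure Kubernetes Service Cluster Admin Role": {
        "actions": [f"{MC}/listClusterAdminCredential/action", f"{MC}/read"]},
    "Azure Kubernetes Service RBAC Cluster Admin": {
        "actions": [f"{MC}/listClusterUserCredential/action"],
        "dataActions": [f"{MC}/*"]},
    "Reader": {"actions": ["*/read"]},
    "Storage Account Contributor": {"actions": ["Microsoft.Storage/storageAccounts/*"]},
    "Azure Kubernetes Service Contributor Role": {  # not on the page; added for comparison
        "actions": [f"{MC}/read", f"{MC}/write"]},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"]},
}
ASKER = list(ROLES)[:4]  # the four roles listed in the question

def matches(pattern, action):
    """Azure RBAC patterns are case-insensitive; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(name, action=REQUIRED):
    """Control-plane check: Actions minus NotActions; DataActions never count."""
    role = ROLES[name]
    allowed = any(matches(p, action) for p in role.get("actions", []))
    excluded = any(matches(p, action) for p in role.get("notActions", []))
    return allowed and not excluded

def granting_roles(assigned, action=REQUIRED):
    return [name for name in assigned if role_allows(name, action)]

def data_plane_only(assigned, action=REQUIRED):
    """Roles where only a DataActions pattern matches the action string."""
    return [n for n in assigned if not role_allows(n, action)
            and any(matches(p, action) for p in ROLES[n].get("dataActions", []))]

if __name__ == "__main__":
    print("grant the upgrade:", granting_roles(ASKER))
    print("data plane only:  ", data_plane_only(ASKER))
    print("plus Contributor: ", granting_roles(ASKER + ["Contributor"]))
```
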