Reputation: 89
When attempting to upgrade the AKS cluster via PowerShell, I seem to be getting failures when the upgrade call is sent to Azure. The user running the upgrade has the role Azure Kubernetes Service RBAC Cluster Admin, and no errors are prompted in PowerShell, the cmdlets just return, but there are errors in the Activity Log on the AKS.
PowerShell cmdlets for upgrading
$aksCluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $aksClusterName
$aksUpgrade = $aksCluster | Set-AzAksCluster -KubernetesVersion $version -AsJob
Errors seen in Activity Log
Create or Update Managed Cluster
Identity operation for resource '/subscriptions/<sub_id>/resourceGroups/rg001/providers/Microsoft.ContainerService/managedClusters/aks04001' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"The request format was unexpected, a non-UserAssigned identity type should not contain: userAssignedIdentities"}}'.'.
I am not sure what I need to pass in the Set-AzAksCluster -KubernetesVersion $version for it to pick up the AKS admin user. When I log in to the portal, the upgrade works fine, but for automation purposes it would be easier to do this via PowerShell.
Upvotes: 1
Views: 107
Reputation: 3781
As I said in the comments, this is likely due to a mismatch in the AKS cluster's identity type.
First, confirm whether your AKS cluster is using SystemAssigned, UserAssigned, or None. Also, the Azure Kubernetes Service RBAC Cluster Admin role should be assigned to the user performing the upgrade.
You can do this using either your object ID or your user principal name. I will use the object ID:
az role assignment create --assignee 12345-6789-abcd-efg-hijklmonop \
--role "Azure Kubernetes Service RBAC Cluster Admin" \
--scope /subscriptions/12345-6789-abcd-efgh-ijklmnop/resourceGroups/arkorg/providers/Microsoft.ContainerService/managedClusters/myAKSCluster
Once assigned, verify the same:
az role assignment list --assignee 12345-6789-abcd-efg-hijklmonop
Looks good, re-login to your AKS:
az aks get-credentials --resource-group arkorg --name myAKSCluster
Now that you have the necessary role assigned, you should be able to perform operations on the AKS cluster, including upgrades.
Check which versions you have available
To upgrade your AKS cluster:
az aks upgrade --resource-group arkorg --name myAKSCluster --kubernetes-version <target-kubernetes-version> --no-wait
You can monitor the upgrade:
az aks show --resource-group arkorg --name myAKSCluster --query "provisioningState"
Once done, the status should change as the upgrade proceeds, from Upgrading to Succeeded.
If instead of the Azure CLI you are using PowerShell, then update your commands as below.
Check the role assignment for the AKS cluster:
Get-AzRoleAssignment -ObjectId $objectId | Format-Table
It should be Contributor or Owner / Azure Kubernetes Service RBAC Cluster Admin.
If the role is missing, then assign the same:
New-AzRoleAssignment -ObjectId $objectId `
-RoleDefinitionName "Azure Kubernetes Service RBAC Cluster Admin" `
-Scope "/subscriptions/12345-6789-abcd-efgh-ijklmnop/resourceGroups/arkorg/providers/Microsoft.ContainerService/managedClusters/myAKSCluster"
Assign the Contributor role if missing:
New-AzRoleAssignment -ObjectId $objectId `
-RoleDefinitionName "Contributor" `
-Scope "/subscriptions/12345-6789-abcd-efgh-ijklmnop/resourceGroups/arkorg"
$resourceGroupName = "arkorg"
$aksClusterName = "myAKSCluster"
Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $aksClusterName
Once done, re-login fresh to your cluster.
Reference: Upgrade AKS cluster
Upvotes: 0
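An added example, not part of either post above: a PowerShell pre-flight that prints the identity type the answer says to confirm, then runs the question's `Set-AzAksCluster ... -AsJob` call and waits on the job so a failure is reported in the session instead of only in the Activity Log. It assumes the Az.Aks cluster object exposes `Identity.Type` and `Identity.UserAssignedIdentities`; the resource names are taken from the error message and the version is a placeholder.

```powershell
# Added example. Assumes an authenticated Az session (Connect-AzAccount).
$resourceGroupName = 'rg001'                        # from the error message
$aksClusterName    = 'aks04001'                     # from the error message
$version           = '<target-kubernetes-version>'  # placeholder

$aksCluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $aksClusterName

# Pre-flight: the Activity Log error names a request whose identity type is
# not UserAssigned but which still carries userAssignedIdentities.
# Property names below are an assumption about the Az.Aks cluster object.
$identityType = [string]$aksCluster.Identity.Type
$uai          = $aksCluster.Identity.UserAssignedIdentities
$uaiCount     = if ($uai) { $uai.Count } else { 0 }
Write-Host "Identity type: '$identityType'; user-assigned identities: $uaiCount"

if ($identityType -notmatch 'UserAssigned' -and $uaiCount -gt 0) {
    throw "Identity type '$identityType' carries userAssignedIdentities; the update would be rejected."
}

# -AsJob returns a job object immediately, so the cmdlet itself shows no
# error. Failures only surface when the job is waited on and received.
$job = $aksCluster | Set-AzAksCluster -KubernetesVersion $version -AsJob
$job | Wait-Job | Out-Null
$result = Receive-Job -Job $job -ErrorVariable jobErrors -ErrorAction SilentlyContinue

if ($job.State -ne 'Completed' -or $jobErrors) {
    foreach ($e in $jobErrors) { Write-Warning "$e" }
    throw "Upgrade job ended in state '$($job.State)'."
}

# Confirm the control plane's view rather than trusting the job alone.
$after = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $aksClusterName
'{0} is at {1}, provisioning state {2}' -f $after.Name, $after.KubernetesVersion, $after.ProvisioningState
```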