How to grant a Service Principal access to AKS API when RBAC and AAD integration are activated?
I need to grant a process (build pipeline) RBAC access to the AKS API for deployment purposes. But the target AKS cluster has AAD integration active (as described here).
I was expecting to be able to access the AKS API with a simple Service Principal, but I'm redirected to a devicelogin page:
$ az login --service-principal --username [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX --password [REDACTED]XXxxXXxxXXxxxXXXxxXXxxXXxx= --tenant [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX
$ az aks get-credentials -n oli-aksdemo01 -g oli-aksdemo01
Merged "oli-aksdemo01" as current context in /home/olivier/.kube/config
$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code C2NP77EGR to authenticate.
:-(
Is there a way to avoid the devicelogin page when authenticating a Service Principal on an AAD-integrated AKS cluster on Azure?
Solution 1:
TL;DR: It is not possible, yet.
I asked the very same question to Azure support and here is their answer:
When the AKS cluster is integrated with AAD, it will require redirecting to the device login page when authenticating to access the cluster.
Access cluster with Azure AD - https://docs.microsoft.com/en-us/azure/aks/aad-integration#access-cluster-with-azure-ad
Unfortunately this is currently by design and there is no other way to avoid this process at the moment but we would love to hear your voice.
Would you please provide your feedback through the link below so we may plan for the future.
https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks
Solution 2:
For anyone out there who still needs this.
I solved the same issue for my Jenkins pipeline. All you have to do is create a service principal with the cluster or subscription scope.
# Login as the service principal (no device-login prompt)
az login --service-principal --username <app-key> --password <password> --tenant <tenant>
# Get the admin credentials for the kubeconfig context
resourcegroup=<resource-group>
aksname=<cluster-name>
az aks get-credentials --resource-group "$resourcegroup" --name "$aksname" --admin
# Verify that the cluster is reachable with the merged context
kubectl get pods
You should be fine.
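A pipeline-ready version of the steps in this answer, added here as an example and not part of the original answer. It assumes the credentials arrive as the environment variables AZ_APP_ID, AZ_PASSWORD, AZ_TENANT plus AKS_RG and AKS_NAME (all hypothetical names), validates them before they reach a command line, and writes the admin kubeconfig to a per-job file instead of merging it into ~/.kube/config.

```shell
#!/bin/sh
# Added example, not code from the original answers: a non-interactive pipeline
# step that logs in as a service principal and writes the AKS admin kubeconfig
# to a dedicated file instead of merging it into ~/.kube/config.
# Assumed environment variables (injected by the pipeline as secrets):
#   AZ_APP_ID, AZ_PASSWORD, AZ_TENANT, AKS_RG, AKS_NAME
# Set AKS_LOGIN_RUN=1 to actually execute the az/kubectl calls.
set -eu

# Azure app ids and tenant ids are GUIDs; reject anything else before it
# reaches a command line (catches pasted placeholders and mangled secrets).
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}
# Verify every required variable is present and the ids are well formed.
# Returns 1 (with a message on stderr) on the first problem.
check_env() {
  for v in AZ_APP_ID AZ_PASSWORD AZ_TENANT AKS_RG AKS_NAME; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      return 1
    fi
  done
  is_guid "$AZ_APP_ID" || { echo "AZ_APP_ID is not a GUID" >&2; return 1; }
  is_guid "$AZ_TENANT" || { echo "AZ_TENANT is not a GUID" >&2; return 1; }
}
# Per-cluster kubeconfig under the job workspace. --admin returns the cluster's
# local cluster-admin credentials (they bypass AAD), so keep them out of the
# shared default kubeconfig and let the job clean them up afterwards.
kubeconfig_path() {
  echo "${WORKSPACE:-$PWD}/.kube/aks-${AKS_NAME}.config"
}
aks_login() {
  check_env
  az login --service-principal --username "$AZ_APP_ID" \
    --password "$AZ_PASSWORD" --tenant "$AZ_TENANT" >/dev/null
  KUBECONFIG="$(kubeconfig_path)"
  export KUBECONFIG
  mkdir -p "$(dirname "$KUBECONFIG")"
  az aks get-credentials --resource-group "$AKS_RG" --name "$AKS_NAME" \
    --admin --file "$KUBECONFIG" --overwrite-existing
  chmod 600 "$KUBECONFIG"
  kubectl get pods
}

if [ "${AKS_LOGIN_RUN:-0}" = "1" ]; then
  aks_login
fi
```

Run it with AKS_LOGIN_RUN=1 from the pipeline; without that variable the script only defines the functions, so the checks can be exercised without an Azure login.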