How to grant a Service Principal access to AKS API when RBAC and AAD integration are activated?

active-directory azure kubernetes rbac

I need to grant a process (build pipeline) RBAC access to AKS API for deployment purposes. But the target AKS cluster has AAD integration active (as described here)

I was expecting to be able to access the AKS API's with a simple Service Principal, but I'm redirected to a devicelogin page:

$ az login --service-principal  --username [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX --password [REDACTED]XXxxXXxxXXxxxXXXxxXXxxXXxx= --tenant [REDACTED]-XXXX-XXXX-XXXX-XXXXXXXXXXXX

$ az aks get-credentials -n oli-aksdemo01 -g oli-aksdemo01
Merged "oli-aksdemo01" as current context in /home/olivier/.kube/config

$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code C2NP77EGR to authenticate.

:-(

Is there a way to avoid the devicelogin page when authenticating a Service Principal on an AAD-integrated AKS cluster on Azure ?


Solution 1:

TL;DR : It is not possible, yet.
I asked the very same question to Azure support and here is their answer:

When the AKS cluster integrated with AAD it will require redirecting to the device login page when authenticating to access to the cluster.

Access cluster with Azure AD - https://docs.microsoft.com/en-us/azure/aks/aad-integration#access-cluster-with-azure-ad

Unfortunately this is currently by design and there is no other way to avoid this process at the moment but we would love to hear your voice.

Would you please provide your feedback through the links below so we may plan in the future.

https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks

Solution 2:

For anyone out there who still needs this.

I solved the same issue for my Jenkins pipeline. All you have to do is create a service principal with the cluster scope or subscription.

#login
az login --service-principal --username <app-key> --password <password> --tenant <tenant>

# Get the admin credentials for the kubeconfig context
az aks get-credentials --resource-group $resourcegroup --name $aksname --admin

#
kubectl get pods

you should be fine.

Related

Linux: What causes static ARP entries to flush on link down
Can I restore a Vzdump tar archive to an LXD/LXC container
mount.nfs: an incorrect mount option was specified
Running cron job manually and immediately with PHP
Preloading docker images with an ISO for redistribution
Any way to recover data from a corrupted RAID 6 array?
QLogic Fiber Card not working with HYVE-Zeus Server
How can I debug PAC (proxy auto config) on Windows 8.1 (IE11 and Modern UI)?
Extract the content of the image from which the Windows workstations are installed?
RESTful call in Java
Bash/sh - difference between && and ;
Pandas every nth row