step of "az aks create" failed in Azure Cloud Shell #19011

Closed
BellaLi opened this issue Nov 15, 2018 — with docs.microsoft.com · 11 comments

BellaLi commented Nov 15, 2018

Versions
azure-cli (2.0.50)
ACC_VERSION=master_20181107.3

az aks create --resource-group myAKSCluster --name bfAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 197, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 373, in execute
six.reraise(*sys.exc_info())
File "/opt/az/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 347, in execute
result = cmd(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 182, in __call__
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 440, in default_command_handler
result = op(**command_args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/acs/custom.py", line 1458, in aks_create
location=location, name=name)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/acs/custom.py", line 2049, in _ensure_aks_service_principal
service_principal = _build_service_principal(rbac_client, cli_ctx, name, url, client_secret)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/acs/custom.py", line 510, in _build_service_principal
start_date=start_date, end_date=end_date)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/acs/custom.py", line 1175, in create_application
return client.create(app_create_param)
File "/opt/az/lib/python3.6/site-packages/azure/graphrbac/operations/applications_operations.py", line 83, in create
response = self._client.send(request, stream=False, **operation_config)
File "/opt/az/lib/python3.6/site-packages/msrest/service_client.py", line 219, in send
pipeline_response = self.config.pipeline.run(request, **kwargs)
File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 203, in run
return first_node.send(pipeline_request, **kwargs) # type: ignore
File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 156, in send
response = self.next.send(request, **kwargs)
File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/requests.py", line 65, in send
self._creds.signed_session(session)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/adal_authentication.py", line 25, in signed_session
scheme, token, _ = self._token_retriever()
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 497, in _retrieve_token
return self._get_token_from_cloud_shell(resource)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 337, in _get_token_from_cloud_shell
auth = MSIAuthentication(resource=resource)
File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 576, in __init__
self.set_token()
File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 582, in set_token
self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 485, in get_msi_token
result.raise_for_status()
File "/opt/az/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token



@mimckitt
Contributor

Thanks for the feedback! We are currently investigating and will update you shortly.

Contributor

Me too

@mimckitt
Contributor

@BellaLi @brucedkyle I just ran through the doc and was able to create a cluster first try.

micah@Azure:~$ az --version
azure-cli (2.0.50)

micah@Azure:~$ az group create --name MicahAKSCluster2 --location eastus
{
  "id": "/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/MicahAKSCluster2",
  "location": "eastus",
  "managedBy": null,
  "name": "MicahAKSCluster2",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null
}
micah@Azure:~$ az aks create --resource-group MicahAKSCluster2 --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
 - Running ..
{
  "aadProfile": null,
  "addonProfiles": {
    "omsagent": {
      "config": {
        "logAnalyticsWorkspaceResourceID": "/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX-eus"
      },
      "enabled": true
    }
  },
  "agentPoolProfiles": [
    {
      "count": 1,
      "maxPods": 110,
      "name": "nodepool1",
      "osDiskSizeGb": 30,
      "osType": "Linux",
      "storageProfile": "ManagedDisks",
      "vmSize": "Standard_DS2_v2",
      "vnetSubnetId": null
    }
  ],
  "dnsPrefix": "myAKSClusXXXXXXXXXX-b83c1e",
  "enableRbac": true,
  "fqdn": "myaksclust-micahakscluster2-t-XXXXXXX-XXXX-XXXX-XXXX-X.hcp.eastus.azmk8s.io",
  "id": "/subscriptions/t-XXXXXXX-XXXX-XXXX-XXXX-X/resourcegroups/MicahAKSCluster2/providers/Microsoft.ContainerService/managedClusters/myAKSCluster",
  "kubernetesVersion": "1.9.11",
  "linuxProfile": {
    "adminUsername": "azureuser",
    "ssh": {
      "publicKeys": [
        {
          "keyData": "ssh-rsa t-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
        }
      ]
    }
  },
  "location": "eastus",
  "name": "myAKSCluster",
  "networkProfile": {
    "dnsServiceIp": "XX.XX.0.10",
    "dockerBridgeCidr": "XXX.XX.0.1/16",
    "networkPlugin": "kubenet",
    "networkPolicy": null,
    "podCidr": "XX.XXX.0.0/16",
    "serviceCidr": "XX.XX0.0/16"
  },
  "nodeResourceGroup": "MC_MicahAKSCluster2_myAKSCluster_eastus",
  "provisioningState": "Succeeded",
  "resourceGroup": "MicahAKSCluster2",
  "servicePrincipalProfile": {
    "clientId": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "secret": null
  },
  "tags": null,
  "type": "Microsoft.ContainerService/ManagedClusters"
}

Try deleting the Storage account used for your Cloud shell. Then when you go to start cloud shell again it will have you create a new container with all the correct and updated versions. This might resolve the issue.

Author

BellaLi commented Nov 16, 2018

Sure. Thanks for the investigation!

Author

BellaLi commented Nov 16, 2018

BTW, I had to add a role to yaml file, otherwise browsing Kubernetes Dashboard will complain "user "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list nodes at the cluster scope".

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kube-dashboard
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: rook-operator
  namespace: rook-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
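
A narrower alternative to the role in the comment above, as an added example that is not part of the original thread: it grants the dashboard's service account read-only access to nodes, the one resource named in the error message, instead of every verb. The name `dashboard-node-reader` is hypothetical, and the cluster is assumed to serve `rbac.authorization.k8s.io/v1`, the stable RBAC API version.

```yaml
# Added example, not from the thread. Read-only access to nodes for the
# dashboard service account named in the error message.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-node-reader        # hypothetical name
rules:
  - apiGroups: [""]                  # core API group, where nodes live
    resources: ["nodes"]             # only the resource the error names
    verbs: ["get", "list", "watch"]  # read-only; no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-node-reader        # hypothetical name
  # ClusterRoleBinding is cluster-scoped, so no metadata.namespace is set.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-node-reader
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard       # subject taken from the error message
    namespace: kube-system
```

The dashboard reports a similar "cannot list" error for each further resource type it is not allowed to read; adding those resources to the rule one at a time keeps the grant read-only.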

@mimckitt
Contributor

@BellaLi thanks for the extra information.

Since you were able to deploy the cluster and I have confirmed the doc works I will close this for now.

If anyone is still having issues just let me know.

Contributor

I'm getting an error at the step of creating the cluster az aks create ... with azure-cli 2.0.55 on Mac OS X 10.14.

Error:
az: error: argument _command_package: invalid choice: aks

Contributor

Update: got it working after clearing old config from previous azure-cli install and making sure the brew link to python3 was updated ok.
az --version

azure-cli (2.0.55)
...
Python location '/usr/local/opt/python/bin/python3.7'

@ghost

ghost commented Mar 14, 2019

For the current, default AZ CLI (2.0.60 w/Python 3.6.5) the documented commands fail standalone or in the Cloud Shell. It seems there needs to be some upfront Service Principal work to occur first. As currently documented, starting from scratch the generate-ssh-keys fails.

This provided command sequence fails as it attempts to create a secret with the error, "The password must contain at least 1 special character"

  • az group create --name myResourceGroup --location eastus

  • az aks create
    --resource-group myResourceGroup
    --name myAKSCluster
    --node-count 1
    --enable-addons monitoring
    --generate-ssh-keys

This sequence of commands works:

  • az group create --name myResourceGroup --location eastus

  • az ad sp create-for-rbac --skip-assignment

  • az aks create
    --resource-group myResourceGroup
    --name myAKSCluster
    --service-principal
    --client-secret

@jluk
Contributor

jluk commented Mar 14, 2019

@stevekmicrosoft I just responded to your internal email about this - it only impacts internal tenant deployments through CLI. Should be resolved on next CLI release, this was caused by an unannounced breaking change by AAD and workarounds include non-CLI deployments or using existing SPs.

@justSteve

@jluk I've just reported getting this error msg to this issue: Azure/azure-cli#9345.

@PRMerger13 PRMerger13 added the Pri1 label Mar 4, 2020