docs: how to change Service Principal credentials? #724
Comments
I think you might need to update the
Apart from modifying the credentials on each master, it would also be necessary to update There isn't an automated way to renew these credentials from acs-engine? If so, the cluster lifecycle would only last until the default expiration of the service principal password, and manual maintenance would be needed to keep the cluster working with Azure. Kops, for example, allows managing credentials for the cluster and rotating them if necessary, although some downtime may exist. This kind of cluster rolling update could be a useful feature for acs-engine, and would also enable other types of features like switching instance type.
Pasting my practice for how to update the service principal secret in an existing k8s cluster:
To automate this, you may use a custom extension to run these scripts in the VM; refer to https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution. Note that acs-engine is deprecated--see https://github.com/Azure/aks-engine instead.
Is this a request for help?: YES
Is this an ISSUE or FEATURE REQUEST? (choose one): QUESTION
What version of acs-engine?: 0.16.2
Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm): Kubernetes 1.9.7
--client-id and --client-secret to set the Service Principal credentials.
az ad sp credential reset ... to set a new password and I can login using the new password.
acs-engine to set the new Service Principal password in a running cluster?
I've tried to use acs-engine deploy again with the new password in the --client-secret argument, but it fails with the error "Changing property 'customData' is not allowed."