
Login using an aad service account on an aad integrated aks #354

Closed
adasseville opened this issue Feb 6, 2020 · 6 comments

@adasseville

Hi,

Based on this #235 comment, I'm trying to connect to an AAD-integrated AKS instance. For a non-AAD-integrated cluster this works fine, but for an AAD-integrated cluster the kubeConfigFileContent generated by the code snippet below is missing the "access-token" config key in the azure auth-provider section.

```csharp
// Authenticate the Azure management SDK with the service principal credentials
// and fetch the "user" kubeconfig for the AKS cluster.
var client = Azure
    .Configure()
    .Authenticate(credentials)
    .WithSubscription(subscription);
var kubeConfigFileContent = client.KubernetesClusters
    .GetUserKubeConfigContentsAsync(resourceGroup, clusterName).Result;
```

This means the SDK fails to build the KubernetesClientConfiguration object, throwing this error. This is because the access-token is required for the SetUserDetails method to work with the azure auth provider. This all makes sense to me. However, I do not understand how to, and have been unable to, create a kubeConfigFileContent containing an access-token. I naively tried to generate an access token myself to later inject into the kubeConfigFileContent; I succeeded in generating the token itself, but failed to get it to work.

```csharp
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// tenantId, clientId and clientSecret are the service principal's values, set elsewhere.
string resourceUri = "my-correct-resource-uri";
string authorityUri = "https://login.windows.net/common/oauth2/" + tenantId;
AuthenticationContext authContext = new AuthenticationContext(authorityUri);

// Client-credentials (service principal) flow: no interactive user involved.
var clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationResult token = authContext.AcquireTokenAsync(resourceUri, clientCredential).Result;
```

This is because the generated access token is not accepted by the k8s API, which returns 401 when I try to use it.

Is it at all possible to use an AAD service account for this scenario? Am I missing something? Do I need to specify specific arguments when requesting the access token? Do I need to grant specific API access to the service account to make it work?
I'm a bit puzzled here and hope someone can point me in the right direction.

Thanks a lot.
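A pre-flight check for the situation described in this post, as an added example that is not part of the issue or of the kubernetes-client/csharp project: before handing the returned kubeconfig to the client (whose SetUserDetails requires access-token under the azure auth-provider, as stated above), walk the users referenced by the current context and report what is missing or already expired. The input is the kubeconfig as a plain dict, i.e. what yaml.safe_load would return for the YAML text; the two kubeconfigs below are constructed samples with placeholder GUIDs and tokens, and the list of azure auth-provider keys beyond access-token is the one used by kubectl's azure plugin, assumed here for a client-side check only.

```python
"""Pre-flight check of the azure auth-provider section in a kubeconfig dict.

Added example; not code from the issue or the kubernetes-client/csharp project.
"""
import time

# access-token is the key the C# client's SetUserDetails insists on (per the issue).
# The remaining names are the kubectl azure plugin's config keys (assumption for this check).
AZURE_REQUIRED = ("apiserver-id", "client-id", "tenant-id", "access-token")
AZURE_OPTIONAL = ("environment", "refresh-token", "expires-in", "expires-on", "config-mode")


def azure_auth_provider_problems(kubeconfig, now=None):
    """Return human-readable problems found in azure auth-provider user entries.

    Only users referenced by current-context are checked when that context exists;
    otherwise every user is checked. An empty list means the entries look usable.
    """
    now = time.time() if now is None else now
    problems = []

    wanted_users = None
    ctx_name = kubeconfig.get("current-context")
    for ctx in kubeconfig.get("contexts", []):
        if ctx.get("name") == ctx_name:
            wanted_users = {ctx.get("context", {}).get("user")}

    for entry in kubeconfig.get("users", []):
        name = entry.get("name", "<unnamed>")
        if wanted_users is not None and name not in wanted_users:
            continue
        provider = entry.get("user", {}).get("auth-provider")
        # Token / client-certificate users and other providers are out of scope here.
        if provider is None or provider.get("name") != "azure":
            continue
        cfg = provider.get("config") or {}
        for key in AZURE_REQUIRED:
            if not cfg.get(key):
                problems.append(f"user {name!r}: azure auth-provider config lacks {key!r}")
        expires_on = cfg.get("expires-on")
        if expires_on is not None:
            try:
                if float(expires_on) <= now:
                    problems.append(f"user {name!r}: access-token expired (expires-on={expires_on})")
            except (TypeError, ValueError):
                problems.append(f"user {name!r}: expires-on {expires_on!r} is not a number")
        unknown = sorted(set(cfg) - set(AZURE_REQUIRED) - set(AZURE_OPTIONAL))
        if unknown:
            problems.append(f"user {name!r}: unexpected azure config keys {unknown}")
    return problems


# Constructed sample resembling the issue: identifiers present, no access-token.
KUBECONFIG_MISSING_TOKEN = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "my-aks",
    "contexts": [{"name": "my-aks", "context": {"cluster": "my-aks", "user": "clusterUser_rg_my-aks"}}],
    "users": [{
        "name": "clusterUser_rg_my-aks",
        "user": {"auth-provider": {"name": "azure", "config": {
            "apiserver-id": "00000000-0000-0000-0000-000000000001",
            "client-id": "00000000-0000-0000-0000-000000000002",
            "tenant-id": "00000000-0000-0000-0000-000000000003",
            "environment": "AzurePublicCloud",
        }}},
    }],
}

# Constructed sample of a usable entry, as written after an interactive login
# (token values are placeholders, expires-on is a Unix timestamp string).
KUBECONFIG_OK = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "my-aks",
    "contexts": [{"name": "my-aks", "context": {"cluster": "my-aks", "user": "clusterUser_rg_my-aks"}}],
    "users": [{
        "name": "clusterUser_rg_my-aks",
        "user": {"auth-provider": {"name": "azure", "config": {
            "apiserver-id": "00000000-0000-0000-0000-000000000001",
            "client-id": "00000000-0000-0000-0000-000000000002",
            "tenant-id": "00000000-0000-0000-0000-000000000003",
            "environment": "AzurePublicCloud",
            "access-token": "PLACEHOLDER-ACCESS-TOKEN",
            "refresh-token": "PLACEHOLDER-REFRESH-TOKEN",
            "expires-on": "1700000000",
        }}},
    }],
}

if __name__ == "__main__":
    for label, cfg in (("missing token", KUBECONFIG_MISSING_TOKEN), ("ok", KUBECONFIG_OK)):
        print(label, "->", azure_auth_provider_problems(cfg, now=1699999999) or "no problems")
```

Running the check on the management-API output before constructing KubernetesClientConfiguration turns the opaque SetUserDetails failure into a named missing key, and the expires-on test catches the other common cause of a 401, a token that was valid when the kubeconfig was written but has since lapsed.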

@brendandburns (Contributor)

Do you have a kubeconfig file that works with kubectl?

If you use that kubectl file with this client it should all work correctly.

That's the best tested path.

Let me know if that doesn't work, or if there are more questions.

@adasseville (Author)

Yes, I have a kubeconfig working with a named AAD "user" (by using az aks get-credentials), but not for a service principal. I did not succeed in creating one with the service principal for the azure auth-provider containing an access token.

@brendandburns (Contributor)

Ah, yes, I missed the Service Principal part. AAD + Kubernetes doesn't currently support service accounts unfortunately, it only supports interactive login.

We're working on improving that in the upstream Kubernetes.

@adasseville (Author)

Thanks @brendandburns
Is there any way I can track progress on that feature (request)?

@brendandburns (Contributor)

You can file an issue here:
https://github.com/Azure/AKS

If you'd like, please reference this issue in that one.
