Login using an aad service account on an aad integrated aks #354
Comments
Do you have a kubeconfig file that works with If you use that kubectl file with this client it should all work correctly. That's the best tested path. Let me know if that doesn't work, or if there are more questions.
Yes I have a kubeconfig working with a named aad "user" (by using az aks get-credentials), but not for a service principal. I did not succeed in creating one with the service principal for the azure auth-provider containing an access token.
Ah, yes, I missed the Service Principal part. AAD + Kubernetes doesn't currently support service accounts unfortunately, it only supports interactive login. We're working on improving that in the upstream Kubernetes.
Thanks @brendandburns
You can file an issue here: If you'd like, please reference this issue in that one.
Thanks for your feedback.
Hi,
Based on this #235 comment, I'm trying to connect to an aad integrated aks instance. For a non aad integrated cluster this works fine, but for an aad integrated cluster the kubeConfigFileContent generated by the code snippet below is missing the "access-token" config key in the azure auth-provider section.
This means the sdk fails to build the KubernetesClientConfiguration object throwing this error. This is because the access-token is required for method SetUserDetails to work with the azure auth provider. This all makes sense to me. However I do not understand, or am unable to create a kubeConfigFileContent containing an access-token. I tried naively to generate an access token myself to later inject in the kubeConfigFileContent and succeeded in generating the token itself, but failed to get it to work.
Namely because the generated access token is not accepted by the k8s api which throws 401 when trying to use it.
Is it at all possible to use an aad service account for this scenario? Am I missing something? Do I need to specify specific arguments when requesting the access token? Do I need to grant specific api access to the service account to make it work?
I'm a bit puzzled here and hope someone can point me in the right direction.
Thanks a lot.
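A preflight check for the situation described in the post above, as an added example that is not part of the original thread or of the client library: it takes a kubeconfig already parsed into a dict and reports users whose azure auth-provider config lacks an access-token, or carries one that is undecodable, expired or issued for another audience. The function names, the sample data and the rule that the token's `aud` should equal `apiserver-id` (optionally prefixed with `spn:`) are assumptions.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_azure_users(kubeconfig, now=None):
    """Return (user, problem) pairs for users that use the azure auth-provider."""
    now = time.time() if now is None else now
    findings = []
    for entry in kubeconfig.get("users") or []:
        provider = (entry.get("user") or {}).get("auth-provider") or {}
        if provider.get("name") != "azure":
            continue
        name, cfg = entry.get("name"), provider.get("config") or {}
        token = cfg.get("access-token")
        if not token:
            findings.append((name, "missing access-token"))
            continue
        try:
            claims = jwt_claims(token)
        except ValueError:  # also covers bad base64 and bad JSON
            findings.append((name, "access-token is not a decodable JWT"))
            continue
        if float(claims.get("exp", 0)) <= now:
            findings.append((name, "access-token expired"))
        # Assumption: the API server accepts only tokens issued for its own app id.
        server = cfg.get("apiserver-id", "")
        if claims.get("aud") not in (server, "spn:" + server):
            findings.append((name, "aud does not match apiserver-id"))
    return findings

def _user(name, token_claims=None):
    """Build a constructed sample user with an unsigned, made-up token (or none)."""
    cfg = {"apiserver-id": "server-app-id"}
    if token_claims is not None:
        body = base64.urlsafe_b64encode(json.dumps(token_claims).encode())
        cfg["access-token"] = "e30." + body.rstrip(b"=").decode() + ".sig"
    return {"name": name, "user": {"auth-provider": {"name": "azure", "config": cfg}}}

SAMPLE = {"users": [  # constructed sample, not real credentials
    _user("named-user", {"aud": "spn:server-app-id", "exp": 2000}), _user("service-principal"),
    _user("wrong-audience", {"aud": "https://management.azure.com/", "exp": 2000}),
]}
```

Running `check_azure_users` on a kubeconfig before handing it to the client separates a missing or stale token from an audience mismatch, which otherwise both surface only as a load failure or a 401.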