search

Azure / azure-cli

Azure Command-Line Interface
MIT License
4.03k stars 3.01k forks source link

Failing to attach ACR to AKS with az aks update #17823

Open jamesmcroft opened 3 years ago

jamesmcroft commented 3 years ago

Describe the bug

Recently ran into an issue where our Azure Pipelines were failing due to AKS not pulling contains from the ACR it's associated with.

Decided to check the service principal that is associated with the AKS using az aks show --resource-group {rg-name} --name {aks-name} --query servicePrincipalProfile.clientId followed by az ad sp credential list --id "{id}" --query "[].endDate" which said the expiration was in 2299 so it hasn't actually expired.

So I decided to try az aks update -n {aks-name} -g {rg-name} --attach-acr {acr-name} to make sure it was attached correctly, and received the error below.

This in a way verified the issue we are seeing with the AKS not pulling from the ACR because it too thinks the credentials are invalid.

Command Name az aks update

Errors:

Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace ID: 4d883dc1-f690-4750-9a20-bb70a4086a00\r\nCorrelation ID: 6270a346-27ec-4a57-bfcb-05c2e30ed75b\r\nTimestamp: 2021-04-22 16:13:41Z","error_codes":[7000222],"timestamp":"2021-04-22 16:13:41Z","trace_id":"4d883dc1-f690-4750-9a20-bb70a4086a00","correlation_id":"6270a346-27ec-4a57-bfcb-05c2e30ed75b","error_uri":"https://login.microsoftonline.com/error?code=7000222"} Endpoint https://login.microsoftonline.com/79f4ee44-b070-4e6...

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

AKS should update with the attached ACR.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.22.1

Additional Context

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details
## Describe the bug Recently ran into an issue where our Azure Pipelines were failing due to AKS not pulling contains from the ACR it's associated with. Decided to check the service principal that is associated with the AKS using `az aks show --resource-group {rg-name} --name {aks-name} --query servicePrincipalProfile.clientId` followed by `az ad sp credential list --id "{id}" --query "[].endDate"` which said the expiration was in 2299 so it hasn't actually expired. So I decided to try `az aks update -n {aks-name} -g {rg-name} --attach-acr {acr-name}` to make sure it was attached correctly, and received the error below. This in a way verified the issue we are seeing with the AKS not pulling from the ACR because it too thinks the credentials are invalid. **Command Name** `az aks update` **Errors:** ``` Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace ID: 4d883dc1-f690-4750-9a20-bb70a4086a00\r\nCorrelation ID: 6270a346-27ec-4a57-bfcb-05c2e30ed75b\r\nTimestamp: 2021-04-22 16:13:41Z","error_codes":[7000222],"timestamp":"2021-04-22 16:13:41Z","trace_id":"4d883dc1-f690-4750-9a20-bb70a4086a00","correlation_id":"6270a346-27ec-4a57-bfcb-05c2e30ed75b","error_uri":"https://login.microsoftonline.com/error?code=7000222"} Endpoint https://login.microsoftonline.com/79f4ee44-b070-4e6... ``` ## To Reproduce: Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information. - `az aks update -n {} -g {} --attach-acr {}` ## Expected Behavior AKS should update with the attached ACR. ## Environment Summary ``` Windows-10-10.0.19041-SP0 Python 3.6.8 Installer: MSI azure-cli 2.22.1 ``` ## Additional Context
Author: jamesmcroft
Assignees: -
Labels: `AKS`, `Service Attention`, `needs-triage`, `question`
Milestone: -
yungezz commented 3 years ago

route to appropriate team

kobi86 commented 1 year ago

I have similar issue, When I run: az aks update --resource-group XXX --name XXX --attach-acr XXX

I get: The behavior of this command has been altered by the following extension: aks-preview The command failed with an unexpected error. Here is the traceback: No module named 'azure.cli.command_modules.acs.decorator' Traceback (most recent call last): File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke cmd_result = self.invocation.execute(args) File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/init.py", line 663, in execute raise ex File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/init.py", line 726, in _run_jobs_serially results.append(self._run_job(expanded_arg, cmd_copy)) File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/init.py", line 697, in _run_job result = cmd_copy(params) File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/init.py", line 333, in call return self.handler(*args, kwargs) File "/opt/homebrew/Cellar/azure-cli/2.43.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler return op(command_args) File "/Users/XXXX/.azure/cliextensions/aks-preview/azext_aks_preview/custom.py", line 945, in aks_update from azure.cli.command_modules.acs.decorator import AKSParamDict ModuleNotFoundError: No module named 'azure.cli.command_modules.acs.decorator'