Azure / azure-cli

Azure Command-Line Interface
MIT License

Unable to create rolebinding with Trusted Access - can't find role #27174

Closed rk9qn3j closed 1 year ago

rk9qn3j commented 1 year ago

Describe the bug

Hi,

I'm trying to set up backup for AKS according to the documentation (https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-manage-backups), but am not able to complete the last step, Trusted Access related operations (https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-manage-backups#trusted-access-related-operations), as it results in an InvalidParameter error for some reason.

Related command

$ az aks trustedaccess role list --location westeurope -o table
Name                         SourceResourceType
---------------------------  --------------------------------------------
backup-operator              Microsoft.DataProtection/backupVaults
mlworkload                   Microsoft.MachineLearningServices/workspaces
inference-v1                 Microsoft.MachineLearningServices/workspaces
microsoft-defender-operator  Microsoft.Security/pricings

Errors

$ az aks trustedaccess rolebinding create -g xxx-${AZURE_ENVIRONMENT} -n trustedaccesstest --cluster-name xxx-${AZURE_ENVIRONMENT} --source-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx --roles Microsoft.DataProtection/backupVaults/backup-operator
(InvalidParameter) The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Code: InvalidParameter
Message: The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Target: properties.roles

Issue script & Debug output

$ az aks trustedaccess rolebinding create -g xxx-${AZURE_ENVIRONMENT} -n trustedaccesstest --cluster-name xxx-${AZURE_ENVIRONMENT} --source-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx --roles Microsoft.DataProtection/backupVaults/backup-operator --debug
cli.knack.cli: Command arguments: ['aks', 'trustedaccess', 'rolebinding', 'create', '-g', 'xxx', '-n', 'trustedaccesstest', '--cluster-name', 'xxx', '--source-resource-id', '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx', '--roles', 'Microsoft.DataProtection/backupVaults/backup-operator', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fa05208c400>, <function OutputProducer.on_global_arguments at 0x7fa051feb9c0>, <function CLIQuery.on_global_arguments at 0x7fa0520214e0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'aks': ['azext_aks_preview', 'azure.cli.command_modules.acs']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: acs                       0.034         6        48
cli.azure.cli.core: Total (1)                 0.034         6        48
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.knack.cli: Event: CommandLoader.OnLoadCommandTable []
cli.azure.cli.core: aks-preview               0.002        14        75  /home/xxx/.azure/cliextensions/aks-preview
cli.azure.cli.core: Total (1)                 0.002        14        75  
cli.azure.cli.core: Loaded 16 groups, 86 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : aks trustedaccess rolebinding create
cli.azure.cli.core: Command table: aks trustedaccess rolebinding create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fa050a2e3e0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/xxx/.azure/commands/2023-08-15.16-44-41.aks_trustedaccess_rolebinding_create.237995.log'.
az_command_data_logger: command args: aks trustedaccess rolebinding create -g {} -n {} --cluster-name {} --source-resource-id {} --roles {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fa050a5c360>]
cli.knack.cli: Event: CommandLoader.OnLoadArguments []
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fa050a868e0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fa050a86a20>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fa051feba60>, <function CLIQuery.handle_query_parameter at 0x7fa052021580>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fa050a86980>]
az_command_data_logger: extension name: aks-preview
az_command_data_logger: extension version: 0.5.152
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ContainerServiceClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/xxx/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/xxx/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/xxx/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/xxx/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/xxx/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/xxx/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/xxx/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/xxx/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 9ec976f5-032b-41ff-83ce-ae4fca1433d1
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/xxx/trustedAccessRoleBindings/trustedaccesstest?api-version=2023-06-02-preview'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '443558a6-3b7a-11ee-b7a0-64497d8eb976'
cli.azure.cli.core.sdk.policies:     'CommandName': 'aks trustedaccess rolebinding create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-g -n --cluster-name --source-resource-id --roles --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.50.0 (RPM) azsdk-python-azure-mgmt-containerservice/24.0.0b Python/3.11.4 (Linux-6.4.10-200.fc38.x86_64-x86_64-with-glibc2.37)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/xxx/trustedAccessRoleBindings/trustedaccesstest?api-version=2023-06-02-preview HTTP/1.1" 404 426
cli.azure.cli.core.sdk.policies: Response status: 404
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '426'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '11998'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'b79612bc-a665-431c-801e-c714006356ce'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '925fb09f-c451-468a-8920-de03aea5de85'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'nginx'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'SWEDENSOUTH:20230815T144441Z:b79612bc-a665-431c-801e-c714006356ce'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 15 Aug 2023 14:44:41 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "code": "NotFound",
  "details": [
   {
    "code": "Unspecified",
    "message": "rpc error: code = NotFound desc = TrustedAccessRoleBinding not found"
   }
  ],
  "message": "Could not find the trusted access role binding trustedaccesstest in subscription: xxx, resourceGroup: xxx, clusterName: xxx.",
  "subcode": "GetTrustedAccessRoleBinding_NotFound"
 }
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/xxx/trustedAccessRoleBindings/trustedaccesstest?api-version=2023-06-02-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '248'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '443558a6-3b7a-11ee-b7a0-64497d8eb976'
cli.azure.cli.core.sdk.policies:     'CommandName': 'aks trustedaccess rolebinding create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-g -n --cluster-name --source-resource-id --roles --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.50.0 (RPM) azsdk-python-azure-mgmt-containerservice/24.0.0b Python/3.11.4 (Linux-6.4.10-200.fc38.x86_64-x86_64-with-glibc2.37)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"sourceResourceId": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx", "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"]}}
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/xxx/trustedAccessRoleBindings/trustedaccesstest?api-version=2023-06-02-preview HTTP/1.1" 400 288
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '288'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1198'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'c30dd5ff-36e4-4fd1-8bf8-f6e01069b4a2'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '4e4b4ed0-66ba-47d2-92da-9fd1381128cd'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Server': 'nginx'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'SWEDENSOUTH:20230815T144442Z:c30dd5ff-36e4-4fd1-8bf8-f6e01069b4a2'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 15 Aug 2023 14:44:41 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "code": "InvalidParameter",
  "details": null,
  "message": "The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.",
  "subcode": "",
  "target": "properties.roles"
 }
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/home/xxx/.azure/cliextensions/aks-preview/azext_aks_preview/custom.py", line 2383, in aks_trustedaccess_role_binding_create
    return client.create_or_update(resource_group_name, cluster_name, role_binding_name, roleBinding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/xxx/.azure/cliextensions/aks-preview/azext_aks_preview/vendored_sdks/azure_mgmt_preview_aks/v2023_06_02_preview/operations/_trusted_access_role_bindings_operations.py", line 576, in create_or_update
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (InvalidParameter) The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Code: InvalidParameter
Message: The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Target: properties.roles

cli.azure.cli.core.azclierror: (InvalidParameter) The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Code: InvalidParameter
Message: The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Target: properties.roles
az_command_data_logger: (InvalidParameter) The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Code: InvalidParameter
Message: The value of parameter properties.roles is invalid. Error details: role must begin with source resource type. Please see https://aka.ms/aks-naming-rules for more details.
Target: properties.roles
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fa050a2e660>]
az_command_data_logger: exit code: 1
cli.azure.cli.__main__: Command ran in 1.053 seconds (init: 0.130, invoke: 0.922)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4059 in cache

Expected behavior

The command should create Trusted Access between the backup vault and AKS cluster.

Environment Summary

azure-cli 2.50.0 *

core 2.50.0 telemetry 1.0.8

Extensions: aks-preview 0.5.152 k8s-extension 1.4.2

Dependencies: msal 1.22.0 azure-mgmt-resource 23.1.0b2

Python location '/usr/bin/python3' Extensions directory '/home/xxx/.azure/cliextensions'

Python (Linux) 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)]

Additional context

No response

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @rk9qn3j,

2.50.0 is not the latest Azure CLI (2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

navba-MSFT commented 1 year ago

@rk9qn3j Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

microsoft-github-policy-service[bot] commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

CocoWang-wql commented 1 year ago

Checking it

YitongFeng-git commented 1 year ago

--source-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx --roles Microsoft.DataProtection/backupVaults/backup-operator

These two must be equal.

If you want to use the "Microsoft.DataProtection/backupVaults/backup-operator" role to access an AKS cluster, this role can only bind to a resource of type Microsoft.DataProtection, that is, --source-resource-id /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.DataProtection. If you want the resource /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx to access AKS, you should bind roles with --roles Microsoft.RecoveryServices/xxxxx

rk9qn3j commented 1 year ago

@YitongFeng-git Okay, I assumed from the documentation, that I could just use the role stated in the example. Is there an equivalent to backup-operator, but under Microsoft.RecoveryServices?

CocoWang-wql commented 1 year ago

Hello @rk9qn3j It depends on which roles are provided by Azure backup service. I will loop Azure backup PM here.

rk9qn3j commented 1 year ago

Any update on this?

rajats22 commented 1 year ago

Hi @rk9qn3j,

AKS Backup is only available with Backup Vault (Microsoft.DataProtection). It is not available with Recovery Services Vault (Microsoft.RecoveryServices). Please use Backup Vault to protect your AKS clusters.
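As an added example (not code from azure-cli or from anyone in this thread), the following Python pre-check applies the rule behind the error and the two replies above: the role passed to `--roles` must start with the `<namespace>/<type>` of the resource in `--source-resource-id`, and for AKS Backup that source must be a `Microsoft.DataProtection/backupVaults` resource. The role table is constructed from the `az aks trustedaccess role list` output in the issue, and the resource-id parser assumes a top-level ARM resource (no child resources).

```python
import re

# Constructed from the `az aks trustedaccess role list --location westeurope`
# output in the issue: role name -> source resource type it belongs to.
KNOWN_ROLES = {
    "backup-operator": "Microsoft.DataProtection/backupVaults",
    "mlworkload": "Microsoft.MachineLearningServices/workspaces",
    "inference-v1": "Microsoft.MachineLearningServices/workspaces",
    "microsoft-defender-operator": "Microsoft.Security/pricings",
}

# Assumption: only top-level ARM resources are handled here.
_ARM_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def source_resource_type(resource_id: str) -> str:
    """Return '<namespace>/<type>' (e.g. Microsoft.DataProtection/backupVaults)."""
    m = _ARM_ID.match(resource_id)
    if not m:
        raise ValueError(f"not a top-level ARM resource id: {resource_id}")
    return f"{m['ns']}/{m['type']}"


def check_role_binding(resource_id: str, roles: list[str]) -> list[str]:
    """Reproduce ARM's check locally: every role must begin with the
    source resource type, and the short role name must be one that is
    actually offered for that type. Returns a list of problems; an empty
    list means the binding should be accepted."""
    problems = []
    src_type = source_resource_type(resource_id)
    for role in roles:
        prefix, _, short = role.rpartition("/")
        if prefix.lower() != src_type.lower():
            problems.append(
                f"{role!r}: role must begin with source resource type {src_type!r}"
            )
        elif KNOWN_ROLES.get(short, "").lower() != src_type.lower():
            problems.append(f"{role!r}: no such role listed for {src_type!r}")
    return problems


if __name__ == "__main__":
    # The binding from the issue: a Recovery Services vault as source, but a
    # backup-vault role. This is exactly what ARM rejected with InvalidParameter.
    rsv = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx"
    # The corrected binding: a Backup Vault (Microsoft.DataProtection) as source.
    bv = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.DataProtection/backupVaults/xxx"
    role = ["Microsoft.DataProtection/backupVaults/backup-operator"]
    for src in (rsv, bv):
        print(src, "->", check_role_binding(src, role) or "OK")
```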

rk9qn3j commented 1 year ago

Got it! Thanks!