search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.97k stars 2.95k forks source link

Getting "permission denied" during az aks get-credentials #4746

Closed artisticcheese closed 6 years ago

artisticcheese commented 6 years ago

Environment summary

Shell: Powershell Installed via MSI az --version 2.0.20

Getting permission denied when running az aks get-credentials command. Powershell is being run as administrator

PS C:\Users\admin> az aks get-credentials --resource-group Kubernetes-RG --name=Kubernetes-Cluster
[Errno 13] Permission denied: 'D:\\temp\\tmpl34_mzlt'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'D:\\temp\\tmpl34_mzlt'
mikevh commented 6 years ago

I am also getting this error. Same result when running in an Administrator command window

C:\Users\sifte>az aks get-credentials -g aks -n mvaks
[Errno 13] Permission denied: 'C:\\Users\\sifte\\AppData\\Local\\Temp\\tmp4o2c9ha2'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\sifte\\AppData\\Local\\Temp\\tmp4o2c9ha2

C:\Users\sifte>az --version

azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\sifte\.azure\cliextensions

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal
rbigeard commented 6 years ago

Same here (works fine in WSL/Ubuntu, error only manifests itself with the Windows version of the CLI). I have full access to the Temp dir. I deactivated "Controlled Folder Access" to no avail.

C:\Users\rafb> az aks get-credentials --resource-group myK8Group --name myCluster
[Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'

PS C:\Users\rafb> az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\rafb\.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal
yugangw-msft commented 6 years ago

@mboersma, please investigate. The possible cause is in the upstream method of aks_get_credentials, the temp file is already opened, and then the downstream merge_kubernetes_configurations tries to open it again. The Windows OS might reject such file re-opening as the first writing file handle is not yet closed.

mikevh commented 6 years ago

Works when running the azure cli from a docker container image azuresdk/azure-cli-python:latest

bash-4.3# az group create -n aks2 -l westus2
Location    Name
----------  ------
westus2     aks2
bash-4.3# az aks create -g aks2 -l westus2 -n mvaks2 --generate-ssh-keys -k 1.8.1 -c 1
SSH key files '/root/.ssh/id_rsa' and '/root/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage like Azure Cloud Shell without an attached file share, back up your keys to a safe location
Location    Name    ResourceGroup
----------  ------  ---------------
westus2     mvaks2  aks2
bash-4.3# az aks get-credentials -n mvaks2 -g aks2
Merged "mvaks2" as current context in /root/.kube/config
bash-4.3# az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.5.2 (default, Dec 27 2016, 21:33:11)
[GCC 5.3.0]

Legal docs and information: aka.ms/AzureCliLegal

bash-4.3#
benc-uk commented 6 years ago

I get this problem when running az in Windows (PowerShell) and also in WSL bash If I use sudo in bash it works, but then I can't use az aks browse to view the dashboard. Help!

On v2.20 CLI in both WSL and Windows

tomconte commented 6 years ago

+1 here on Windows too.

As a workaround, I used the command below to write the YAML to my kubectl config. Careful not to overwrite your existing configuration!

az aks get-credentials -g my-aks -n aks -f - > .kube\config
benc-uk commented 6 years ago

@tomconte I just tried that. When using that config, I get an error. It seems like it is expecting JSON, but the az aks get-credentials -f outputs YAML

couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
paolosalvatori commented 6 years ago

+1 I get the same error running:

az aks get-credentials --name AksKubernetes --resource-group AksKubernetesResourceGroup

from a command-prompt ran as an administrator.

Note:

I created an ACS\K8s cluster with az acs a few days ago and

az acs get-credentials --name AcsKubernetes --resource-group AcsKubernetesResourceGroup

worked as expected. I'm blocked.

Shell: Command-Prompt (run as administrator) Azure CLI installed via MSI az --version 2.0.20

benc-uk commented 6 years ago

I managed to run the command under sudo in WSL and then copy the ~/.kube/config out to my Windows filesystem e.g. c:\Users\foo\.kube\config to get the kubectl working in PowerShell.

However az aks broswe still fails with permissions problems, and I can't get the Kubernetes dashboard working in AKS via any other means.

This is a big blocker, given that AKS is high profile new service I expect a lot of people will be hitting this. These commands are literally in the Azure docs quick start guide for AKS

tomconte commented 6 years ago

This is definitely a problematic issue. As a workaround, to access the dashboard:

kubectl port-forward kubernetes-dashboard-3427906134-xlrcg 9090 --namespace kube-system

(you might need to change the Pod name; get it using kubectl get all --namespace kube-system)

Then open http://localhost:9090/

ppopadiyn commented 6 years ago

+1 Same error here.

az --version 2.0.20 Windows

artisticcheese commented 6 years ago

Broken in Azure Cloud Powershell as well

PS Azure:\> az aks get-credentials -g Kubernetes-RG -n Kubernetes-Cluster
[Errno 13] Permission denied: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\tmp_xabf6zl'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\tmp_xabf6zl'
artisticcheese commented 6 years ago

Workaround for anybody having the same issue.

  1. Go to Azure Bash cloudshell and execute your command az aks get-credentials -g Kubernetes-RG -n Kubernetes-Cluster
  2. Copy resulting config file to cloud drive cp .kube/config /usr/<your username>/clouddrive/config
  3. Go in Azure portal to your cloudshell storage account and go to Files and find your file share, download it and save it as .kube\config

With this steps it works for me on Windows desktop. browse still broken though.

BlitzkriegSoftware commented 6 years ago

Work around works great, AK AKA BROWSE and other commands are broken still because of the ERR 13, I even assigned my environment variables TMP and TEMP to point to a folder I knew I had full permissions on without any success. I hope a new version is out soon that fixes this issue!

benc-uk commented 6 years ago

Yes really want az aks browse to work, I can find no workaround that lets me access the AKS dashboard.

Do we have an ETA on a fix?

artisticcheese commented 6 years ago

@benc-uk Workaround for browse is to use @tomconte comment above. It works as expected after you got your credentials squared away.

andersarpi commented 6 years ago

My workaround for az aks browse is to run it in Bash on Ubuntu on Windows. Obviously a bit of a hassle if you don’t have it set up, but it works :)

ashipilov commented 6 years ago

Here is the workaround on windows if you don't have any clusters configured yet:

$path = "$env:USERPROFILE\.kube\config"
az aks get-credentials --resource-group=CloudServices --name=CloudServicesKubernetesCluster --file - > $path
(Get-Content $path -Raw).Replace("`r`n","`n") | Set-Content $path -Force

Please note that it will replace existing kubectl configuration

benc-uk commented 6 years ago

Hi @andersarpi, when I try in WSL I get the following error

error: error upgrading connection: error dialing backend: dial tcp 10.240.0.4:10250: getsockopt: connection refused

Looking at the comments in the docs, several other people report the same problem

Are there any other steps you carried out for this to work?

GuofuZhong commented 6 years ago

When could fix it? I try @tomconte 's method but I still face this issue... `C:\Program Files (x86)>az --version azure-cli (2.0.20)

acr (2.0.14) acs (2.0.18) appservice (0.1.19) backup (1.0.2) batch (3.1.6) batchai (0.1.2) billing (0.1.6) cdn (0.0.10) cloud (2.0.9) cognitiveservices (0.1.9) command-modules-nspkg (2.0.1) component (2.0.8) configure (2.0.12) consumption (0.1.6) container (0.1.12) core (2.0.20) cosmosdb (0.1.14) dla (0.0.13) dls (0.0.16) eventgrid (0.1.5) extension (0.0.5) feedback (2.0.6) find (0.2.7) interactive (0.3.11) iot (0.1.13) keyvault (2.0.13) lab (0.0.12) monitor (0.0.11) network (2.0.17) nspkg (3.0.1) profile (2.0.15) rdbms (0.0.8) redis (0.2.10) resource (2.0.17) role (2.0.14) servicefabric (0.0.5) sql (2.0.14) storage (2.0.18) vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\guofzh.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal D:\Repos\UCM>az aks get-credentials --resource-group=myResourceGroup --name=myK8sCluster [Errno 13] Permission denied: 'C:\Users\guofzh\AppData\Local\Temp\tmp5rihzai5' Traceback (most recent call last): File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main cmd_result = APPLICATION.execute(args) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute result = expanded_arg.func(params) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands__init.py", line 377, in call return self.handler(*args, *kwargs) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands__init__.py", line 620, in _execute_command reraise(sys.exc_info()) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise raise value File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\init__.py", line 602, in _execute_command result = op(client, kwargs) if client else op(kwargs) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials merge_kubernetes_configurations(path, additional_file.name) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations with open(addition_file) as stream: PermissionError: [Errno 13] Permission denied: 'C:\Users\guofzh\AppData\Local\Temp\tmp5rihzai5'`

benc-uk commented 6 years ago

Looks like the fix was merged in very recently https://github.com/Azure/azure-cli/pull/4762 So hoping the next release of the CLI will resolve this

BlitzkriegSoftware commented 6 years ago

Any word on release date...???

BlitzkriegSoftware commented 6 years ago

Any word on release date...???

BlitzkriegSoftware commented 6 years ago

Any word on release date...???

BlitzkriegSoftware commented 6 years ago

Any word on release date...???

BlitzkriegSoftware commented 6 years ago

Any word on release date...???

BlitzkriegSoftware commented 6 years ago

Any word on release date...??? I can verify browse does not work in clud shell either.

BlitzkriegSoftware commented 6 years ago

Any word on release date...??? I can verify browse does not work in clud shell either. #4762

derekbekoe commented 6 years ago

We are releasing early next week.

artisticcheese commented 6 years ago

I'm wondering if Microsoft even tests anything on Windows anymore. This issue would have been caught pretty early on since none of showcased steps would work right out of the bat.

firazs commented 6 years ago

The following workaround worked for me: Use '-f=-' to redirect to STDOUT, then redirect output to a file using '>kube.config'

Example: az aks get-credentials -g=resourcegroupname -n=clustername -f=- >kube.config

derekbekoe commented 6 years ago

We have released the new update. It has version number 2.0.21. Get the new MSI at https://aka.ms/InstallAzureCliWindows.