Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License
253 stars 83 forks

Debugging #110

Closed oxhagolli closed 5 years ago

oxhagolli commented 5 years ago

Is there a way to debug each step in the docs for using keyvault flex volume?

I'm trying to connect keyvault from a different resource group than the AKS cluster. I followed all the steps for AAD Pod Identity, but they're very confusing, especially if you're not super familiar with all the Azure concepts. I have a suggestion: specify a command to get every missing piece (clientId, clientSecrets, service principal ids etc...). I spent a whole 15 minutes until I found that directoryId and tenantId are the same thing, so please, please clarify as much as possible where to get each missing piece. On top of that, there's no way for me to know at which step I messed up. Did all the permission changes go through properly? How can I check?

Lastly, even after following all the steps, I wasn't able to get everything to work: when I run kubectl get events I get the following error:

Applying binding id-binding node aks-agentpool-28658367-1 for pod nginx-default-aks-kv-identity resulted in error compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client '*****' with object id '*****' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/******/resourceGroups/MC_****_*****_centralus/providers/Microsoft.Compute/virtualMachines/aks-agentpool-28658367-1'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/*********/resourcegroups/********/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-kv-identity'."

ritazh commented 5 years ago

@oxhagolli Thanks for the feedback! Will definitely try to make the instructions more clear. Regarding the error you got, it seems the service principal used by the AKS cluster does not have permission to assign the new identity to the VMs. Please try the following command:

az role assignment create --role "Managed Identity Operator" --assignee <sp id> --scope <full id of the managed identity>

This step is here for future reference: https://github.com/Azure/kubernetes-keyvault-flexvol#option-2-pod-identity
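The "how can I check" question above, as an added example that is not part of the project or of either comment: it parses the LinkedAuthorizationFailed event text into the missing RBAC action, the principal's object id and the linked scope(s), then builds an `az role assignment list` check and the `az role assignment create` fix from the reply. The sample event is the masked message from the issue; the action-to-role map and the comma separator for multiple scopes are assumptions.

```python
import re
from typing import Optional

# Constructed sample: the masked 403 message from the kubectl event quoted in the issue.
SAMPLE_EVENT = (
    "compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 "
    "-- Original Error: Code=\"LinkedAuthorizationFailed\" Message=\"The client '*****' with "
    "object id '*****' has permission to perform action 'Microsoft.Compute/virtualMachines/write' "
    "on scope '/subscriptions/******/resourceGroups/MC_****_*****_centralus/providers/"
    "Microsoft.Compute/virtualMachines/aks-agentpool-28658367-1'; however, it does not have "
    "permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' "
    "on the linked scope(s) '/subscriptions/*********/resourcegroups/********/providers/"
    "Microsoft.ManagedIdentity/userAssignedIdentities/aks-kv-identity'.\""
)

# Assumption: only the identity-assignment case from this issue is mapped to a built-in role.
ACTION_TO_ROLE = {
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action": "Managed Identity Operator",
}

_CLIENT_RE = re.compile(r"The client '([^']*)' with object id '([^']*)'")
_MISSING_RE = re.compile(
    r"does not have permission to perform action '([^']+)' on the linked scope\(s\) '([^']+)'"
)


def parse_linked_auth_failure(message: str) -> Optional[dict]:
    """Extract principal ids, the missing action and the linked scopes; None if not this error."""
    if 'Code="LinkedAuthorizationFailed"' not in message:
        return None
    client, missing = _CLIENT_RE.search(message), _MISSING_RE.search(message)
    if not client or not missing:
        return None
    return {
        "client_id": client.group(1),
        "object_id": client.group(2),
        "action": missing.group(1),
        # Assumption: several linked scopes would be comma-separated inside the quotes.
        "scopes": [s.strip() for s in missing.group(2).split(",")],
    }


def remediation_commands(parsed: dict) -> list:
    """Per linked scope: a check that lists the role on that scope, then the fix from the reply."""
    role = ACTION_TO_ROLE.get(parsed["action"])
    if role is None:
        return []  # unknown action: no role to recommend
    cmds = []
    for scope in parsed["scopes"]:
        cmds.append(f'az role assignment list --assignee "{parsed["object_id"]}" --scope "{scope}" --role "{role}" -o table')
        cmds.append(f'az role assignment create --role "{role}" --assignee "{parsed["object_id"]}" --scope "{scope}"')
    return cmds
```

Run the check command first: an empty table means the assignment is missing and the create command is the one to apply.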