Closed sukruthakittur closed 4 years ago
Hi @sukruthakittur, the `client` and `object` in the error message returned by Azure are the object id of the service principal, not to be confused with the `clientid` (also known as `appId`) and the `clientsecret` of the service principal. You can get the `objectId` of the service principal via `az ad sp list --spn <CLIENT ID>` or via the portal.

To fix this issue, can you please make sure you have completed the following steps to give your SP READ access to the keyvault instance and the keyvault objects you want to get?

```bash
# Assign Reader Role to the service principal for your keyvault
az role assignment create --role Reader --assignee <principalid> --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/<keyvaultname>

az keyvault set-policy -n $KV_NAME --key-permissions get --spn <YOUR SPN CLIENT ID>
az keyvault set-policy -n $KV_NAME --secret-permissions get --spn <YOUR SPN CLIENT ID>
az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn <YOUR SPN CLIENT ID>
```
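The comment above boils down to two separate grants keyed on two different identifiers: an RBAC `Reader` assignment on the vault (addressed by the SP's objectId/principalId) and a vault access policy for keys, secrets and certificates (addressed by the SP's clientId/appId, but stored on the vault under its objectId). As an added example that is not code from this issue or from the flexvolume project, the Python below parses the authorization error, then checks both grants against JSON in the shape returned by `az keyvault show -n <vault> -o json` and `az role assignment list --scope <scope> -o json`. The ids, the error text and the JSON excerpts are constructed placeholders; the regex is written against the error format quoted in the issue.

```python
import json
import re

# Shape of the authorization error quoted in the issue; the regex captures the
# object id and the scope Azure reports, which are what any fix must target.
AUTH_ERROR_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"does not have authorization to perform action '(?P<action>[^']*)' "
    r"over scope '(?P<scope>[^']*)'"
)

# Constructed placeholder ids (not real principals).
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # objectId of the SP
SP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # appId / clientid of the SP
VAULT_SCOPE = ("/subscriptions/subscriptionID/resourceGroups/RSC-GRP"
               "/providers/Microsoft.KeyVault/vaults/some-vault")

# Constructed error text in the format the flexvolume surfaces.
SAMPLE_ERROR = (
    f"The client '{SP_OBJECT_ID}' with object id '{SP_OBJECT_ID}' does not have "
    "authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope "
    f"'{VAULT_SCOPE}' or the scope is invalid."
)

# Constructed excerpt of `az keyvault show -n some-vault -o json`.
# Note the policy entry carries both ids, but lookups are by objectId.
SAMPLE_VAULT = json.loads(json.dumps({
    "name": "some-vault",
    "properties": {"accessPolicies": [
        {"objectId": SP_OBJECT_ID, "applicationId": SP_CLIENT_ID,
         "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": ["get"]}}
    ]}
}))

# Constructed excerpt of `az role assignment list --scope <rg scope> -o json`;
# the Reader assignment sits at resource-group scope and is inherited by the vault.
SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": "/subscriptions/subscriptionID/resourceGroups/RSC-GRP"},
]


def parse_authorization_error(message):
    """Extract client, object_id, action and scope from the Azure error, or None."""
    m = AUTH_ERROR_RE.search(message)
    return m.groupdict() if m else None


def has_role_at_scope(assignments, object_id, scope, role="Reader"):
    """True if object_id holds `role` on `scope` directly or on a parent scope."""
    scope_l = scope.lower()
    for a in assignments:
        if a["principalId"].lower() != object_id.lower():
            continue
        if a["roleDefinitionName"].lower() != role.lower():
            continue
        a_scope = a["scope"].lower().rstrip("/")
        # Parent-scope match must stop at a path boundary so ".../RSC" does not
        # accidentally cover ".../RSC-GRP".
        if scope_l == a_scope or scope_l.startswith(a_scope + "/"):
            return True
    return False


def has_vault_permission(vault, object_id, kind="secrets", permission="get"):
    """True if the vault access policy for object_id grants `permission` on `kind`.

    Policies are keyed by objectId; looking up the clientid/appId here finds
    nothing, which is exactly the mix-up behind the error in the issue."""
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() == object_id.lower():
            granted = [p.lower() for p in (policy["permissions"].get(kind) or [])]
            return permission in granted
    return False


def preflight(error_message, vault, assignments,
              kinds=("keys", "secrets", "certificates")):
    """Return the grants still missing for the principal named in the error.

    An empty dict means both halves of the fix from the comment are in place."""
    parsed = parse_authorization_error(error_message)
    if parsed is None:
        raise ValueError("not an Azure authorization error")
    missing = {}
    if not has_role_at_scope(assignments, parsed["object_id"], parsed["scope"]):
        missing["role"] = f"Reader on {parsed['scope']}"
    for kind in kinds:
        if not has_vault_permission(vault, parsed["object_id"], kind):
            missing[kind] = "get"
    return missing


if __name__ == "__main__":
    print(preflight(SAMPLE_ERROR, SAMPLE_VAULT, SAMPLE_ASSIGNMENTS))  # {} when both grants exist
```

Feed `preflight` the real output of the two `az` commands and the error from `kubectl describe pod`; if the only thing you have is the clientid, resolve it to the objectId first (the comment's `az ad sp list --spn <CLIENT ID>`), because neither check will ever match on the clientid.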
@ritazh Thank you for the quick response. This is very helpful. I will resolve the issue on my end and this issue #119 can be closed.
```
MountVolume.SetUp failed for volume "kv-vol" : mount command failed, status: Failure, reason: /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, The client 'abc' with object id 'abc' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/subscriptionID/resourceGroups/RSC-GRP/providers/Microsoft.KeyVault/vaults/some-vault' or the scope is invalid. If access was recently granted, please refresh your credentials.
```

**Steps To Reproduce**

1. Add secret like below to Kube: `kubectl create secret generic kvcreds --from-literal clientid=123 --from-literal clientsecret=456 --type=azure/kv`
2. Deploy flex using the secrets from the above step (kvcreds): `kubectl create -f deployment/nginx-flex-kv.yaml`

**Expected behavior**

Should create the mount. My confusion is around the error message where the error says "The client 'abc' with object id 'abc' does not have authorization to perform action". However, I used a different client ID ("123") to add the secret. What am I missing here?

**Key Vault FlexVolume version**

LATEST

**Access mode: service principal or pod identity**

Service Principal

**Kubernetes version**

Client Version: v1.13.2
Server Version: v1.13.7

**Additional context**