mathieu-benoit / myakscluster

How to setup a secure Kubernetes cluster on Azure
http://alwaysupalwayson.com/private-aks-and-acr/

Use --service-principal in az aks create #6

Closed mathieu-benoit closed 5 years ago

mathieu-benoit commented 5 years ago

https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

Important remark: every year you have to update your AKS service principal credentials: https://docs.microsoft.com/en-us/azure/aks/update-credentials

mathieu-benoit commented 5 years ago

az role assignment list --assignee $spId --all -o table

Before az aks create:

Principal            Role         Scope
-------------------  -----------  ----------------------------------------------------------------------------------------------------------------
http://$rg           Contributor  /subscriptions/$subscriptionId

After az aks create:

Principal            Role         Scope
-------------------  -----------  ----------------------------------------------------------------------------------------------------------------
http://$rg           Contributor  /subscriptions/$subscriptionId
http://$rg           Contributor  /subscriptions/$subscriptionId/resourceGroups/MC_$rg_$aks_$location

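The two tables above show the service principal holding Contributor on the whole subscription both before and after `az aks create`, with AKS then adding a second Contributor assignment on the MC_ node resource group. The following is an added example, not code from this repository or from the issue thread: it audits the JSON form of the same `az role assignment list --assignee $spId --all -o json` output and flags any assignment scoped more broadly than a resource group. The sample data is constructed to mirror the "after" table, keeping the issue's `$rg`, `$subscriptionId`, `$aks` and `$location` placeholders; the key names (`principalName`, `roleDefinitionName`, `scope`) are the ones the Azure CLI emits for role assignments.

```python
import json
import re

# Constructed sample mirroring the "after az aks create" table in the issue.
# $rg, $subscriptionId, $aks and $location are kept as the issue's placeholders.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {
        "principalName": "http://$rg",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/$subscriptionId",
    },
    {
        "principalName": "http://$rg",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/$subscriptionId/resourceGroups/MC_$rg_$aks_$location",
    },
])

# Azure RBAC scope shapes, from broadest to narrowest. Anything that is not a
# management group, subscription or resource group is treated as a single resource.
_MANAGEMENT_GROUP = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)

_LEVELS = ["management_group", "subscription", "resource_group", "resource"]


def classify_scope(scope):
    """Return which RBAC level a scope string targets.

    The tenant root scope "/" is bucketed with management groups, since it is
    at least as broad as any of them.
    """
    if scope == "/" or _MANAGEMENT_GROUP.match(scope):
        return "management_group"
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resource_group"
    return "resource"


def audit_assignments(assignments_json, narrowest_ok="resource_group"):
    """Flag role assignments whose scope is broader than `narrowest_ok`.

    `assignments_json` is the text printed by
    `az role assignment list --assignee <sp> --all -o json`.
    Returns a list of (principalName, roleDefinitionName, scope, level)
    tuples for every assignment that exceeds the allowed level.
    """
    limit = _LEVELS.index(narrowest_ok)
    findings = []
    for assignment in json.loads(assignments_json):
        level = classify_scope(assignment["scope"])
        if _LEVELS.index(level) < limit:
            findings.append((
                assignment["principalName"],
                assignment["roleDefinitionName"],
                assignment["scope"],
                level,
            ))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; in practice pipe the az CLI output in.
    for principal, role, scope, level in audit_assignments(SAMPLE_ASSIGNMENTS_JSON):
        print(f"{principal}: {role} at {level} scope ({scope}) is broader than a resource group")
```

Running the audit on the sample reports only the subscription-wide Contributor assignment; the MC_ resource group assignment that AKS creates passes, which is the shape a per-cluster, least-privilege service principal would be expected to have.
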
mathieu-benoit commented 5 years ago

Not working yet with a dedicated SP per AKS cluster, with least privilege and scoped to that AKS resource.

Need to take this into account on the "master" SP:

If you're authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Taken from this: https://www.terraform.io/docs/providers/azurerm/r/azuread_service_principal_password.html

https://github.com/terraform-providers/terraform-provider-azuread/issues/35

I can't do that with Microsoft's AAD.