Kubelogin giving permission denied

Hello there, I started testing the kubernetes provider to be used on Azure AKS. Locally, I was able to configure it properly using a service principal. But when testing the same code using Terraform Cloud, it returns a permission denied when trying to access the kubelogin plugin; this is because when using TF Cloud, the workaround was to include the kubelogin binary in the source repo.

My provider looks like the following. Note that on command I’m pointing to my kubelogin binary:

provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.this.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.this.kube_config.0.cluster_ca_certificate)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command = "./kubelogin"
    args = [
      "get-token",
      "--login",
      "spn",
      "--environment",
      "AzurePublicCloud",
      "--tenant-id",
      var.tenant_id,
      "--server-id",
      var.aad_server_id,
      "--client-id",
      var.client_id,
      "--client-secret",
      var.client_secret
    ]
  }
}

And as said, when doing an apply it gives me the below message:

Error: Post "https://MY_AKS_CLUSTER:443/api/v1/namespaces": getting credentials: exec: fork/exec ./kubelogin: permission denied

Versions I’m using:
hashicorp/azurerm v3.67.0
kubernetes v2.22.0
Terraform v1.5.2

I’m running it from Windows, and I already tried giving all the permissions that I can think of. Any idea? What am I missing here? Let me know if any other detail is required to figure out what the solution would be. Any help will be much appreciated.
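The `fork/exec ./kubelogin: permission denied` error comes from the operating system refusing to execute a file that carries no execute bit, which is the mode a binary committed from a Windows checkout usually ends up with once a Linux runner checks it out. The following is an added example, not code from this thread: it reproduces the failure with a constructed stand-in script that prints an `ExecCredential` document of the kind an exec plugin must emit, then applies the fix. The names `make_stub`, `run_plugin`, `fix_mode` and `demo` are my own, and the token value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce the
# "fork/exec ./kubelogin: permission denied" failure with a stand-in
# script and show the fix that makes the execute bit survive a commit.

# Constructed stand-in for the kubelogin binary. It prints a minimal
# ExecCredential document, which is what the provider's exec block
# reads from a real plugin. Token is a placeholder, not a real credential.
make_stub() {
  dir=$(mktemp -d)
  cat > "$dir/kubelogin" <<'EOF'
#!/bin/sh
printf '{"apiVersion":"client.authentication.k8s.io/v1beta1","kind":"ExecCredential","status":{"token":"PLACEHOLDER_TOKEN"}}\n'
EOF
  # 644 is the mode a file committed from a Windows checkout typically
  # gets on a Linux runner: readable, but not executable.
  chmod 644 "$dir/kubelogin"
  echo "$dir"
}

# Invoke the stub the way the provider does (fork/exec of the given path)
# and report the exit status: 0 on success, 126 when it cannot be executed.
run_plugin() {
  if "$1/kubelogin" get-token --login spn >/dev/null 2>&1; then
    echo 0
  else
    echo $?
  fi
}

# Fix: set the execute bit on the checked-out file. Inside the repository
# the persistent fix is to record the mode in git's index, so every
# checkout (including the Terraform Cloud runner's) gets 100755:
#   git update-index --chmod=+x kubelogin
#   git ls-files -s kubelogin      # should now show 100755
fix_mode() {
  chmod +x "$1/kubelogin"
}

# Run the failing case, apply the fix, and run again.
# Returns "<status before> <status after>", expected "126 0".
demo() {
  d=$(make_stub)
  before=$(run_plugin "$d")
  fix_mode "$d"
  after=$(run_plugin "$d")
  rm -rf "$d"
  echo "$before $after"
}

demo
```

Git on Windows does not track the execute bit, so `git update-index --chmod=+x` is the change that has to be committed; a local `chmod` on the Windows side is not recorded. Separately, the `--client-secret` argument in the provider block is visible to anything on the runner that can list process arguments; the provider's `exec` block also accepts an `env` map, and kubelogin reads the secret from the `AAD_SERVICE_PRINCIPAL_CLIENT_SECRET` environment variable for the `spn` login, which keeps it out of the command line.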

Hello there!

I found this issue while looking for solutions, and I was able to find one that worked in my case, so I share it here in case it helps others, even if it’s been a long time since the original request.

In our case, we provided all the necessary roles to the Service Principal, but it was still giving 401 Unauthorized, and this was because I was trying to use a wrong --server-id. In the kubelogin documentation they explain that this is the application used by the server side and that the access token for accessing AKS clusters needs to be issued for this app. When I used this specific GUID for the --server-id option, it started working as expected!

I hope it helps others in the community.