Regarding issues using Kubelogin for AKS with a Service Principal

Terraform Providers Azure
1

Hi guys,

I’m having some issue with my AKS cluster provisioning with Azure AD authentication with Azure RBAC enabled.

I’ve successfully setup the Service Principle and am using that to authenticate my Terraform runner (for my CI/CD) to provision the cluster. Tho’ once the cluster is provisioned, I had issues then automating the deployment of Helm charts, due to not having the proper rights to deploy these after cluster-setup.

I figured Kubelogin with Spn login secret would be the ideal choice, but haven’t been able to make this work succesfully.

In my main.tf file below the ‘azurerm_kubernetes_cluster’ cluster provisioning, I have the following:

provider “kubernetes” {
host = data.azurerm_kubernetes_cluster.aks.kube_config.0.host
cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
exec {
api_version = “client.authentication.k8s.io/v1beta1
command = “./modules/terraform-azurerm-aks/kubelogin”
env = null
args = [
“get-token”,
“–login”,
“spn”,
“–environment”,
“AzurePublicCloud”,
“–tenant-id”,
var.tenant_id,
“–server-id”,
var.server_id,
“–client-id”,
var.client_id,
“–client-secret”,
var.client_secret
]
}
}

And the data-block is as follows:

data “azurerm_kubernetes_cluster” “aks” {
depends_on = [ azurerm_kubernetes_cluster.kubernetes-cluster ]
name = “aks-${local.name_full}”
resource_group_name = var.rg_name
}

Tho’ this still seems to fail and the cluster will complain about the following:
│ Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials

Is there something I’m missing, in terms of retaining this token for the rest of the “session” when the terraform-runner runs.

I tried locally just using the convert-kubeconfig, to verify that the values actually worked- which was a success. Tho’ of course this also changes the actual kubeconfig file to match the values given in the kubeconfig login command. Is it somewhat the same with the above command, or what could I be missing?

Hope it makes sense & someone can help me figure out what’s going wrong :slight_smile: !

Thanks a lot in advance :pray:

2

I am also having issues using kubelogin to access AKS clusters via the Kubernetes provider exec plugin.

No matter what permissions I supply the service principal, Terraform always returns Unauthorized when trying to read or create resources on the AKS cluster.