User Assigned Identities property keys should only be empty json objects, null or the resource exisiting property

caldwell2000 · February 16, 2021, 7:31pm

Within the past week azurerm_kubernetes_cluster started throwing and error with no code changes. We are using User Assigned Identities for our AKS cluster. The code in question is below and the resulting error. Any thoughts on what changed or how to troubleshoot the source of the issue?

# Create User Assigned Identity for the AKS Cluster
resource "azurerm_user_assigned_identity" "aks_id" {
  name                = "aks-${var.suffix}-${var.tags.environment}"
  resource_group_name = data.azurerm_resource_group.aks_rg.name
  location            = data.azurerm_resource_group.aks_rg.location
}

# Assign "Network Contributor rol on the resource group containing the subnet where the aks cluster will be deployed
resource "azurerm_role_assignment" "aks_role" {
  scope                = data.azurerm_resource_group.aks_vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks_id.principal_id
}

# Create AKS Cluster
resource "azurerm_kubernetes_cluster" "main" {
......
identity {
type = "UserAssigned"
user_assigned_identity_id = azurerm_user_assigned_identity.aks_id.id
}
}

# Create User Assigned Identity for the AKS Cluster
resource "azurerm_user_assigned_identity" "aks_id" {
name = "aks-${var.suffix}-${var.tags.environment}"
resource_group_name = data.azurerm_resource_group.aks_rg.name
location = data.azurerm_resource_group.aks_rg.location
}

Error: updating Managed Kubernetes Cluster "bokf-4321-dev-eastus-aks-enterprise" (Resource Group "bokf-4321-dev-eastus-rg-enterprise-aks"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidIdentityValues" Message="Invalid value for the identities '/subscriptions/xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxx-4321-dev-eastus-rg-enterprise-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-enterprise-dev'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
on .terraform/modules/aks/modules/compute/aks/aks_module.tf line 86, in resource "azurerm_kubernetes_cluster" "main":
86: resource "azurerm_kubernetes_cluster" "main" {

caldwell2000 · February 16, 2021, 3:05pm

I can delete the AKS cluster and recreate it from scratch without error. If I then try to make no changes to the terraform code and simply run another apply. I get the same error. The only way to get past this error is to delete the AKS cluster and recreate any time I run an apply regardless of any or no changes to the code. Please advise.

camille.mahaut · March 17, 2021, 12:09am

I have the same issue, do you have a workarround ?

dutsmiller · March 17, 2021, 5:52pm

I am also having the same issue.

aei · March 21, 2021, 10:22pm

I’m also facing this issue now.

vjavle · April 2, 2021, 2:16pm

Just faced it today.

Error: updating Managed Kubernetes Cluster “aks-cluster-name” (Resource Group “resourcegroup_xxxx”): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 – Original Error: Code=“InvalidIdentityValues”
Message=“Invalid value for the identities ‘/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/resourcegroup_xxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks_user_identity_xxxx’.
The ‘UserAssignedIdentities’ property keys should only be empty json objects, null or the resource exisiting property.”

Daniel858 · April 8, 2021, 7:08am

We also just encountered this problem. We use a user assigned managed identity that has the “Network Contributor” role on our Vnet for our K8s cluster. Creating and recreating the cluster works fine, but when we try to make changes to an exisiting cluster (e.g. increase node count), we also get this error message:

Error: updating Managed Kubernetes Cluster “cluster-name” (Resource Group “resource-group-name”): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 – Original Error: Code=“InvalidIdentityValues” Message=“Invalid value for the identities ‘/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-assigned-identity-name’. The ‘UserAssignedIdentities’ property keys should only be empty json objects, null or the resource exisiting property.”

Does somebody know how to solve this?

asnowfix · June 3, 2021, 4:01pm

See r/kubernetes_cluster: api returns InvalidIdentityValues during update · Issue #10406 · terraform-providers/terraform-provider-azurerm · GitHub. Seems like the issue was fixed w/ azurerm >= 2.57