User Assigned Identities property keys should only be empty json objects, null or the resource exisiting property

Within the past week azurerm_kubernetes_cluster started throwing and error with no code changes. We are using User Assigned Identities for our AKS cluster. The code in question is below and the resulting error. Any thoughts on what changed or how to troubleshoot the source of the issue?

# Create User Assigned Identity for the AKS Cluster
resource "azurerm_user_assigned_identity" "aks_id" {
  name                = "aks-${var.suffix}-${var.tags.environment}"
  resource_group_name = data.azurerm_resource_group.aks_rg.name
  location            = data.azurerm_resource_group.aks_rg.location
}

# Assign "Network Contributor rol on the resource group containing the subnet where the aks cluster will be deployed
resource "azurerm_role_assignment" "aks_role" {
  scope                = data.azurerm_resource_group.aks_vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks_id.principal_id
}

# Create AKS Cluster
resource "azurerm_kubernetes_cluster" "main" {
......
identity {
type = "UserAssigned"
user_assigned_identity_id = azurerm_user_assigned_identity.aks_id.id
}
}

# Create User Assigned Identity for the AKS Cluster
resource "azurerm_user_assigned_identity" "aks_id" {
name = "aks-${var.suffix}-${var.tags.environment}"
resource_group_name = data.azurerm_resource_group.aks_rg.name
location = data.azurerm_resource_group.aks_rg.location
}

Error: updating Managed Kubernetes Cluster "bokf-4321-dev-eastus-aks-enterprise" (Resource Group "bokf-4321-dev-eastus-rg-enterprise-aks"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidIdentityValues" Message="Invalid value for the identities '/subscriptions/xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxx-4321-dev-eastus-rg-enterprise-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-enterprise-dev'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
on .terraform/modules/aks/modules/compute/aks/aks_module.tf line 86, in resource "azurerm_kubernetes_cluster" "main":
86: resource "azurerm_kubernetes_cluster" "main" {

I can delete the AKS cluster and recreate it from scratch without error. If I then try to make no changes to the terraform code and simply run another apply. I get the same error. The only way to get past this error is to delete the AKS cluster and recreate any time I run an apply regardless of any or no changes to the code. Please advise.

I have the same issue, do you have a workarround ?

I am also having the same issue.

I’m also facing this issue now.

Just faced it today.

Error: updating Managed Kubernetes Cluster “aks-cluster-name” (Resource Group “resourcegroup_xxxx”): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 – Original Error: Code=“InvalidIdentityValues”
Message=“Invalid value for the identities ‘/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/resourcegroup_xxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks_user_identity_xxxx’.
The ‘UserAssignedIdentities’ property keys should only be empty json objects, null or the resource exisiting property.”

We also just encountered this problem. We use a user assigned managed identity that has the “Network Contributor” role on our Vnet for our K8s cluster. Creating and recreating the cluster works fine, but when we try to make changes to an exisiting cluster (e.g. increase node count), we also get this error message:

Error: updating Managed Kubernetes Cluster “cluster-name” (Resource Group “resource-group-name”): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 – Original Error: Code=“InvalidIdentityValues” Message=“Invalid value for the identities ‘/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-assigned-identity-name’. The ‘UserAssignedIdentities’ property keys should only be empty json objects, null or the resource exisiting property.”

Does somebody know how to solve this?

See r/kubernetes_cluster: api returns InvalidIdentityValues during update · Issue #10406 · terraform-providers/terraform-provider-azurerm · GitHub. Seems like the issue was fixed w/ azurerm >= 2.57

Hmm - I am still seeing it in 2.63.0.

│ Error: updating Managed Kubernetes Cluster "cluster" (Resource Group "grp"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidIdentityValues" Message="Invalid value for the identities '/subscriptions/nnn/resourcegroups/grp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cluster_identity'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
│ 
│   with module.k8s_wrapper["cluster"].azurerm_kubernetes_cluster.k8s_cluster,
│   on common/azure_k8s/k8s.tf line 34, in resource "azurerm_kubernetes_cluster" "k8s_cluster":
│   34: resource "azurerm_kubernetes_cluster" "k8s_cluster" {
│ 
╵

It seems that if I modify a cluster (ie pools size, version) it happens once, but goes away on a rerun. Is there some update to the state format that is vaguely incompatible here? Either in the AzureRM provider or terraform 1.0?

I get the same error with azure-sdk-for-go trying to change vmss settings on azure. So it seems to be a bug in the azure api