Hi, I'm struggling with programmatically getting t...
# azure
l
Hi, I'm struggling with programmatically getting the identity of an aks cluster identity - I need to add some more permissions to it. It does not match the aks cluster name, and I can't seem to find any "link" between them. Anyone found a way?
This was much harder than I thought it would be. Trying with:
var lookupManagedCluster = GetManagedCluster.Invoke(new GetManagedClusterInvokeArgs
{
    ResourceGroupName = rgName,
    ResourceName = cluster.Name
});

var kubernetesIdentityNetworkRoleAssignment = new RoleAssignment("kubernetesIdentityNetworkRoleAssignment", new RoleAssignmentArgs
{
    PrincipalId = lookupManagedCluster.Apply(c => c.Identity.PrincipalId),
    PrincipalType = PrincipalType.ServicePrincipal,
    // "network contributor"
    RoleDefinitionId = C.AzureNetworkContributorRoleId,
    // Cluster needs access to network in order to provision extra load balancers
    Scope = $"/subscriptions/{currentSubscription}/resourceGroups/{networkResourceGroup}",
});
but the PrincipalId is always null - that could be a bug in the containerservice thing I guess. Hm. Tricky this.
f
I don't use AKS, but the normal Azure rules might apply. Did you assign a System Assigned identity to the cluster when you created it? If you didn't say it should have an identity, it won't get one.
l
I did. I realized I can pull the ID from that object, not the cluster. Still feeling like there's a bug here - what I'm trying to do should be possible
f
Part of the structure in Azure is because it has to be there for historical reasons and part of it depends on how they decided to implement it. It’s a mess
l
So it could be an Azure bug? Thanks!