Hi guys, I’m creating an AKS cluster with a UserAssigned managed identity and an identity for the kubelet as well. My code looks like:
import { authorization, containerservice, managedidentity } from "@pulumi/azure-native";

...
// resourceGroup and kubeletDnsZoneContributor are defined in the omitted part above
const controlPlaneIdentity = new managedidentity.UserAssignedIdentity("controlPlaneIdentity", {...});
const kubeletIdentity = new managedidentity.UserAssignedIdentity("kubeletIdentity", {...});

// Managed Identity Operator (f1a07417-...) for the control plane identity, scoped to the resource group
const cpManagedIdentityOperator = new authorization.RoleAssignment("controlPlane-ManagedIdentityOperator", {
  principalId: controlPlaneIdentity.principalId,
  principalType: "ServicePrincipal",
  roleDefinitionId:
    "/subscriptions/xxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  scope: resourceGroup.id,
});

const cluster = new containerservice.ManagedCluster(
  "cluster",
  {
    ...
    identity: {
      type: "UserAssigned",
      // the map is keyed by the identity's resource ID, so it has to be built inside apply()
      userAssignedIdentities: controlPlaneIdentity.id.apply((id) => {
        const dict: { [key: string]: any } = {};
        dict[id] = {};
        return dict;
      }),
    },
    identityProfile: {
      kubeletidentity: {
        clientId: kubeletIdentity.clientId,
        resourceId: kubeletIdentity.id,
        objectId: kubeletIdentity.principalId,
      },
    },
    ...
  },
  { dependsOn: [cpManagedIdentityOperator, kubeletDnsZoneContributor] }
);
Even though I have dependencies on the cluster resources, I get an error on fresh stack creation:
The cluster user assigned identity must be given permission to assign kubelet identity /subscriptions/xxxxxxxxxx/resourcegroups/poc-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/poc-aks-kubeletIdentity. Check access result not allowed for action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action.
Am I missing something?
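The error above is an Azure RBAC check: the control plane identity needs the action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action at a scope that covers the kubelet identity resource. The following is an added example, not code from the original post or from Pulumi: a small pure-TypeScript model of how an Azure role assignment's scope and action patterns are evaluated, used to check the control plane principal against the kubelet identity's resource ID before wiring them into a cluster. All subscription, principal and resource IDs below are constructed placeholders, and the action list attached to the role definition ID from the post is an assumption for the example, not the built-in role's real definition.

```typescript
// Added example (not from the original post): a small model of Azure RBAC
// scope inheritance and action matching, used to check whether the control
// plane identity holds Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
// on the kubelet identity. Pure TypeScript, no Pulumi or Azure SDK calls;
// every ID and the role's action list are constructed sample data.

export interface RoleDefinition {
  id: string;
  actions: string[];
  notActions: string[];
}

export interface RoleAssignment {
  principalId: string;
  roleDefinitionId: string;
  scope: string;
}

// Azure compares scopes, IDs and action names case-insensitively.
const norm = (s: string): string => s.toLowerCase().replace(/\/+$/, "");

// An assignment at scope S applies to resource R when S is R itself or an ARM
// ancestor of R (subscription > resource group > resource). The "/" check avoids
// treating ".../resourceGroups/poc-aks" as an ancestor of ".../resourceGroups/poc-aks-2".
export function scopeCovers(assignmentScope: string, targetScope: string): boolean {
  const a = norm(assignmentScope);
  const t = norm(targetScope);
  return t === a || t.startsWith(a + "/");
}

// Action patterns use "*" as a wildcard that may span several "/" segments.
export function actionMatches(pattern: string, action: string): boolean {
  const body = pattern
    .toLowerCase()
    .split("*")
    .map((p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + body + "$").test(action.toLowerCase());
}

// A role grants an action when some Actions pattern matches and no NotActions pattern does.
export function roleGrantsAction(role: RoleDefinition, action: string): boolean {
  const allowed = role.actions.some((p) => actionMatches(p, action));
  const denied = role.notActions.some((p) => actionMatches(p, action));
  return allowed && !denied;
}

// Effective check: does `principalId` hold `action` on `targetScope` via any assignment?
export function hasAction(
  assignments: RoleAssignment[],
  roles: Record<string, RoleDefinition>,
  principalId: string,
  action: string,
  targetScope: string
): boolean {
  return assignments.some((ra) => {
    if (norm(ra.principalId) !== norm(principalId)) return false;
    if (!scopeCovers(ra.scope, targetScope)) return false;
    const role = roles[norm(ra.roleDefinitionId)];
    return role !== undefined && roleGrantsAction(role, action);
  });
}

// ---- constructed sample data (placeholder IDs, not real resources) ----
export const ASSIGN_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action";
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const RG = `${SUB}/resourceGroups/poc-aks`;
export const KUBELET_ID = `${RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/poc-aks-kubeletIdentity`;
export const OTHER_RG_KUBELET_ID = `${SUB}/resourceGroups/poc-aks-2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/poc-aks-kubeletIdentity`;
export const CONTROL_PLANE_PRINCIPAL = "11111111-1111-1111-1111-111111111111";

// Role definition ID taken from the post; the Actions/NotActions lists are an
// assumption made for this example, not the built-in role's real definition.
const MIO_ROLE_ID = `${SUB}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830`;
export const roles: Record<string, RoleDefinition> = {
  [norm(MIO_ROLE_ID)]: {
    id: MIO_ROLE_ID,
    actions: ["Microsoft.ManagedIdentity/userAssignedIdentities/*"],
    notActions: ["Microsoft.ManagedIdentity/userAssignedIdentities/delete"],
  },
};

// Mirrors the post's RoleAssignment: the role for the control plane principal at resource-group scope.
export const assignments: RoleAssignment[] = [
  { principalId: CONTROL_PLANE_PRINCIPAL, roleDefinitionId: MIO_ROLE_ID, scope: RG },
];

export function controlPlaneCanAssign(kubeletIdentityId: string): boolean {
  return hasAction(assignments, roles, CONTROL_PLANE_PRINCIPAL, ASSIGN_ACTION, kubeletIdentityId);
}
```

Run with a kubelet identity that lives in the same resource group as the assignment scope and the check passes; move the identity to another resource group (or scope the assignment to the wrong resource) and it fails with exactly the "not allowed for action ... assign/action" situation the error describes, which is the first thing worth verifying when this message appears on a fresh stack.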