wooden-receptionist-75654
09/21/2021, 9:22 AM...
import { authorization, containerservice, managedidentity } from "@pulumi/azure-native";

// resourceGroup and kubeletDnsZoneContributor are defined elsewhere in the stack (omitted here)
const controlPlaneIdentity = new managedidentity.UserAssignedIdentity("controlPlaneIdentity", {...});
const kubeletIdentity = new managedidentity.UserAssignedIdentity("kubeletIdentity", {...});

// Grant the control plane identity the Managed Identity Operator role, scoped to the resource group
const cpManagedIdentityOperator = new authorization.RoleAssignment("controlPlane-ManagedIdentityOperator", {
    principalId: controlPlaneIdentity.principalId,
    principalType: "ServicePrincipal",
    roleDefinitionId:
        "/subscriptions/xxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
    scope: resourceGroup.id,
});

const cluster = new containerservice.ManagedCluster(
    "cluster",
    {
        ...
        identity: {
            type: "UserAssigned",
            // userAssignedIdentities is a map keyed by the identity's resource id
            userAssignedIdentities: controlPlaneIdentity.id.apply((id) => {
                const dict: { [key: string]: any } = {};
                dict[id] = {};
                return dict;
            }),
        },
        identityProfile: {
            kubeletidentity: {
                clientId: kubeletIdentity.clientId,
                resourceId: kubeletIdentity.id,
                objectId: kubeletIdentity.principalId,
            },
        },
        ...
    },
    { dependsOn: [cpManagedIdentityOperator, kubeletDnsZoneContributor] }
);
Even though I have dependencies on cluster resources, I got an error on fresh stack creation:
The cluster user assigned identity must be given permission to assign kubelet identity /subscriptions/xxxxxxxxxx/resourcegroups/poc-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/poc-aks-kubeletIdentity. Check access result not allowed for action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action.
Am I missing something?