wooden-receptionist-75654

11/08/2021, 10:43 AM
Hi guys, I’m creating an AKS cluster with a user-assigned identity, and on the first run I get an error
error: Code="CustomKubeletIdentityMissingPermissionError" Message="The cluster user assigned identity must be given permission to assign kubelet identity...
even though I have a dependency on it. I have something like this in my code:
const cpIdentity = new managedidentity.UserAssignedIdentity("controlPlaneIdentity", {
  location: `${location}`,
  resourceGroupName: resourceGroup.name,
  resourceName: `${controlPlaneIdentity}`,
});

const kubeletIdentity = new managedidentity.UserAssignedIdentity("kubeletIdentity", {
  location: config.location,
  resourceGroupName: resourceGroup.name,
  resourceName: `${kubeletIdentity}`,
});

const identityRoleAssignment = new authorization.RoleAssignment("controlPlane-ManagedIdentityOperator", {
  principalId: cpIdentity.principalId,
  principalType: "ServicePrincipal",
  roleDefinitionId: `/subscriptions/${config.subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${config.managedIdentityOperatorId}`,
  scope: resourceGroup.id,
});

const cluster = new containerservice.ManagedCluster(
  "aks-cluster",
  {
    ...
    identity: {
      type: "UserAssigned",
      userAssignedIdentities: cpIdentity.id.apply((id) => {
        const dict: { [key: string]: any } = {};
        dict[id] = {};
        return dict;
      }),
    },
    identityProfile: {
      kubeletidentity: {
        clientId: kubeletIdentity.clientId,
        resourceId: kubeletIdentity.id,
        objectId: kubeletIdentity.principalId,
      },
    },
   ....
  },
  { dependsOn: [cpIdentity] }
);
The second re-run successfully deploys the cluster. Is there any way to build a proper dependency on it?
great-breakfast-56601

11/08/2021, 11:25 AM
add it to your dependsOn array?
wooden-receptionist-75654

11/08/2021, 12:12 PM
@great-breakfast-56601 It’s there, and I also have the kubelet RoleAssignment as well. I didn’t add it to the example.