Anyone having issues setting up an aks cluster in ...
# general
Anyone having issues setting up an aks cluster in azure? I manually created a service principal for pulumi to run as, it's got all the permissions i can find but i get this when i try to create a new SP with pulumi
Copy code
SP creating error: Plan apply failed: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-05-07T14:22:29","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"6df1d82f-17bb-48da-94d7-8dd03e6a39fa"}}]
@icy-dress-83371 I believe this is a race in Azure. Let me dig up the bug.
You can work around by running
pulumi up
a second time though.
cc @narrow-area-11460 this is the bug I mentioned earlier
@icy-dress-83371 @creamy-potato-29402 I have been hitting this issue myself -- the error shows up differently for me
"Error: Code="ServicePrincipalNotFound" Message="Service principal clientID: 7cab766e-e8f7-481c-a2a2-f8ec4f642656 not found in Active Directory tenant 706143bc-e1d4-4593-aee2-c9dc60ab9be7"
basically it is a race condition where the Service Principal required by the AKS cluster is not being created on time by the AD and hence AKS cluster creation fails.
someone in TF issued a workaround (this is specific to role assignment but the underlying issue is the same): however it does not work -- will reopen the issue and the issue on our side that was previously closed to track this
This seems to be a different issue, my issue was that the service principal I created does not seem to have the permissions to create another service principal. @creamy-potato-29402 @narrow-area-11460
should be tied to the same race condition - mind sharing your
will look into it and revert back
I do not believe the issue @icy-dress-83371 is hitting is the same issue that @narrow-area-11460 and @creamy-potato-29402 are referring to.
Insufficient privileges to complete the operation.
This suggest that the service principal does not have some permission needed for AKS. I suspect it's related to