Azure-cli: Getting "permission denied" during az aks get-credentials

I am also getting this error. Same result when running in an Administrator command window

C:\Users\sifte>az aks get-credentials -g aks -n mvaks
[Errno 13] Permission denied: 'C:\\Users\\sifte\\AppData\\Local\\Temp\\tmp4o2c9ha2'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\sifte\\AppData\\Local\\Temp\\tmp4o2c9ha2

C:\Users\sifte>az --version

azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\sifte\.azure\cliextensions

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Same here (works fine in WSL/Ubuntu, error only manifests itself with the Windows version of the CLI). I have full access to the Temp dir. I deactivated "Controlled Folder Access" to no avail.

C:\Users\rafb> az aks get-credentials --resource-group myK8Group --name myCluster
[Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'

PS C:\Users\rafb> az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\rafb\.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

@mboersma, please investigate. The possible cause is in the upstream method of aks_get_credentials, the temp file is already opened, and then the downstream merge_kubernetes_configurations tries to open it again. The Windows OS might reject such file re-opening as the first writing file handle is not yet closed.

Works when running the azure cli from a docker container image azuresdk/azure-cli-python:latest

bash-4.3# az group create -n aks2 -l westus2
Location    Name
----------  ------
westus2     aks2
bash-4.3# az aks create -g aks2 -l westus2 -n mvaks2 --generate-ssh-keys -k 1.8.1 -c 1
SSH key files '/root/.ssh/id_rsa' and '/root/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage like Azure Cloud Shell without an attached file share, back up your keys to a safe location
Location    Name    ResourceGroup
----------  ------  ---------------
westus2     mvaks2  aks2
bash-4.3# az aks get-credentials -n mvaks2 -g aks2
Merged "mvaks2" as current context in /root/.kube/config
bash-4.3# az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.5.2 (default, Dec 27 2016, 21:33:11)
[GCC 5.3.0]

Legal docs and information: aka.ms/AzureCliLegal

bash-4.3#

I get this problem when running az in Windows (PowerShell) and also in WSL bash
If I use sudo in bash it works, but then I can't use az aks browse to view the dashboard. Help!

On v2.20 CLI in both WSL and Windows

+1 here on Windows too.

As a workaround, I used the command below to write the YAML to my kubectl config. Careful not to overwrite your existing configuration!

az aks get-credentials -g my-aks -n aks -f - > .kube\config

@tomconte I just tried that. When using that config, I get an error. It seems like it is expecting JSON, but the az aks get-credentials -f outputs YAML

couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }

+1 I get the same error running:

az aks get-credentials --name AksKubernetes --resource-group AksKubernetesResourceGroup

from a command-prompt ran as an administrator.

Note:

I created an ACS\K8s cluster with az acs a few days ago and

az acs get-credentials --name AcsKubernetes --resource-group AcsKubernetesResourceGroup

worked as expected. I'm blocked.

Shell: Command-Prompt (run as administrator)
Azure CLI installed via MSI
az --version 2.0.20

I managed to run the command under sudo in WSL and then copy the ~/.kube/config out to my Windows filesystem e.g. c:\Users\foo\.kube\config to get the kubectl working in PowerShell.

However az aks broswe still fails with permissions problems, and I can't get the Kubernetes dashboard working in AKS via any other means.

This is a big blocker, given that AKS is high profile new service I expect a lot of people will be hitting this. These commands are literally in the Azure docs quick start guide for AKS

This is definitely a problematic issue. As a workaround, to access the dashboard:

kubectl port-forward kubernetes-dashboard-3427906134-xlrcg 9090 --namespace kube-system

(you might need to change the Pod name; get it using kubectl get all --namespace kube-system)

Then open http://localhost:9090/

+1 Same error here.

az --version 2.0.20
Windows

Broken in Azure Cloud Powershell as well

PS Azure:\> az aks get-credentials -g Kubernetes-RG -n Kubernetes-Cluster
[Errno 13] Permission denied: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\tmp_xabf6zl'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\tmp_xabf6zl'

Workaround for anybody having the same issue.

1. Go to Azure Bash cloudshell and execute your command az aks get-credentials -g Kubernetes-RG -n Kubernetes-Cluster
2. Copy resulting config file to cloud drive cp .kube/config /usr/<your username>/clouddrive/config
3. Go in Azure portal to your cloudshell storage account and go to Files and find your file share, download it and save it as .kube\config

With this steps it works for me on Windows desktop. browse still broken though.

Work around works great, AK AKA BROWSE and other commands are broken still because of the ERR 13, I even assigned my environment variables TMP and TEMP to point to a folder I knew I had full permissions on without any success. I hope a new version is out soon that fixes this issue!

Yes really want az aks browse to work, I can find no workaround that lets me access the AKS dashboard.

Do we have an ETA on a fix?

@benc-uk Workaround for browse is to use @tomconte comment above. It works as expected after you got your credentials squared away.

My workaround for az aks browse is to run it in Bash on Ubuntu on Windows. Obviously a bit of a hassle if you don’t have it set up, but it works :)

Here is the workaround on windows if you don't have any clusters configured yet:

$path = "$env:USERPROFILE\.kube\config"
az aks get-credentials --resource-group=CloudServices --name=CloudServicesKubernetesCluster --file - > $path
(Get-Content $path -Raw).Replace("`r`n","`n") | Set-Content $path -Force

Please note that it will replace existing kubectl configuration

Hi @andersarpi, when I try in WSL I get the following error

error: error upgrading connection: error dialing backend: dial tcp 10.240.0.4:10250: getsockopt: connection refused

Looking at the comments in the docs, several other people report the same problem

Are there any other steps you carried out for this to work?

When could fix it?
I try @tomconte 's method but I still face this issue...
`C:\Program Files (x86)>az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\guofzh.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal
D:\Repos\UCM>az aks get-credentials --resource-group=myResourceGroup --name=myK8sCluster
[Errno 13] Permission denied: 'C:\Users\guofzh\AppData\Local\Temp\tmp5rihzai5'
Traceback (most recent call last):
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\climain.py", line 36, in main
cmd_result = APPLICATION.execute(args)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\coreapplication.py", line 212, in execute
result = expanded_arg.func(params)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\core\commands__init__.py", line 377, in __call__
return self.handler(args, kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\core\commands__init__.py", line 620, in _execute_command
reraise(sys.exc_info())
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
raise value
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\core\commands__init__.py", line 602, in _execute_command
result = op(client, **kwargs) if client else op(kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\command_modulesacs\custom.py", line 1288, in aks_get_credentials
merge_kubernetes_configurations(path, additional_file.name)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packagesazure\cli\command_modulesacs\custom.py", line 829, in merge_kubernetes_configurations
with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\Users\guofzh\AppData\Local\Temp\tmp5rihzai5'`

Looks like the fix was merged in very recently https://github.com/Azure/azure-cli/pull/4762
So hoping the next release of the CLI will resolve this

Any word on release date...???

Any word on release date...???

Any word on release date...???

Any word on release date...???

Any word on release date...???

Any word on release date...??? I can verify browse does not work in clud shell either.

Any word on release date...??? I can verify browse does not work in clud shell either. #4762

We are releasing early next week.

I'm wondering if Microsoft even tests anything on Windows anymore. This issue would have been caught pretty early on since none of showcased steps would work right out of the bat.

The following workaround worked for me:
Use '-f=-' to redirect to STDOUT, then redirect output to a file using '>kube.config'

Example:
az aks get-credentials -g=resourcegroupname -n=clustername -f=- >kube.config

We have released the new update.
It has version number 2.0.21.
Get the new MSI at https://aka.ms/InstallAzureCliWindows.