Azure-docs: RBAC failing on AKS

Created on 17 Jun 2018 · 34 Comments · Source: MicrosoftDocs/azure-docs

I walked through the steps here (https://docs.microsoft.com/en-us/azure/aks/aad-integration) and everything works except when I use the logged-in credentials (after the step of using the admin account to create the cluster role binding). After successfully logging in, I get an error "You must be logged in to the server (Unauthorized)". In my kube config, I can see an access token was retrieved and the token looks correct. Any help would be appreciated.



All 34 comments

@kapopken Thanks for the feedback! We are currently investigating and will update you shortly.

I encountered a problem at the same step. But I got another message...

$kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <CODE> to authenticate.E0618 15:31:51.676757     888 azure.go:126] Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error

It would be much appreciated if you could advise me, thanks!

@ToruMakabe verify that you have your delegated permissions set up for your server registration. That could cause your issues.

@kapopken Thanks. But the permissions look correct.

[AKSAADServer]
API NAME                        TYPE            PERMISSION                      GRANTED THROUGH
-----------------------------------------------------------------------------------------------
Microsoft Graph                 Application     Read directory data             Admin consent
Microsoft Graph                 Delegated       Sign in and read user profile   Admin consent
Microsoft Graph                 Delegated       Read directory data             Admin consent
Windows Azure Active Directory  Delegated       Sign in and read user profile   Admin consent


[AKSAADClient]
API NAME                        TYPE            PERMISSION                      GRANTED THROUGH
-----------------------------------------------------------------------------------------------
AKSAADServer                    Delegated       Access AKSAADServer             Admin consent
Windows Azure Active Directory  Delegated       Sign in and read user profile   Admin consent

Any help would be appreciated.

@ToruMakabe Those look correct. Have you tried --v=9 to see if there are any useful messages?

@kapopken Umm... It seems there are no useful messages...

$ kubectl get node --v=9
I0619 08:15:44.622211     142 loader.go:357] Config loaded from file /home/me/.kube/config
I0619 08:15:44.660433     142 round_trippers.go:386] curl -k -v -XGET  -H "Accept: application/json" -H "User-Agent: kubectl/v1.10.4 (linux/amd64) kubernetes/5ca598b" https://mycluster.hcp.westus2.azmk8s.io:443/api/v1/nodes?limit=500
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CODE to authenticate.
E0619 08:16:57.848876     142 azure.go:126] Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error
I0619 08:16:57.852569     142 round_trippers.go:405] GET https://mycluster.hcp.westus2.azmk8s.io:443/api/v1/nodes?limit=500  in 73190 milliseconds
I0619 08:16:57.853396     142 round_trippers.go:411] Response Headers:
I0619 08:16:57.857568     142 helpers.go:219] Connection error: Get https://mycluster.hcp.westus2.azmk8s.io:443/api/v1/nodes?limit=500: acquiring a token for authorization header: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error
F0619 08:16:57.858797     142 helpers.go:119] Unable to connect to the server: acquiring a token for authorization header: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error

@ToruMakabe nope not very helpful. Looking at the code, https://github.com/kubernetes/client-go/blob/master/vendor/github.com/Azure/go-autorest/autorest/adal/devicetoken.go. That error is generated after entering the device token. It is failing on client credentials grant. Is your AKSAADClient listed as a Native Application? Line 210

@kapopken Thanks! I made a mistake. I re-created the AAD client app as Native, and then it progressed. So now I get the message "error: You must be logged in to the server (Unauthorized)" as you did. I will wait for an update from @BryanTrach-MSFT .

@BryanTrach-MSFT Any word on this?

@neilpeterson could you advise on this one?

@ToruMakabe Are you using a VS subscription or corp subscription?

I have also seen this issue when using a hotmail.com account.

@neilpeterson I'm using a msn account

@amanohar can you confirm that this issue may be related to the msn account?

Thanks

@neilpeterson @amanohar I can confirm this is the account associated with my Azure Directory appropriately.

@dstrebel @neilpeterson @amanohar Thank you for your help! The followings are my config.

  • AKS Cluster: MS Corp Internal Subscription
  • AAD Tenant for AKS Cluster Resource: MS Corp
  • AAD Tenant for AKS Auth: My private one, associated with VS Subscription
  • kubectl Login User: MS Corp Work account, but as B2B guest of my private AAD tenant

MSCorp won't work unless you have requested the correct permission from Internal to create an App registration. For a VS subscription you need to have a 'user.onmicrosoft.com' account for the binding and when you log in. You cannot use an outlook or live account for authentication.

@dstrebel Thanks! I have logged in & operate k8s resource successfully with my private AAD member account '[email protected]', not B2B guest account '[email protected]'. Anyway, do you know any plan to support AAD B2B guest account?

@neilpeterson @amanohar Any guidance on this? I have confirmed I'm using a Microsoft account and that the token generated is correct. This is my YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contoso-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:

Also, what about group support? That is what I really want. I tried using
  kind: Group
  name: GroupGuid

@dstrebel Thanks for the help everyone. I was able to get groups and users logged in. I missed the Grant Permission button after adding the required permissions to my application.

Hello, I am facing the same issue. I have set up my client as native and I am using a [email protected] account. But I am still not able to get it working. Any help will be great.

@chetanku are you using groups or roles? If groups make sure it is the Group object ID

@kapopken I am using roles.

@chetanku can you post your RoleBinding?

@kapopken here is the file:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-roles
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: "[email protected]"

I am following this link: https://docs.microsoft.com/en-us/azure/aks/aad-integration
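A diagnostic that relates the two pieces this thread keeps circling: the token kubectl stored in the kubeconfig and the subjects in the ClusterRoleBinding above (plus the earlier advice that Group subjects must be the AAD group object ID). This is an added example, not code from the thread or from AKS; it assumes the token's `aud` claim equals the server app's application ID, that the User subject name is compared against the token's `upn` claim, and that a `groups` claim carries group object IDs; the app ID, group ID and user are constructed placeholders.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    # Diagnostic only: reads the payload without verifying the signature, so it
    # shows what the token says, not whether the API server would accept it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_binding(claims: dict, server_app_id: str, subjects: list) -> list:
    # Compare token claims with the subjects of a (Cluster)RoleBinding;
    # an empty list of findings means at least one subject should match.
    findings = []
    if claims.get("aud") != server_app_id:
        findings.append(f"aud {claims.get('aud')!r} is not the server app id")
    upn = claims.get("upn")
    if upn is None:
        findings.append("no upn claim in token, so a User subject has nothing to match")
    if "groups" in claims.get("_claim_names", {}):
        # AAD replaces the groups list with an overage pointer for users in many groups
        findings.append("groups claim replaced by overage pointer; Group subjects cannot match")
    groups = set(claims.get("groups", []))
    matched = False
    for subj in subjects:
        kind, name = subj["kind"], subj["name"]
        if kind == "User" and upn and name.lower() == upn.lower():
            matched = True
        elif kind == "Group" and ("@" in name or " " in name):
            findings.append(f"Group subject {name!r} is not an object ID; use the AAD group object ID")
        elif kind == "Group" and name in groups:
            matched = True
    if not matched:
        findings.append("no subject in the binding matches the token's upn or groups")
    return findings

def make_unsigned_jwt(claims: dict) -> str:
    # Builds a constructed, unsigned (alg "none") JWT purely for offline testing.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = seg({"alg": "none", "typ": "JWT"})
    return f"{header}.{seg(claims)}."

# Constructed sample values (placeholders, not real identifiers)
SERVER_APP_ID = "00000000-0000-0000-0000-00000000aaaa"
GROUP_OID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TOKEN = make_unsigned_jwt(
    {"aud": SERVER_APP_ID, "upn": "alice@contoso.onmicrosoft.com", "groups": [GROUP_OID]})
SUBJECTS = [{"kind": "User", "name": "alice@contoso.onmicrosoft.com"}, {"kind": "Group", "name": GROUP_OID}]
```

Run `check_binding(decode_jwt_payload(token), server_app_id, subjects)` against the access-token value from your own kubeconfig; any finding points at the binding or the app registration rather than at the device-code login itself.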

To make it work I had to Grant Permissions (Home - Default Directory - App registrations - AppName - Settings - Required Permissions - Grant Permission) in the Azure portal for the server app, which is a Web app / API app type. My initial understanding was that this step is necessary only for the client application, which is a native app type. Is this how it is supposed to be done?

I have followed the doc https://docs.microsoft.com/en-us/azure/aks/aad-integration and was able to perform the checks as in the doc.

The issue is that when I try to interact with my cluster from an Ubuntu client, it prompts me to log on to https://microsoft.com/devicelogin using a code and succeeds in the web page, but in the CLI I am seeing the OAuth failure. Not sure what is wrong.

Sharing the error info below, any help is much appreciated!

raja@raja-VirtualBox:~$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BEA87VG84 to authenticate.
E1011 11:53:17.299643 11769 azure.go:126] Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code B7YRLNFZ9 to authenticate.

I am also having the same issue as RajSelv.

I was able to fix this issue with Azure AD v2 application by setting the following in the client manifest:

"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true,
"signInAudience": "AzureADMultipleOrgs",

I found that:

"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true

Was enough in my case. Thank you very much

"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true

worked for me too. Thanks!

Reflected in doc:
https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration

In the left pane of the Azure AD application, select Authentication.

Under Default client type, select Yes to Treat the client as a public client.

None of the workarounds mentioned above worked for me; I need real help here. I have followed all the standard docs like below:
Follow and implement :
AAD integration with AKS: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
Manual setting with the above link: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration
RBAC(User and Group Role) : https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac

Quick fix: go to your AAD client manifest file and change the value of the property "allowPublicClient" from null to true.
