Azure-docs: az aks create command requires ServicePrincipleProfile

Created on 31 May 2019 · 5 Comments · Source: MicrosoftDocs/azure-docs

Running the following command to create the cluster fails with the error:

Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '401'.

Command used

PASSWORD_WIN="P@ssw0rd1234"

az aks create \
    --resource-group shboyer-aks \
    --name shboyer-dev-cluster \
    --node-count 1 \
    --enable-addons monitoring \
    --kubernetes-version 1.14.0 \
    --generate-ssh-keys \
    --windows-admin-password "$PASSWORD_WIN" \
    --windows-admin-username azureuser \
    --enable-vmss \
    --network-plugin azure 

Even when --disable-rbac is passed, ServicePrincipal is required.

reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal



All 5 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@spboyer could it be your local cached SP credentials have expired?

Try to delete your cached $HOME/.azure/aksServicePrincipal.json or explicitly pass the SP parameters via
--service-principal <SP_ID> --client-secret <SP_Password>

@palma21 Good point. File created 02/07/2018. A year has passed. Error message should be better.

--disable-rbac should not look for the file, nor principal though, correct?

It will always look for the SP in order to give it permissions as network contrib to the Azure subnet. It will also need it later on to expose svcs through LBs.

We just added that message, which is now doing pre-flight validation of the SP's credentials to avoid clusters in a bad state. Let me see how we can improve the text, thanks for the feedback.

Updated the service principal doc to add a troubleshooting note to check for credential file expiration. That PR has merged and will go live during the next publication cycle early Monday morning PST.
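
The cache-age check discussed in this thread, as an added example that is not part of the original issue or of the Azure CLI. The function names are hypothetical, the 365-day lifetime is an assumption based on the "year has passed" comment, and the file's modification time is used only as a proxy for when the credential was issued.

```shell
#!/bin/sh
# Added example: local pre-flight check of the cached AKS service principal file
# before running 'az aks create'. Runs offline; it only reads file metadata.

SP_CACHE_DEFAULT="$HOME/.azure/aksServicePrincipal.json"  # path named in the thread
MAX_AGE_DAYS_DEFAULT=365                                  # assumed credential lifetime

# Print a file's modification time in epoch seconds (GNU stat first, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# sp_cache_status [path] [max_age_days] [now_epoch]
# Prints one of: missing | fresh | stale | unknown
# The body runs in a subshell so its variables do not leak into the caller.
sp_cache_status() (
    path="${1:-$SP_CACHE_DEFAULT}"
    max_days="${2:-$MAX_AGE_DAYS_DEFAULT}"
    now="${3:-$(date +%s)}"

    if [ ! -f "$path" ]; then
        echo "missing"              # nothing cached at this path
        exit 0
    fi

    mtime="$(file_mtime "$path")"
    case "$mtime" in
        ''|*[!0-9]*) echo "unknown"; exit 0 ;;   # stat output was not a timestamp
    esac

    age_days=$(( ($now - $mtime) / 86400 ))
    if [ "$age_days" -ge "$max_days" ]; then
        echo "stale"                # old enough that the secret has likely expired
    else
        echo "fresh"
    fi
)

# Run the check only when invoked as: sh check_sp_cache.sh --check
if [ "${1:-}" = "--check" ]; then
    status="$(sp_cache_status)"
    echo "cached SP file ($SP_CACHE_DEFAULT): $status"
    if [ "$status" = "stale" ]; then
        echo "Delete the file, or pass --service-principal and --client-secret explicitly."
    fi
fi
```

A "fresh" result does not prove the credential is valid, since the secret can be rotated or revoked independently of the file's timestamp.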
