I've acquired one of the Microsoft templates for CI/CD using: Jenkins, Docker (ACS), Kubernetes (AKS). This template comes with a pipeline example, but when trying to start it I present the following error trying to do the integration with Azure Kubernetes (AKS):
Starting Azure Container Service / Kubernetes Service Deployment
Delete Kubernetes management config file
/var/lib/jenkins/workspace/hello-world/kubeconfig-7112538207763465492
ERROR: ERROR: Status code 403, {"error":
{"code":"AuthorizationFailed","message":"The client '7912b768-a178-4996-
b6e6-38912a9b90da' with object id '7912b768-a178-4996-b6e6-38912a9b90da'
does not have authorization to perform action
'Microsoft.ContainerService/managedClusters/accessProfiles
/listCredential/action' over scope '/subscriptions/4e601d44-4d18-4e49-
95001793e668f9e0/resourcegroups/SystemBackend_Resource/
providers/Microsoft.ContainerService/managedClusters/aksa5ru5sgbdaum2/
accessProfiles/clusterAdmin'."}}
Any idea?
the error says it all, the client (credentials) you are using to access the AKS cluster does not have permissions to use the listCredentials action over that cluster. You need to grant that client those permissions. Easiest way grant contributor rights to 7912b768-a178-4996-b6e6-38912a9b90da
to the SystemBackend_Resource
resource group.
New-AzureRmRoleAssignment -ObjectId 7912b768-a178-4996-b6e6-38912a9b90da `
-RoleDefinitionName "Contributor" `
-Scope '/subscriptions/4e601d44-4d18-4e49-95001793e668f9e0/resourcegroups/SystemBackend_Resource/'
you can obviously grant only that permission to that entity using custom roles, but this is just an example