Hello together, I try to create an AKS within my CI but I struggle with the required privileges.
I am using a service principal login, create a resource group and then I try to create an AKS.
- az login --service-principal -u ${AZ_PRINC_USER} -p ${AZ_PRINC_PASSWORD} --tenant ${AZ_PRINC_TENANT}
- az group create --name ${AZ_RESOURCE_GROUP} --location ${AZ_RESOURCE_LOCATION}
- az aks create --name ${AZ_AKS_TEST_CLUSTER} --resource-group ${AZ_RESOURCE_GROUP} --node-count ${AZ_AKS_TEST_NODECOUNT} --generate-ssh-keys
However the execution drops an error:
ERROR: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.
Any ideas what privileges are necessary? It seems there should be a Directory permission... but I am not really able to find and assign it.
You need to grant it permissions to create applications in Azure AD (if you do not pre-create those). You also need to give it permissions to create AKS (Microsoft.ContainerService/managedClusters/write) and you need to give it permissions to assign roles (Microsoft.Authorization/roleAssignments/write) if you want to deploy to an existing subnet. This would be the bare minimum derived logically, but I never tried it. You might not be able to do this with just these permissions; you would probably also need some Microsoft.Network permissions.
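As an added example (not part of the answer above or of the original post), here is a POSIX shell script that puts the answer's list into practice: a custom Azure RBAC role carrying the named actions is created and assigned to the CI service principal, and the service principal the cluster itself uses is pre-created by a directory admin so that the CI identity never needs the Azure AD "Directory permission" from the error message. The role name "AKS CI Deployer", the resourceGroups read/write and listClusterUserCredential actions, and the concrete Microsoft.Network actions (subnets/read and subnets/join/action) are my assumptions, as is an az CLI session belonging to someone allowed to create role definitions and role assignments. Setting AZ=echo dry-runs the commands instead of calling az.

```shell
#!/bin/sh
# Added example, not code from the original post or answer.
# Grant a CI service principal the minimum Azure RBAC it needs to run
# `az group create` + `az aks create`, and pre-create the cluster's own
# service principal so the CI identity needs no Azure AD directory permission.
# Assumptions (not from the thread): the role name, the exact
# Microsoft.Resources / Microsoft.Network actions, and an az CLI logged in
# as someone who may create role definitions and assignments.
set -eu

AZ="${AZ:-az}"   # set AZ=echo to print the az commands instead of running them

# Emit a custom role definition scoped to one subscription. Only the actions
# the pipeline actually performs; roleAssignments/write is the most sensitive
# entry and is only needed when the cluster joins an existing subnet.
role_definition_json() {
  sub="$1"
  cat <<EOF
{
  "Name": "AKS CI Deployer",
  "IsCustom": true,
  "Description": "Create resource groups and AKS clusters from CI",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/${sub}"]
}
EOF
}

# Create the role and assign it to the CI principal (its appId) at
# subscription scope. Narrow --scope to one resource group if the CI only
# ever touches one; `az role definition create` fails if the role exists,
# use `az role definition update` in that case.
grant_ci_role() {
  sub="$1"; ci_app_id="$2"
  tmp="$(mktemp)"
  role_definition_json "$sub" > "$tmp"
  "$AZ" role definition create --role-definition "@$tmp"
  rm -f "$tmp"
  "$AZ" role assignment create \
    --assignee "$ci_app_id" \
    --role "AKS CI Deployer" \
    --scope "/subscriptions/${sub}"
}

# Run once by a directory admin: the service principal the cluster will use.
# Its appId/password go into CI secrets. (Assumption: on older CLI versions
# add --skip-assignment so no Contributor assignment is created implicitly.)
create_cluster_sp() {
  name="$1"
  "$AZ" ad sp create-for-rbac --name "$name" \
    --query '{appId:appId,password:password}' -o json
}

# CI job: the original pipeline's commands plus --service-principal and
# --client-secret, so `az aks create` never tries to register an application.
ci_create_aks() {
  rg="$1"; loc="$2"; cluster="$3"; nodes="$4"; sp_id="$5"; sp_secret="$6"
  "$AZ" group create --name "$rg" --location "$loc"
  "$AZ" aks create --name "$cluster" --resource-group "$rg" \
    --node-count "$nodes" --generate-ssh-keys \
    --service-principal "$sp_id" --client-secret "$sp_secret"
}

# `sh grant-aks-ci.sh apply` with AZ_PRINC_USER set to the CI principal's appId.
if [ "${1:-}" = "apply" ]; then
  SUB="$("$AZ" account show --query id -o tsv)"
  grant_ci_role "$SUB" "${AZ_PRINC_USER:?set to the CI service principal appId}"
fi
```

Run it as `sh grant-aks-ci.sh apply` from an admin session, then keep the pipeline as posted but add `--service-principal ${CLUSTER_SP_ID} --client-secret ${CLUSTER_SP_SECRET}` to the `az aks create` line. Note that Microsoft.Authorization/roleAssignments/write lets whoever holds it grant any role within the assignable scope, including to itself, so leave it out unless the cluster really joins an existing subnet, and when it is needed scope the assignment to the resource group or the VNet rather than the whole subscription.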