What Roles does a servicePrincipal need to create AKS from AZ CLI

10/5/2019

Hello together, I try to create an AKS within my CI but I struggle with the required privileges.

I am using a service principal login, create a resource group and then I try to create an AKS.

- az login --service-principal -u "${AZ_PRINC_USER}" -p "${AZ_PRINC_PASSWORD}" --tenant "${AZ_PRINC_TENANT}"
- az group create --name "${AZ_RESOURCE_GROUP}" --location "${AZ_RESOURCE_LOCATION}"
- az aks create --name "${AZ_AKS_TEST_CLUSTER}" --resource-group "${AZ_RESOURCE_GROUP}" --node-count "${AZ_AKS_TEST_NODECOUNT}" --generate-ssh-keys

However, the execution drops an error:

ERROR: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.

Any ideas what privileges are necessary? It seems there should be a Directory permission... but I am not really able to find and assign it.

-- Bliv_Dev
azure
continuous-integration
kubernetes
service-principal

1 Answer

10/5/2019

You need to grant it permissions to create applications in Azure AD (if you do not pre-create those). You also need to give it permissions to create AKS (Microsoft.ContainerService/managedClusters/write), and you need to give it permissions to assign roles (Microsoft.Authorization/roleAssignments/write) if you want to deploy to an existing subnet. This would be the bare minimum derived logically, but I never tried it. You might not be able to do this with just these permissions.

You would probably also need some Microsoft.Network permissions.

-- 4c74356b41
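The following is an added example, not code from the question or the answer above. It turns the actions the answer lists into a custom Azure RBAC role for the CI service principal (plus the resource-group and Microsoft.Network actions the posted CI script needs; which network actions are sufficient is an assumption) and shows the "pre-create" route the answer mentions: an administrator creates the cluster's own service principal up front and the CI job passes it to `az aks create --service-principal/--client-secret`, so the CI principal never needs the Azure AD application-registration right behind the "Directory permission is needed" error. That right is an Azure AD directory permission (a directory role such as Application Developer, or the tenant setting that lets users register applications), not an Azure RBAC action, so no role definition like the one below can grant it. The subscription id, role name, resource group, node count and all `*_ID`/`*_SECRET` values are placeholders; only the functions that print and inspect the role JSON run offline, the `az` calls need a logged-in CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): least-privilege custom role for a
# CI service principal that creates a resource group and an AKS cluster, and
# the pre-created cluster identity path. All ids, names and secrets below are
# placeholder assumptions.
set -eu

# Print the custom role definition JSON scoped to one subscription.
# Actions follow the answer: managedClusters/write, roleAssignments/write (for
# joining an existing subnet) and Microsoft.Network; resourceGroups/write is
# what "az group create" needs. The exact network actions are an assumption.
role_definition_json() {
    local subscription_id="$1" role_name="$2"
    cat <<EOF
{
  "Name": "${role_name}",
  "IsCustom": true,
  "Description": "CI principal: create resource group and AKS cluster",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.ContainerService/managedClusters/delete",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/${subscription_id}" ]
}
EOF
}

# Return 0 if the role JSON grants the given action string, 1 otherwise.
# Useful as a CI pre-check that the role was not widened (e.g. to "*").
role_grants() {
    local json="$1" action="$2"
    printf '%s' "$json" | grep -Fq "\"${action}\""
}

# Create the role and assign it to the CI principal at subscription scope.
# Runs az, so it needs a logged-in session with Owner/User Access Administrator.
create_and_assign_role() {
    local subscription_id="$1" role_name="$2" ci_app_id="$3"
    role_definition_json "$subscription_id" "$role_name" > /tmp/ci-aks-role.json
    az role definition create --role-definition @/tmp/ci-aks-role.json
    az role assignment create \
        --assignee "$ci_app_id" \
        --role "$role_name" \
        --scope "/subscriptions/${subscription_id}"
}

# CI step: create the cluster with a service principal an administrator created
# beforehand (az ad sp create-for-rbac), so the CI principal itself needs no
# Azure AD application-creation permission.
create_cluster_with_precreated_sp() {
    local resource_group="$1" cluster="$2" node_count="$3"
    local aks_sp_id="$4" aks_sp_secret="$5"
    az aks create \
        --name "$cluster" \
        --resource-group "$resource_group" \
        --node-count "$node_count" \
        --service-principal "$aks_sp_id" \
        --client-secret "$aks_sp_secret" \
        --generate-ssh-keys
}

# Only touch Azure when explicitly asked; the environment variables are the
# same placeholders the question's CI script uses.
if [ "${APPLY_ROLE:-0}" = "1" ]; then
    create_and_assign_role "$AZ_SUBSCRIPTION_ID" "CI AKS Creator" "$AZ_PRINC_USER"
    create_cluster_with_precreated_sp "$AZ_RESOURCE_GROUP" "$AZ_AKS_TEST_CLUSTER" \
        "$AZ_AKS_TEST_NODECOUNT" "$AKS_SP_ID" "$AKS_SP_SECRET"
fi
```

Run with `APPLY_ROLE=1` and the variables exported to create and assign the role; without it the script only defines the functions, so `role_definition_json` can be used in a CI lint step to check that the role the pipeline relies on still contains exactly the actions it should. Note that `roleAssignments/write` lets the principal grant roles at the subscription scope it is assigned on, so scope the assignment to a dedicated subscription or resource group rather than a shared one.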
Source: StackOverflow