Update:
A colleague who works for Microsoft said:
Changelog entry for this behaviour change is here: https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#aks-3
I'm following the proper instructions and the documentation must be out of date.
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Automatically create and use a service principal.
When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal. In the following Azure CLI example, a service principal is not specified. In this scenario, the Azure CLI creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.
az aks create --name myAKSCluster --resource-group myResourceGroup
This is what happened a few months ago - see Finished service principal creation:
Now when I try I get Add role propagation:
The problem is querying the servicePrincipalProfile.clientId results in msi, I need the guid of the service principal not the Managed Service Identity.
$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
echo $CLIENT_ID
Used to work:
Now it's changed:
How do I create the Kubernetes Cluster with a Service Principal as the documentation states and how it used to work?
Repro steps:
For Reference: I got the same and following your link I found that this worked.
az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv
and this returned the appropriate guid, that I could use for my RBAC assignment
# get the clientId of the cluster (kubelet managed identity, not the "msi" placeholder)
$clientId = (az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv)
# get the resourceId of the registry
$acrId = (az acr show -g acr -n myacr --query id -o tsv)
# give the cluster identity AcrPull on the registry (the assignee must be passed with --assignee)
az role assignment create --assignee $clientId --role AcrPull --scope $acrId
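An added helper, not from the question or the answer above, that picks the right identity whichever way the cluster was created: the service principal clientId when it is a real GUID, and the kubelet managed identity when servicePrincipalProfile.clientId is the literal "msi". The environment variable names and the sample GUIDs are assumptions; the live section only runs when those variables are set.

```shell
#!/bin/sh
# Added example (not the original post's code). Chooses the --assignee for AcrPull:
# a service-principal cluster exposes a GUID in servicePrincipalProfile.clientId,
# a managed-identity cluster exposes the string "msi" there and the real GUID under
# identityProfile.kubeletidentity.clientId.
set -eu

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

is_guid() {
  printf '%s' "$1" | grep -Eq "$GUID_RE"
}

# resolve_aks_client_id <servicePrincipalProfile.clientId> <identityProfile.kubeletidentity.clientId>
# Prints the GUID to grant AcrPull to; fails if neither value is a usable GUID.
resolve_aks_client_id() {
  sp_client_id="$1"; kubelet_client_id="${2:-}"
  case "$sp_client_id" in
    msi) ;;                                     # managed identity: fall through to kubelet id
    *) if is_guid "$sp_client_id"; then printf '%s\n' "$sp_client_id"; return 0; fi ;;
  esac
  if is_guid "$kubelet_client_id"; then
    printf '%s\n' "$kubelet_client_id"          # kubelet identity is what pulls images
    return 0
  fi
  echo "no usable client id (sp='$sp_client_id', kubelet='$kubelet_client_id')" >&2
  return 1
}

# Builds the role assignment command as text so it can be reviewed or logged before running.
acr_pull_assignment_cmd() {
  printf 'az role assignment create --assignee %s --role AcrPull --scope %s\n' "$1" "$2"
}

# Live path, assumed variable names; skipped entirely when they are not set.
if [ -n "${AKS_RESOURCE_GROUP:-}" ] && [ -n "${AKS_CLUSTER_NAME:-}" ] && [ -n "${ACR_NAME:-}" ]; then
  SP_ID=$(az aks show -g "$AKS_RESOURCE_GROUP" -n "$AKS_CLUSTER_NAME" --query servicePrincipalProfile.clientId -o tsv)
  KUBELET_ID=$(az aks show -g "$AKS_RESOURCE_GROUP" -n "$AKS_CLUSTER_NAME" --query identityProfile.kubeletidentity.clientId -o tsv)
  ACR_ID=$(az acr show -n "$ACR_NAME" --query id -o tsv)
  CLIENT_ID=$(resolve_aks_client_id "$SP_ID" "$KUBELET_ID")
  acr_pull_assignment_cmd "$CLIENT_ID" "$ACR_ID"
fi
```

Pipe the printed command into `sh` only after checking that the assignee is the kubelet identity GUID and not "msi".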