az aks create - it used to create Service Principal now Managed Service Identity

2/11/2021

Update:
A colleague who works for Microsoft said:

Changelog entry for this behaviour change is here: https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#aks-3

<hr>

I'm following the proper instructions and the documentation must be out of date.

https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

Automatically create and use a service principal.
When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal. In the following Azure CLI example, a service principal is not specified. In this scenario, the Azure CLI creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.

az aks create --name myAKSCluster --resource-group myResourceGroup

This is what happened a few months ago - see Finished service principal creation:

enter image description here

Now when I try I get Add role propagation:

enter image description here

The problem is querying the servicePrincipalProfile.clientId results in msi, I need the guid of the service principal not the Managed Service Identity.

$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
echo $CLIENT_ID

Used to work:

enter image description here

Now its changed:

enter image description here

How do I create the Kubernetes Cluster with a Service Principal as the documentation states and how it used to work?

Repro steps:

https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/80-Kubernetes.md

https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/85-Kubernetes-Deployment.md

-- Jeremy Thompson
azure
kubernetes
service-principal

1 Answer

9/8/2021

For Reference: I got the same and following your link I found that this worked.

az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv

enter image description here

and this returned the appropriate guide, that I could use for my RBAC assignment

# get the clientId of the cluster
$clientId = (az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv)

# get the resourceId of the registry
$acrId=(az acr show -g acr -n myacr --query id -o tsv)


# give authority for cluster id to the acr pull
az role assignment create $clientId --role AcrPull --scope $acrId
-- Preet Sangha
Source: StackOverflow