I strongly recommend deploying AKS with a service principal account. Later you will need it for:
- Storage account
- Azure Container Registry (ACR)
- External IP mapping

So let's start.
- Our variables:

```bash
ACR_NAME=ksidopsaks   # my Azure Container Registry
AKS_CLUSTER=test-aks-cluster
RG=dOPS_storage
SERVICE_PRINCIPAL_NAME=ksi-rbac-service-principal
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query "id" --output tsv)
```

- Create service principal account

```bash
# Plain creation prints the credentials once as JSON, but we need the secret in a variable
az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME"
# I recommend this form instead: scope the SP to the registry with the acrpull
# role and capture the generated password directly
SP_SECRET=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --scopes "$ACR_REGISTRY_ID" --role acrpull --query "password" --output tsv)
SP_ID=$(az ad sp list --display-name "$SERVICE_PRINCIPAL_NAME" --query "[].appId" --output tsv)
# Note these values!
echo "Service principal ID: $SP_ID"
# Service principal ID: 0c201615-9868-49f0-abf6-37eb87a720cb
echo "Service principal secret: $SP_SECRET"
# Service principal secret: M-LU16UPh_JhDW--soFE7ueTr9MaaOHnTI
```

- Reset secret

```bash
SP_SECRET=$(az ad sp credential reset --name "$SP_ID" --years 20 --query password -o tsv)
```

- Update secret for AKS:

```bash
# Use double quotes here: inside single quotes the literal string '$SP_SECRET'
# would be stored on the cluster as the secret instead of the real value
az aks update-credentials --resource-group "$RG" --name "$AKS_CLUSTER" --reset-service-principal --service-principal "$SP_ID" --client-secret "$SP_SECRET"
```

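A pre-flight check for the credential update step above, added here as an example and not part of the original page: it rejects a client ID that is not a GUID and a secret that is empty or still contains an unexpanded `$` (what you get from writing `'$SP_SECRET'` in single quotes), then runs `az aks update-credentials` with the secret as its own double-quoted argument and never echoes it. `AZ_BIN`, `is_guid`, `validate_sp_inputs` and `update_aks_sp` are names chosen for this example; set `AZ_BIN=echo` to print the command instead of calling Azure.

```shell
#!/bin/sh
# Added example, not from the original page. Pre-flight checks before
# rotating the AKS service principal secret. AZ_BIN, is_guid,
# validate_sp_inputs and update_aks_sp are names chosen for this example.
set -eu

# Point AZ_BIN at `echo` to print the command instead of calling Azure.
AZ_BIN="${AZ_BIN:-az}"

# Return 0 if $1 has the shape of an Azure AD application (client) ID.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reject values that would leave the cluster with an unusable credential:
# a non-GUID client ID, an empty secret, or a secret that still contains
# '$' (the literal '$SP_SECRET' produced by single quotes).
validate_sp_inputs() {
  sp_id="$1"
  sp_secret="$2"
  if ! is_guid "$sp_id"; then
    echo "SP_ID is not a GUID: $sp_id" >&2
    return 1
  fi
  case "$sp_secret" in
    ''|*'$'*)
      echo "SP_SECRET is empty or looks unexpanded" >&2
      return 1 ;;
  esac
  return 0
}

# Rotate the credential on the cluster. The secret is passed as its own
# double-quoted argument and is never echoed, so it does not end up in
# the terminal scrollback.
update_aks_sp() {
  rg="$1"; cluster="$2"; sp_id="$3"; sp_secret="$4"
  validate_sp_inputs "$sp_id" "$sp_secret" || return 1
  "$AZ_BIN" aks update-credentials \
    --resource-group "$rg" \
    --name "$cluster" \
    --reset-service-principal \
    --service-principal "$sp_id" \
    --client-secret "$sp_secret"
}

# Usage with the page's variables:
#   update_aks_sp "$RG" "$AKS_CLUSTER" "$SP_ID" "$SP_SECRET"
```

The validation runs before any Azure call, so a mistyped ID or a quoting slip fails locally instead of being written to the cluster and discovered only when the nodes can no longer authenticate.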
- Show SP ID

```bash
SP_ID=$(az aks show --resource-group "$RG" --name "$AKS_CLUSTER" --query servicePrincipalProfile.clientId -o tsv)
echo "$SP_ID"
```

- Show SP attributes

```bash
SERVICE_PRINCIPAL_NAME=$(az ad sp show --id "$SP_ID" --query appDisplayName -o tsv) && echo "$SERVICE_PRINCIPAL_NAME"
```

- Delete service principal account

```bash
az ad sp delete --id "$SP_ID"
```

- Use the SP ID to create AKS:

```bash
az aks create \
  --resource-group "$RG" \
  --name "$AKS_CLUSTER" \
  --service-principal "$SP_ID" \
  --client-secret "$SP_SECRET"
```