0
votes

I am unable to pass service principal password stored in the vault for az aks create --client-secret parameter

To Reproduce 1.) create a vault

az keyvault create \
    --name ${AZURE_VAULT_NAME} \
    --resource-group ${AZURE_RESOURCE_GROUP} \
    --location ${AZURE_LOCATION} \
    --enabled-for-deployment 'true'

2.) create service principal account using vault

az ad sp create-for-rbac \
    --skip-assignment \
    --name ${AZURE_SERVICE_PRINCIPAL_NAME} \
    --create-cert \
    --cert ${AZURE_VAULT_SERVICE_PRINCIPAL_KEY_NAME} \
    --keyvault ${AZURE_VAULT_NAME}

3.) output to az ad sp create shows as

{
  "appId": "d216c019-cd17-4350-a467-77be6e76c135",
  "displayName": "aksServicePrincipalPOC",
  "name": "http://aksServicePrincipalPOC",
  "password": null,
  "tenant": "06dd2342-6928-44d9-bd0f-bfb06b15a097"
}

Note password is null.

4.) create aks cluster using service principal. There does not appear to be a way to pass the secret or vault name for the az aks create command. I have no value to set --client-secret since it was not returned when creating service principal account.

az aks create \
    --resource-group ${AZURE_RESOURCE_GROUP} \
    --name ${AKS_CLUSTER_NAME} \
    --admin-username ${AKS_NODE_ADMIN_USERNAME} \
    --node-count ${AKS_MIN_NUMBER_OF_NODES} \
    --service-principal ${AZURE_SERVICE_PRINCIPAL} \
    --client-secret ??????????? \
    --ssh-key-value ${AKS_VM_SSH_KEY_FILE_DIR}/${AKS_VM_SSH_KEY_FILE_NAME}.pub \    
    --network-plugin azure \
    --vnet-subnet-id ${AZURE_PRIVATE_SUBNET_ID} \
    --docker-bridge-address ${AZURE_AKS_DOCKER_BRIDGE_ADDRESS} \
    --dns-service-ip ${AZURE_AKS_DNS_SERVICE_IP} \
    --service-cidr ${AZURE_AKS_SERVICE_CIDR}

Expected behavior: There should be an option with az aks create to have it pull the service principal password from the vault maintaining that secret.

1

1 Answers

0
votes

this wont work, as this creates a certificate auth for the service principal, not password auth (hence it not returning any password value).

because you are asking it to create a certificate auth enabled service principal.