I'm creating an AKS cluster through the Azure CLI.

Something like:

az aks create \
    --resource-group RESOURCE-GROUP \
    --name "mycluster" \
    --enable-managed-identity \
    --network-plugin "azure" \
    --no-ssh-key \
    ...

After creation I get a managed identity mycluster-agentpool. I have given that identity the "Network Contributor" role on the resource group where the PublicIP is located. I waited over an hour.

But I still get this error from the nginx service:

network.PublicIPAddressesClient#List: Failure responding to request: StatusCode=403 -- 
Original Error: autorest/azure: Service returned an error. 
Status=403 
Code="AuthorizationFailed" 
Message="The client '00000000-0000-0000-0000-00000000' with object id '00000000-0000-0000-0000-00000000' does not have authorization to perform action 
'Microsoft.Network/publicIPAddresses/read' over scope 
'/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/RESOURCE-GROUP/providers/Microsoft.Network' or the scope is invalid. 
If access was recently granted, please refresh your credentials."

What I find strange is that after creating the cluster and querying the "identity":

az aks show -g RESOURCE-GROUP -n mycluster --query "identity"

I get (sample GUIDs):

{
  "principalId": "00000000-1234-1234-1234-00000000",
  "tenantId": "00000000-5678-5678-5678-00000000",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}

And this principalId doesn't match the ObjectId of the mycluster-agentpool identity, and I cannot find anywhere what it belongs to, because I suspected the principalId was the identity that needed the rights.

With what identity is the nginx service trying to connect?

Might be the cluster managed identity. You won't see an actual resource for it (because it's system managed), but if you go to the AAD tenant and click "Enterprise Applications", you should be able to search by cluster name. – mmking

Thanks @mmking, this was exactly it. I might add that the search bar in the Enterprise Applications portal is a bit unresponsive. Make sure you select "All Applications" and re-type the name of your cluster or click "Apply". Two identities created for the cluster will show up. The identity named after the cluster's name is the one I had to give "Network Contributor" to the RG holding the public IP. The one with the "-agentpool" suffix was not necessary. – carraua

I added another answer to explain the relationship between the identity and the Nginx ingress. It should be helpful to you. – Charles Xu

Does the new answer solve your problem? – Charles Xu

1 Answer


According to my research, I find that when you enable Managed Identity for AKS, the properties of the AKS cluster show the servicePrincipalProfile with MSI. And when you want to associate a public IP address in another resource group, you need to grant the "Network Contributor" role to the Managed Identity of the AKS cluster. You can get the principal Id via the CLI as you showed:

az aks show -g RESOURCE-GROUP -n mycluster --query "identity.principalId"

You can get more details about the Managed Identity for the "Network Contributor" role here. It shows that the identity for the control plane manages the networking resources, including ingress load balancers and AKS managed public IPs. And the above CLI command shows the identity of the control plane to you.

This principal Id is an object Id and you can get the service principal via the CLI like this:

az ad sp show --id principalId
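The full fix described in this answer, written up as an added example (not code from the question, the answer, or Azure's own docs): confirm that the object id in the 403 message is the control-plane identity rather than the -agentpool (kubelet) identity, then grant it "Network Contributor" on the public IP's resource group. The names IP_RG, RUN_AZ and AKS_ERROR are assumptions chosen here; the cluster and resource group names are the ones from the question, and the embedded error text is the question's sample message.

```shell
#!/bin/sh
# Added example: identify which AKS identity the 403 refers to, then grant it
# "Network Contributor" on the resource group that holds the public IP.
# Assumes az CLI is installed and logged in. IP_RG / RUN_AZ / AKS_ERROR are
# names chosen for this example, not from the question or answer.
set -eu

CLUSTER_RG="${CLUSTER_RG:-RESOURCE-GROUP}"
CLUSTER_NAME="${CLUSTER_NAME:-mycluster}"
IP_RG="${IP_RG:-RESOURCE-GROUP}"   # resource group holding the public IP

# Error text as quoted in the question (sample GUIDs), embedded for the offline check.
SAMPLE_ERROR="Message=\"The client '00000000-0000-0000-0000-00000000' with object id '00000000-0000-0000-0000-00000000' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/RESOURCE-GROUP/providers/Microsoft.Network' or the scope is invalid.\""

# ARM scope of a resource group: the narrowest scope that covers the public IP.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Pull the caller's object id out of an AuthorizationFailed message.
object_id_from_error() {
  printf '%s\n' "$1" | sed -n "s/.*with object id '\([^']*\)'.*/\1/p" | head -n 1
}

# Case-insensitive GUID comparison (az prints lower case, the portal may not).
same_identity() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Live part: only runs with RUN_AZ=1 and az present, so the helpers work offline.
if [ "${RUN_AZ:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  control_plane_id=$(az aks show -g "$CLUSTER_RG" -n "$CLUSTER_NAME" \
    --query identity.principalId -o tsv)
  kubelet_id=$(az aks show -g "$CLUSTER_RG" -n "$CLUSTER_NAME" \
    --query identityProfile.kubeletidentity.objectId -o tsv)
  denied_id=$(object_id_from_error "${AKS_ERROR:-$SAMPLE_ERROR}")
  if same_identity "$denied_id" "$control_plane_id"; then
    echo "403 came from the control-plane identity (named after the cluster in Enterprise Applications)"
  elif same_identity "$denied_id" "$kubelet_id"; then
    echo "403 came from the kubelet (-agentpool) identity"
  fi
  scope=$(rg_scope "$(az account show --query id -o tsv)" "$IP_RG")
  az role assignment create --assignee-object-id "$control_plane_id" \
    --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope "$scope"
  # Verify; RBAC propagation takes a few minutes and the pod must fetch a new token.
  az role assignment list --assignee "$control_plane_id" --scope "$scope" -o table
fi
```

Run it with `RUN_AZ=1 AKS_ERROR="$(kubectl logs ...)"` pasted from the failing nginx pod to compare the denied object id against both cluster identities before assigning the role.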