I am trying to create a LoadBalancer Service linked to an existing public IP with kubectl. Although I am an owner of the resource group (of both the public IP and the k8s cluster), the Service creation hangs with the following error in kubectl describe:

Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '[CLIENT_ID]' with object id '[OBJECT_ID]' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/[SUBSCRIPTION]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

I have tried assigning Owner role on my kubectl client, but the issue persists.

az role assignment create \
    --role Owner \
    --assignee xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AKS 1.18.14

1 Answer

The following guide answered my question: https://docs.microsoft.com/en-us/azure/aks/static-ip#create-a-service-using-the-static-ip-address

Turns out, owner permission is somehow not enough. After adding the following permissions, I am able to create a service that links to an existing load balancer:

az role assignment create \
    --assignee <SP Client ID> \
    --role "Network Contributor" \
    --scope /subscriptions/<subscription id>/resourceGroups/<resource group name>
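The AuthorizationFailed message in the question already names the three things the fix needs: the identity that was denied (the client/object id, which is the cluster's own identity that the Azure cloud provider uses, not the user running kubectl), the action, and the scope. The following is an added example, not code from the question or the answer: a small triage helper that pulls those fields out of the RawError JSON that kubectl describe prints, reduces the scope to its resource group, checks whether a planned role assignment scope would actually cover the required scope (Azure RBAC inherits downward, so a resource-group assignment covers resources inside it, but an assignment on a different resource group does not), and builds the Network Contributor assignment from the answer. The GUIDs and the resource group name rg-net in the sample event are constructed placeholders.

```python
"""Triage helper for the AKS cloud-provider AuthorizationFailed event.
Added example; the event text below is a constructed sample with placeholder ids."""
import json
import re

# Constructed sample: the event from the question with placeholder GUIDs and RG name.
SAMPLE_EVENT = (
    "Error syncing load balancer: failed to ensure load balancer: Retriable: false, "
    "RetryAfter: 0s, HTTPStatusCode: 403, RawError: Retriable: false, RetryAfter: 0s, "
    "HTTPStatusCode: 403, RawError: "
    '{"error":{"code":"AuthorizationFailed","message":"The client '
    "'11111111-1111-1111-1111-111111111111' with object id "
    "'22222222-2222-2222-2222-222222222222' does not have authorization to perform "
    "action 'Microsoft.Network/publicIPAddresses/read' over scope "
    "'/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-net"
    "/providers/Microsoft.Network' or the scope is invalid. If access was recently "
    'granted, please refresh your credentials."}}'
)

# Shape of the ARM authorization error message (quoted ids, action and scope).
MSG_RE = re.compile(
    r"The client '(?P<client_id>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)


def parse_authorization_failed(event_text):
    """Return client_id, object_id, action and scope from the RawError JSON.

    The cloud provider nests the message, so the JSON body follows the last
    'RawError: ' marker in the event text."""
    marker = "RawError: "
    idx = event_text.rfind(marker)
    if idx < 0:
        raise ValueError("no RawError payload in event text")
    body = json.loads(event_text[idx + len(marker):])
    err = body["error"]
    if err.get("code") != "AuthorizationFailed":
        raise ValueError(f"unexpected error code {err.get('code')!r}")
    m = MSG_RE.search(err["message"])
    if not m:
        raise ValueError("message does not match the AuthorizationFailed format")
    return m.groupdict()


def resource_group_scope(scope):
    """Reduce a resource or provider scope to its /subscriptions/.../resourceGroups/... prefix."""
    m = re.match(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)", scope, re.IGNORECASE)
    if not m:
        raise ValueError(f"scope is not inside a resource group: {scope}")
    return m.group(1)


def scope_covers(assignment_scope, required_scope):
    """True if a role assignment at assignment_scope is inherited by required_scope.

    Azure resource ids are case-insensitive, and an assignment covers its own
    scope plus every child path under it."""
    a = assignment_scope.rstrip("/").lower()
    r = required_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def suggest_assignment(info, role="Network Contributor"):
    """Build the role assignment from the answer for the identity the error names,
    scoped to the resource group that holds the public IP."""
    scope = resource_group_scope(info["scope"])
    return (
        f"az role assignment create --assignee {info['client_id']} "
        f'--role "{role}" --scope {scope}'
    )


if __name__ == "__main__":
    info = parse_authorization_failed(SAMPLE_EVENT)
    print("denied identity:", info["client_id"], "action:", info["action"])
    print("required scope:", info["scope"])
    print(suggest_assignment(info))
```

Paste the Events text from kubectl describe svc into parse_authorization_failed to get the identity and scope, then compare your intended --scope against the required scope with scope_covers before running the assignment; an Owner assignment that lands on a scope that does not contain the public IP's resource group will not satisfy the request.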