0
votes

I am trying to create an instance of AKS Container Service with managed identity using an ARM template. No problems if I use the az CLI:

az aks create -g "sa-rg" -n "aks-cluster" --enable-managed-identity

However I cannot obtain the same result using an ARM template.

Let's consider the following base ARM template

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "outputs": {},
  "parameters": {},
  "resources": [
    {
      "apiVersion": "2021-03-01",
      "dependsOn": [],
      "location": "australiaeast",
      "name": "aks-cluster",
      "properties": {
        "agentPoolProfiles": [
          {
            "name": "agentpool",
            "count": 1,
            "vmSize": "Standard_DS2_v2",
            "osType": "Linux",
            "osDiskSizeGB": 128,
            "osDiskType": "Managed",
            "maxPods": 110,
            "type": "VirtualMachineScaleSets",
            "mode": "System"
          }
        ],
        "dnsPrefix": "aks-cluster-dns",
        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": null
        },
        "identity": {
          "type": "SystemAssigned"
        },
        "enableRBAC": true
      },
      "type": "Microsoft.ContainerService/managedClusters"
    }
  ]
}

According to https://github.com/Azure/azure-cli/issues/12219#issuecomment-636143374, to create with managed identity (MSI), only the "identity" object should be needed, not "servicePrincipalProfile". But, if I do so, I get the following exception:

ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '5a6c6444-c74b-4709-888e-bef816d05ca9'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "Required parameter servicePrincipalProfile is missing (null).",\n "target": "servicePrincipalProfile"\n }. Details: "}]}}

However, if I insert "servicePrincipalProfile" (as shown above), I get:

ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '536bca0b-33b8-45f8-8407-edba873d3657'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.",\n "target": "servicePrincipalProfile.secret"\n }. Details: "}]}}

I have tried

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": null
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": ""
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": "dummy"
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi"
        },
        "identity": {
          "type": "SystemAssigned"
        },

and again the same 4 removing "identity", but I always get "The value of parameter servicePrincipalProfile.secret is invalid".

What is the right ARM template to create the Container Service?


2 Answers

1
votes

A few things:

  • The identity property should be at the root of the resource,
  • You only need to specify clientId: "msi" in the servicePrincipalProfile property.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "outputs": {},
  "parameters": {},
  "resources": [
    {
      "apiVersion": "2021-03-01",
      "dependsOn": [],
      "location": "australiaeast",
      "name": "aks-cluster",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "agentPoolProfiles": [
          {
            "name": "agentpool",
            "count": 1,
            "vmSize": "Standard_DS2_v2",
            "osType": "Linux",
            "osDiskSizeGB": 128,
            "osDiskType": "Managed",
            "maxPods": 110,
            "type": "VirtualMachineScaleSets",
            "mode": "System"
          }
        ],
        "dnsPrefix": "aks-cluster-dns",
        "servicePrincipalProfile": {
          "clientId": "msi"
        },
        "enableRBAC": true
      },
      "type": "Microsoft.ContainerService/managedClusters"
    }
  ]
}
0
votes

The servicePrincipalProfile is only used when you are provisioning a Service Principal outside of the ARM template and need to pass its properties into the template. In my deployments I've set this to an empty object though it could potentially be omitted entirely as the documentation says it's not a required property.

        "servicePrincipalProfile": {},
        "identity": {
          "type": "SystemAssigned"
        },

Though it's not documented, in my experience you can also omit the identity property and it will default to SystemAssigned.
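As an added pre-deployment check (not code from either answer), the script below lints a loaded ARM template for the two layout mistakes both answers point at: 'identity' nested inside 'properties' and a 'secret' key under servicePrincipalProfile, which is exactly the credential that managed identity is meant to remove from the template. The sample template, the function names and the "fix" rewrite are assumptions modelled on the templates above.

```python
import copy
import json

AKS_TYPE = "Microsoft.ContainerService/managedClusters"

# Constructed sample (not a template from the page) reproducing the two
# mistakes discussed above: 'identity' nested under 'properties' and a 'secret' key.
BROKEN_TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2021-03-01",
    "name": "aks-cluster",
    "properties": {
      "dnsPrefix": "aks-cluster-dns",
      "servicePrincipalProfile": {"clientId": "msi", "secret": null},
      "identity": {"type": "SystemAssigned"}
    }
  }]
}""")

def aks_resources(template):
    return [r for r in template.get("resources", []) if r.get("type") == AKS_TYPE]

def check_aks_identity(template):
    """One finding per layout problem; an empty list means it matches the answers."""
    findings = []
    for res in aks_resources(template):
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        if "identity" in props:
            findings.append(f"{name}: 'identity' is under 'properties'; move it to the resource root")
        spp = props.get("servicePrincipalProfile")
        if isinstance(spp, dict):
            if "secret" in spp:  # null, "" and "dummy" are all rejected at deployment
                findings.append(f"{name}: drop 'servicePrincipalProfile.secret' entirely")
            client_id = spp.get("clientId")
            if client_id not in (None, "msi"):
                findings.append(f"{name}: clientId {client_id!r} is a real service principal, not 'msi'")
    return findings

def fix_for_managed_identity(template):
    """Deep copy rewritten to the first answer's layout: identity at the root, no secret."""
    fixed = copy.deepcopy(template)
    for res in aks_resources(fixed):
        props = res.setdefault("properties", {})
        res["identity"] = props.pop("identity", None) or res.get("identity") or {"type": "SystemAssigned"}
        props["servicePrincipalProfile"] = {"clientId": "msi"}
    return fixed
```

Run the check against the template file you are about to hand to az deployment group create; an empty finding list is the layout the first answer shows.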