Note: This is my first time posting here, so apologies if this isn't the right platform for this type of question or if the context is not clear. Any feedback is welcome!
At a high level, I'm struggling to create a public AKS cluster using the PS cmdlet New-AzAksCluster because every time it runs it will attempt to create a Service Principal even if I supply the options -EnableManagedIdentity & -AssignIdentity
My expectation would be that it will use the assigned Managed Identity instead. The reason I'm expecting that is that a) when I use the az cli to create the same cluster with the same options, it will not create an sp but instead propagate the Az AD roles to the identity it is given:
b) according to the docs it shouldn't behave like that: https://learn.microsoft.com/en-us/powershell/module/az.aks/new-azakscluster?view=azps-10.4.1 https://learn.microsoft.com/en-us/azure/aks/use-managed-identity
AKS doesn't automatically create a service principal, so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead.
I tested it using the PowerShell on my localhost, the one integrated with VSCode, as well as the Azure CloudShell (also with different accounts, tenants and subscriptions) and found that it behaves the same. The fact that I'm Owner, GlobalAdmin (or any user role that has sufficient permissions) doesn't seem to matter either. I also tried to delete the 'acsServicePrincipal.json' file, to no avail.
I just wanted to bounce some ideas before I raise a github issue.
The New-AzAKSCluster PowerShell command does not allow you to enable Managed Identity without creating or taking an existing service principal, and the fix is still in implementation as per the GitHub merged issue.
As a fix for your issue, I found that calling New-AzAksCluster will always generate a service principal even if we have not provided one. As a result, if you want to create a cluster with managed identity, I recommend making use of the az aks create CLI command.
System managed identity:
az aks create -g <resourcegroup> -n <Clustername> --enable-managed-identity
User managed identity:
az aks create -g xxx -n jahuserCluster --enable-managed-identity --assign-identity <resourceID of user identity>
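The following is an added example, not code from the question or the answer: it runs the user-assigned variant of the az CLI command above from PowerShell and then confirms that the resulting cluster is actually backed by the managed identity rather than a service principal. The resource group, cluster and identity names are assumptions; the `servicePrincipalProfile.clientId` value of `msi` is what AKS reports for managed-identity clusters.

```powershell
# Added example (not from the question or answer). Creates an AKS cluster with a
# user-assigned managed identity via the az CLI, then verifies that no service
# principal is backing the control plane. Names below are assumptions.
$ResourceGroup = 'rg-aks-demo'            # assumption
$ClusterName   = 'aks-mi-demo'            # assumption
$IdentityName  = 'id-aks-control-plane'   # assumption: pre-created user-assigned identity

function Test-AksUsesManagedIdentity {
    # Returns $true only when the cluster reports a managed identity type and the
    # placeholder SP client id "msi". A real application id in
    # servicePrincipalProfile.clientId means a service principal is in use.
    param([Parameter(Mandatory)] $Cluster)
    $type       = $Cluster.identity.type
    $spClientId = $Cluster.servicePrincipalProfile.clientId
    return ($type -in 'SystemAssigned', 'UserAssigned') -and ($spClientId -eq 'msi')
}

# Resolve the resource ID of the identity the control plane should run as.
$identityId = az identity show -g $ResourceGroup -n $IdentityName --query id -o tsv
if (-not $identityId) { throw "Identity '$IdentityName' not found in '$ResourceGroup'" }

# Same command shape as the answer's user-managed-identity example.
az aks create -g $ResourceGroup -n $ClusterName `
    --enable-managed-identity `
    --assign-identity $identityId `
    --only-show-errors | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'az aks create failed' }

# Inspect what was actually provisioned.
$cluster = az aks show -g $ResourceGroup -n $ClusterName -o json | ConvertFrom-Json

if (Test-AksUsesManagedIdentity $cluster) {
    "Cluster '$ClusterName' uses a $($cluster.identity.type) managed identity; no service principal was created."
} else {
    throw "Cluster '$ClusterName' is backed by service principal '$($cluster.servicePrincipalProfile.clientId)'"
}
```

Running the same check against a cluster created with New-AzAksCluster makes the difference the question describes visible: the clientId will be a real application id instead of `msi`.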