stackoom
  简体   繁体   中英

Terraform: Error when creating azure kubernetes service with local_account_disabled=true

 原文  2022-02-17 10:53:21       terraform/ azure-aks

Question

An error occurs when I try to create a AKS with Terraform. The AKS was created but the error still comes at the end, which is ugly.

        │ Error: retrieving Access Profile for Cluster: (Managed Cluster Name 
"aks-1" / Resource Group "pengine-aks-rg"): 
    containerservice.ManagedClustersClient#GetAccessProfile: Failure responding to request:
     StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 
    Code="BadRequest" Message="Getting static credential is not allowed because this cluster 
    is set to disable local accounts."

This is my terraform code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.96.0"
    }
  }
}

resource "azurerm_resource_group" "aks-rg" {
  name     = "aks-rg"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "aks-1" {
  name                = "aks-1"
  location            = azurerm_resource_group.aks-rg.location
  resource_group_name = azurerm_resource_group.aks-rg.name
  dns_prefix          = "aks1"
  local_account_disabled = "true"

  default_node_pool {
    name       = "nodepool1"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Test"
  }
}

Is this a Terraform bug? Can I avoid the error?

1 answers

solution1
 3 ACCPTED  2022-02-17 12:02:00

If you disable local accounts you need to activate AKS-managed Azure Active Directory integration as you have no more local accounts to authenticate against AKS.

This example enables RBAC, Azure AAD & Azure RBAC:

resource "azurerm_kubernetes_cluster" "aks-1" {
  ... 

  role_based_access_control {
    enabled = true

    azure_active_directory {
      managed                = true
      tenant_id              = data.azurerm_client_config.current.tenant_id
      admin_group_object_ids =  ["OBJECT_IDS_OF_ADMIN_GROUPS"]
      azure_rbac_enabled     = true
    }
  }
}

If you dont want AAD integration you need set local_account_disabled = "false" .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure Service Bus Error: Ensure RequiresSession is set to true when creating a Queue, with Databricks terraform - Unable to fetch service account from Kubernetes: serviceaccounts "<name of service account>" not found Terraform 403 error when creating function app and storage account with private endpoint Error creating Liquid Map on Azure with Terraform Azure: How do I fix this Error when Creating Service Principle? `Error 403: Insufficient regional quota to satisfy request: resource "SSD_TOTAL_GB"` when creating kubernetes cluster with terraform GCP: Impersonate Service Account with python from local creds. IAM Service Account Credentials API disabled Defining a ClusterRoleBinding for Terraform service account Terraform set azure storage account virtual network Creating Azure Storage account from PowerShell giving error
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM