
Create Azure Container Service cluster fails with error insufficient privileges for Azure Graph


With the Azure CLI version 2.0.20 I am suddenly not able to create ACS clusters anymore.

The resource group testrg has been created with:

az group create -l westus -n testrg

Both az aks and acs fail. Commands used:

az aks create -n test-k8s-stg -g testrg
az acs create --orchestrator-type=kubernetes --resource-group testrg --name=test-nix-stg --admin-username test-admin --admin-password TestPassword --generate-ssh-keys

Both fail with error:

Insufficient privileges to complete the operation.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 630, in _execute_command
    raise client_exception
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 516, in acs_create
    dns_name_prefix, location, name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1372, in _ensure_service_principal
    service_principal = _build_service_principal(client, name, url, client_secret)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 319, in _build_service_principal
    result = create_application(client.applications, name, url, [url], password=client_secret)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 970, in create_application
    return client.create(app_create_param)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\graphrbac\operations\applications_operations.py", line 87, in create
    raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Insufficient privileges to complete the operation.

I am able to create other resources with the CLI, for instance a web app with commands:

az appservice plan create -g testrg -n B1Plan --is-linux
az webapp create --resource-group testrg --name testwebapp -p B1Plan -r "node|8.1"

Solution

  • As Weinong Wang pointed out, I had to supply the AppId of an existing service principal with its client secret because I don't have permissions to create a new service principal for the cluster.

    The commands to create a new cluster and configure kubectl to connect to it are:

    az aks create -n test-k8s-stg -g testrg
    az acs create --orchestrator-type=kubernetes --resource-group testrg --name=test-nix-stg --admin-username test-admin --admin-password TestPassword --generate-ssh-keys --service-principal "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --client-secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
    az acs kubernetes get-credentials --resource-group=testrg --name=test-nix-stg
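
A pre-flight wrapper around the commands from the answer above, as an added example that is not part of the original post: it refuses to call `az acs create` unless an existing service principal AppId and secret are supplied, so the CLI never reaches the Graph call that failed. The environment variable names `ACS_SP_APP_ID` and `ACS_SP_SECRET` and the function names are assumptions made for this example, and `--admin-password` from the original command is left out.

```shell
#!/bin/sh
# Added example. ACS_SP_APP_ID / ACS_SP_SECRET are assumed variable names
# chosen here; the Azure CLI does not define them.

# Return 0 if $1 has the GUID shape of a service principal AppId.
is_guid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Usage: create_acs_with_sp <resource-group> <cluster-name> <admin-username>
create_acs_with_sp() {
  acs_rg="$1"; acs_name="$2"; acs_admin="$3"
  if [ -z "$acs_rg" ] || [ -z "$acs_name" ] || [ -z "$acs_admin" ]; then
    echo "usage: create_acs_with_sp <resource-group> <name> <admin-user>" >&2
    return 2
  fi
  # Without an AppId the CLI tries to create a service principal itself
  # (the _build_service_principal call in the traceback), which needs
  # directory permissions the caller in the question does not have.
  if ! is_guid "${ACS_SP_APP_ID:-}"; then
    echo "ACS_SP_APP_ID is not set to a service principal AppId (GUID)" >&2
    return 3
  fi
  if [ -z "${ACS_SP_SECRET:-}" ]; then
    echo "ACS_SP_SECRET is empty" >&2
    return 4
  fi
  # The secret comes from the environment so it is not typed into shell
  # history; it is still passed to az as an argument, as in the answer.
  az acs create --orchestrator-type=kubernetes \
    --resource-group "$acs_rg" --name="$acs_name" \
    --admin-username "$acs_admin" --generate-ssh-keys \
    --service-principal "$ACS_SP_APP_ID" \
    --client-secret "$ACS_SP_SECRET" || return $?
  az acs kubernetes get-credentials \
    --resource-group="$acs_rg" --name="$acs_name"
}
```

Source the file, export the two variables, then run `create_acs_with_sp testrg test-nix-stg test-admin`.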