Tags: azure, azure-aks, azure-rm-template, azure-managed-identity

Unable to create Azure AKS Container Service with Managed Identity using ARM template


I am trying to create an instance of AKS Container Service with managed identity using an ARM template. No problems if I use the az CLI:

az aks create -g "sa-rg" -n "aks-cluster" --enable-managed-identity

However I cannot obtain the same result using an ARM template.

Let's consider the following base ARM template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "outputs": {},
  "parameters": {},
  "resources": [
    {
      "apiVersion": "2021-03-01",
      "dependsOn": [],
      "location": "australiaeast",
      "name": "aks-cluster",
      "properties": {
        "agentPoolProfiles": [
          {
            "name": "agentpool",
            "count": 1,
            "vmSize": "Standard_DS2_v2",
            "osType": "Linux",
            "osDiskSizeGB": 128,
            "osDiskType": "Managed",
            "maxPods": 110,
            "type": "VirtualMachineScaleSets",
            "mode": "System"
          }
        ],
        "dnsPrefix": "aks-cluster-dns",
        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": null
        },
        "identity": {
          "type": "SystemAssigned"
        },
        "enableRBAC": true
      },
      "type": "Microsoft.ContainerService/managedClusters"
    }
  ]
}

According to https://github.com/Azure/azure-cli/issues/12219#issuecomment-636143374, to create with managed identity (MSI), only the "identity" object should be needed, not "servicePrincipalProfile". But, if I do so, I get the following exception:

ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '5a6c6444-c74b-4709-888e-bef816d05ca9'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "Required parameter servicePrincipalProfile is missing (null).",\n "target": "servicePrincipalProfile"\n }. Details: "}]}}

However, if I insert "servicePrincipalProfile" (as shown above), I get:

ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '536bca0b-33b8-45f8-8407-edba873d3657'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.",\n "target": "servicePrincipalProfile.secret"\n }. Details: "}]}}

I have tried

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": null
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": ""
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": "dummy"
        },
        "identity": {
          "type": "SystemAssigned"
        },

        "servicePrincipalProfile": {
          "clientId": "msi"
        },
        "identity": {
          "type": "SystemAssigned"
        },

and again the same 4 without "identity", but I always get the "The value of parameter servicePrincipalProfile.secret is invalid" error.

What is the right ARM template to create the Container Service?


Solution

  • A few things:

    • The identity property should be at the root of the resource.
    • You only need to specify clientId: "msi" in the servicePrincipalProfile property.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "outputs": {},
      "parameters": {},
      "resources": [
        {
          "apiVersion": "2021-03-01",
          "dependsOn": [],
          "location": "australiaeast",
          "name": "aks-cluster",
          "identity": {
            "type": "SystemAssigned"
          },
          "properties": {
            "agentPoolProfiles": [
              {
                "name": "agentpool",
                "count": 1,
                "vmSize": "Standard_DS2_v2",
                "osType": "Linux",
                "osDiskSizeGB": 128,
                "osDiskType": "Managed",
                "maxPods": 110,
                "type": "VirtualMachineScaleSets",
                "mode": "System"
              }
            ],
            "dnsPrefix": "aks-cluster-dns",
            "servicePrincipalProfile": {
              "clientId": "msi"
            },
            "enableRBAC": true
          },
          "type": "Microsoft.ContainerService/managedClusters"
        }
      ]
    }
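As an added example that is not part of the original answer, here is a small pre-deployment check that applies the two rules above to an ARM template: `identity` must sit at the resource root rather than under `properties`, and `servicePrincipalProfile` must carry only `clientId: "msi"` with no `secret` key at all (a secret, even a null one, is what the resource provider rejects, and a real one would be a credential checked into a template). The function names are my own and the two sample templates are constructed from the question and the answer.

```python
import json

AKS_TYPE = "Microsoft.ContainerService/managedClusters"


def check_aks_managed_identity(template_json: str) -> list[str]:
    """Lint every AKS resource in an ARM template for the MSI shape the answer
    describes: root-level 'identity', and a servicePrincipalProfile holding only
    clientId 'msi' (a 'secret' key, even null, is what the RP rejects).
    Returns one finding per violation; an empty list means the shape is right."""
    findings = []
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != AKS_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        if "identity" in props:
            findings.append(f"{name}: 'identity' nested under 'properties'; move to resource root")
        if "identity" not in res:
            findings.append(f"{name}: no root-level 'identity'")
        spp = props.get("servicePrincipalProfile")
        if spp is None:
            findings.append(f"{name}: 'servicePrincipalProfile' missing; set clientId to 'msi'")
        else:
            if spp.get("clientId") != "msi":
                findings.append(f"{name}: servicePrincipalProfile.clientId must be 'msi'")
            if "secret" in spp:
                findings.append(f"{name}: drop servicePrincipalProfile.secret; MSI uses no secret")
    return findings


def _template(resource: dict) -> str:
    """Wrap one resource in a minimal template body (constructed sample, not a real deployment)."""
    return json.dumps({"contentVersion": "1.0.0.0", "resources": [resource]})


# Constructed from the question: identity under properties and a null secret.
BROKEN = _template({"type": AKS_TYPE, "name": "aks-cluster", "apiVersion": "2021-03-01",
                    "properties": {"servicePrincipalProfile": {"clientId": "msi", "secret": None},
                                   "identity": {"type": "SystemAssigned"}}})

# Constructed from the answer: identity at the root, clientId only.
FIXED = _template({"type": AKS_TYPE, "name": "aks-cluster", "apiVersion": "2021-03-01",
                   "identity": {"type": "SystemAssigned"},
                   "properties": {"servicePrincipalProfile": {"clientId": "msi"}}})

if __name__ == "__main__":
    for label, tpl in (("question", BROKEN), ("answer", FIXED)):
        print(label, check_aks_managed_identity(tpl) or ["ok"])
```

Running it reports three findings for the question's template and none for the answer's; the same function can be dropped into a CI step that gates `az deployment group create`.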