
What authorization is needed to upgrade an AKS cluster?


I am trying to update my Azure Kubernetes Service (AKS) cluster with the following command:

az aks upgrade \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --kubernetes-version KUBERNETES_VERSION

This results in the following response:

(AuthorizationFailed) The client '>email<' with object id '>object id<' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/>id</resourceGroups/>resourcegroup-name</providers/Microsoft.ContainerService/managedClusters/>cluster-name<' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed

When I go to resourcegroup/Access Control (IAM), I find these roles assigned to me when I click on "view my access".


These are:

Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action.
--
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
--
Reader
View all resources, but does not allow you to make any changes.
--
Storage Account Contributor
Lets you manage storage accounts, including accessing storage account keys which prov...

I would expect that having the role "Azure Kubernetes Service RBAC Cluster Admin" that says: "Lets you manage all resources in the cluster." would authorize me to upgrade the cluster to a new version.

I run into the same problem when trying to create a static IP address via the Microsoft documentation.


Solution

  • I created a Kubernetes cluster with version 1.24; when I ran the same command, I got the same error:

    az aks upgrade \
        --resource-group myResourceGroup \
        --name myAKSCluster \
        --kubernetes-version KUBERNETES_VERSION
    

    ![enter image description here](https://i.imgur.com/1xgaXsy.png)

    To resolve this issue, make sure to add the Contributor role to the user at the subscription level.


    Now when I run the command below, I get the result successfully:

    az aks upgrade --resource-group <RGName> --name <myAKSCluster> --kubernetes-version 1.25
    


    "agentPoolProfiles": [
        {
          "availabilityZones": [
            "1",
            "2",
            "3"
          ],
          "count": 1,
          "creationData": null,
          "currentOrchestratorVersion": "1.25.6",
          "enableAutoScaling": true,
          "enableEncryptionAtHost": null,
          "enableFips": false,
          "enableNodePublicIp": false,
          "enableUltraSsd": null,
          "gpuInstanceProfile": null,
          "hostGroupId": null,
          "kubeletConfig": null,
          "kubeletDiskType": "OS",
          "linuxOsConfig": null,
          
    

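
An added example, not part of the original question or answer: a small evaluator that checks which assigned roles actually contain the control-plane action named in the `AuthorizationFailed` message. The role definitions are constructed, abbreviated copies of the built-in ones (an assumption to confirm with `az role definition list --name "<role name>"`), and "Azure Kubernetes Service Contributor Role" is included as a narrower built-in role that is not in the question's list.

```python
import re

# Constructed, abbreviated copies of built-in role definitions (assumption:
# confirm the full lists with `az role definition list --name "<role name>"`).
ROLES = {
    "Azure Kubernetes Service Cluster Admin Role": {"actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/read"]},
    "Azure Kubernetes Service RBAC Cluster Admin": {
        "actions": ["Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
        # Kubernetes API (data plane) permissions, not ARM control-plane ones.
        "dataActions": ["Microsoft.ContainerService/managedClusters/*"]},
    "Reader": {"actions": ["*/read"]},
    "Storage Account Contributor": {"actions": ["Microsoft.Storage/storageAccounts/*"]},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    # Not in the question's list: a narrower role that carries the write action.
    "Azure Kubernetes Service Contributor Role": {"actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write"]},
}

# The four roles shown under "view my access" in the question.
ASSIGNED = ["Azure Kubernetes Service Cluster Admin Role",
            "Azure Kubernetes Service RBAC Cluster Admin",
            "Reader", "Storage Account Contributor"]
# The action from the AuthorizationFailed message.
UPGRADE_ACTION = "Microsoft.ContainerService/managedClusters/write"

def _matches(pattern, action):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action, data_plane=False):
    """True if the role lists the action and does not exclude it again."""
    allow = role.get("dataActions" if data_plane else "actions", [])
    deny = role.get("notDataActions" if data_plane else "notActions", [])
    return (any(_matches(p, action) for p in allow)
            and not any(_matches(p, action) for p in deny))

def granting_roles(assigned, action, data_plane=False):
    """Names of the assigned roles that permit the action."""
    return [n for n in assigned if role_allows(ROLES[n], action, data_plane)]

if __name__ == "__main__":
    print("assigned roles granting upgrade:", granting_roles(ASSIGNED, UPGRADE_ACTION))
    print("with Contributor added:", granting_roles(ASSIGNED + ["Contributor"], UPGRADE_ACTION))
```

The `dataActions` wildcard of "Azure Kubernetes Service RBAC Cluster Admin" covers operations inside the cluster through the Kubernetes API, which is why it does not satisfy the ARM `managedClusters/write` check that `az aks upgrade` triggers.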