Undocumented access requirements

[anderius]

I have created a service principal, and added it to a group that is administrators in the AKS cluster (using AAD RBAC).

Still, it requires some additional access to log in:

Error: ***"error":***"code":"AuthorizationFailed","message":"The client 'XXXX' with object id 'XXXXXX' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' over scope '/subscriptions/XXXXX/resourceGroups/XXXX/providers/Microsoft.ContainerService/managedClusters/XXXX/accessProfiles/clusterAdmin' or the scope is invalid. If access was recently granted, please refresh your credentials."***

It would be nice if the required access was documented, or maybe I am doing something wrong here?

The required action listCredential, I am not sure about that. :-)

[anderius]

Hmm.. It only happens the second time I use the action in the same job. For different clusters. I think I should investigate more, and will close for now.

[Waidmann]

Hi @anderius I'm facing this issue now and was wondering if you ever got to the bottom of this?

[anderius]

@Waidmann I am afraid it is too long ago for me to remember, and I am not working with the project where the issue was anymore. Sorry I could not be of any help!

[Waidmann]

Thanks anyways :) I will update once I find a workaround/fix!