az aks create fails to obtain SP credentials

[davis-x]

Describe the bug
Failed to create aks cluster using command line az aks create -n my-cluster -g test

Instead the cli fails to pull the service principal credentials

Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'f4b3caa9-defb-4ada-b190-e8422327afbb' was not found in the directory '599a411f-b08b-45fe-8545-623369f42d16'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: bb906908-bf98-46ad-ad5f-6262bd779100\r\nCorrelation ID: b5bb293a-d4be-43be-9a86-180b51515b4b\r\nTimestamp: 2019-06-06 18:45:03Z","error_codes":[700016],"timestamp":"2019-06-06 18:45:03Z","trace_id":"bb906908-bf98-46ad-ad5f-6262bd779100","correlation_id":"b5bb293a-d4be-43be-9a86-180b51515b4b","error_uri":"https://login.microsoftonline.com/error?code=700016"})

To Reproduce
Run az aks create -n my-cluster -g test

Expected behavior
A cluster is created

Environment summary

Linux-4.9.87-linuxkit-aufs-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.66

Additional context
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#automatically-create-and-use-a-service-principal

The documentation clearly states that a principal should be created when one is not passed in.

In this case, a SP is being created, and I can see that after in the App Registrations panel, but yet the command is still failing, leaving me with a SP that appears to be useless

[davis-x]

I've run this command three times, and the first 2 it failed with the above error and the third time it looks like it's working. So .....

[anttipo]

I am witnessing this exact same behaviour. First two attempts failed but simply retrying the same command worked on 3rd attempt. Using Azure Cloud Shell with Bash.

[bitsofinfo]

experiencing a similar issue which previously worked before, now we can't create a cluster bound to another tenant-id anymore. This previously worked.

See: https://github.com/MicrosoftDocs/azure-docs/issues/32883

[jjgriff93]

Also facing a similar error, tried deploying twice today with a two hour window between deployments, no luck.

Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: d25ed14a-ae63-4abe-aad9-80b2557c1c00\r\nCorrelation ID: acb9e202-4c50-4a1c-860c-e4822b0c4f3c\r\nTimestamp: 2019-06-11 13:42:53Z","error_codes":[7000215],"timestamp":"2019-06-11 13:42:53Z","trace_id":"d25ed14a-ae63-4abe-aad9-80b2557c1c00","correlation_id":"acb9e202-4c50-4a1c-860c-e4822b0c4f3c"})

[marchanddesable]

Same thing here, it doesn't work, unable to create a new AKS cluster with the portal or Cli...

[jjgriff93]

@marchanddesable as a temporary workaround I manually created a service principal then passed in the details into the az aks create command, which worked

[GLink]

@jjgriff93, fyi, this workaround did not work in my case, trying more than 3 times also.

[marchanddesable]

I still have the same error if I try to create a AKS cluster in the portal or just by running a command like:
az aks create -n my-cluster -g MyResGroup

BUT...
I can create the AKS cluster with the following steps:

1. create a service principal and get the informations
   az ad sp create-for-rbac --skip-assignment

It will show something like:

{
"appId": "4567876c-47d4-438b-8341-67g1a3d12rae",
"displayName": "azure-cli-2019-06-15-22-24-12",
"name": "http://azure-cli-2019-06-15-22-24-12",
"password": "xzzg445667-efef-78888-769e-d4543567",
"tenant": "fb245196-9867-4a04-rtf-4556ad3ddff6"
}

2. Autoscaler feature, only if you need the feature, aks-preview must be installed:
   az extension add --name aks-preview
   Help: https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

3. create a resource group:
   az group create --name MyResourceGrp --location westeurope

4. create the AKS cluster:

az aks create
--resource-group MyResourceGrp
--name MyClusterName
-s Standard_B2s
--node-count 1
--generate-ssh-keys
--service-principal 4567876c-47d4-438b-8341-67g1a3d12rae
--client-secret xzzg445667-efef-78888-769e-d4543567
--enable-vmss
--enable-cluster-autoscaler
--min-count 1
--max-count 2

[dr0pdb]

Facing the same issue here. The workaround mentioned by @jjgriff93 and @marchanddesable worked for me. Thanks!

[GLink]

Seems there are two issues. This issue: #https://github.com/MicrosoftDocs/azure-docs/issues/32883 which was closed when referenced to here is actually the issue I experience, i.e setting up the aad integration for users in another tenant.

az aks create
....
--aad-client-app-id $aadClientAppId This is the client id not found, but definitely exists --aad-server-app-id $aadServerAppId
--aad-server-app-secret $aadServerAppSecret --aad-tenant-id $env:aadTenantId

If not same cause should be a separate issue.

[bitsofinfo]

experiencing same @GLink worked back in early may, and no more...