无法使用 ARM 模板创建具有托管标识的 Azure AKS 容器服务
Unable to create Azure AKS Container Service with Managed Identity using ARM template
我正在尝试使用 ARM 模板创建具有托管标识的 AKS 容器服务实例。
如果我使用 az CLI 没有问题:
az aks create -g "sa-rg" -n "aks-cluster" --enable-managed-identity
但是我无法使用 ARM 模板获得相同的结果。
让我们考虑以下基本 ARM 模板
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"`": null,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi",
"secret": null
},
"identity": {
"type": "SystemAssigned"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
根据 https://github.com/Azure/azure-cli/issues/12219#issuecomment-636143374,要使用托管身份 (MSI) 创建,只需要“身份”对象,而不是“servicePrincipalProfile”。但是,如果我这样做,我会得到以下异常:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The
template deployment is not valid according to the
validation procedure. The tracking id is
'5a6c6444-c74b-4709-888e-bef816d05ca9'. See inner errors for
details.","details":[{"code":"InvalidParameter","message":"Provisioning
of resource(s) for container service aks-cluster in resource group
sa-rg failed. Message: {\n "code": "InvalidParameter",\n
"message": "Required parameter servicePrincipalProfile is missing
(null).",\n "target": "servicePrincipalProfile"\n }. Details:
"}]}}
但是,如果我插入“servicePrincipalProfile”(如上所示),我得到:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The
template deployment is not valid according to the
validation procedure. The tracking id is
'536bca0b-33b8-45f8-8407-edba873d3657'. See inner errors for
details.","details":[{"code":"InvalidParameter","message":"Provisioning
of resource(s) for container service aks-cluster in resource group
sa-rg failed. Message: {\n "code": "InvalidParameter",\n
"message": "The value of parameter servicePrincipalProfile.secret
is invalid. Please see https://aka.ms/aks-naming-rules for more
details.",\n "target": "servicePrincipalProfile.secret"\n }.
Details: "}]}}
我试过了
"servicePrincipalProfile": {
"clientId": "msi"
"secret": null
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
"secret": ""
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
"secret": "dummy"
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
},
"identity": {
"type": "SystemAssigned"
},
同样的 4 删除了“identity”,但我总是得到 The value of parameter servicePrincipalProfile.secret is invalid
创建容器服务的ARM模板是什么?
servicePrincipalProfile 仅在您在 ARM 模板之外提供服务委托人并且需要将其属性传递到模板中时使用。在我的部署中,我将其设置为一个空对象,尽管它可能会被完全省略,因为 documentation 表示它不是必需的 属性.
"servicePrincipalProfile": {},
"identity": {
"type": "SystemAssigned"
},
虽然我的经验中没有记录,但您也可以省略身份 属性,它将默认为 SystemAssigned。
几件事:
identity 属性 应该在资源的根目录,- 您只需在
servicePrincipalProfile 属性 中指定 clientId: "msi"。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
我正在使用模板部署 AKS,模板如下所示。
{
"name": "[parameters('Your-aks-name')]",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-07-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "Basic",
"tier": "Free"
},
"properties": {
"kubernetesVersion": "1.20.7",
"addonProfiles": { ..... },
"enableRBAC": "[parameters('aks_enableRBAC')]",
"dnsPrefix": "[variables('aks-dns-prefix')]",
"agentPoolProfiles": [
{ .... }
],
"servicePrincipalProfile": {
"ClientId": "[parameters('servicePrincipalClientId')]",
"Secret": "[parameters('servicePrincipalClientSecret')]"
},
}
}
因此,正如您在此处看到的,需要 ClientId 和 Secret。
当我 运行 时,出现以下错误。
The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.
于是我就这样解决了
首先树立服务原则。详细给出了here。
az ad sp create-for-rbac --skip-assignment --name vivek-globoticket-askcluster-sp
记下应用程序 ID 和密码。
az ad sp show --id 67def144-ded3-4fe9-a2f1-cdec6689cd2e # use your app id here.
此外,创建后,您可以在 Azure 门户中看到它们,如下所示。
搜索并进入 Azure Active Directory blade。
单击应用程序注册,然后单击所有应用程序或拥有的应用程序。
如果您忘记记下密码,那么您必须删除sp,然后重新创建。
az ad sp delete --id a76ef144-dee3-4fe9-12f1-cdecn689cd2e # use your app id here.
因此,对于模板中的 servicePrincipalProfile,请执行此操作。对于客户端 ID,请使用 AppId,对于机密,请使用密码。
现在尝试创建您的 ak,看看会发生什么。
我正在尝试使用 ARM 模板创建具有托管标识的 AKS 容器服务实例。 如果我使用 az CLI 没有问题:
az aks create -g "sa-rg" -n "aks-cluster" --enable-managed-identity
但是我无法使用 ARM 模板获得相同的结果。
让我们考虑以下基本 ARM 模板
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"`": null,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi",
"secret": null
},
"identity": {
"type": "SystemAssigned"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
根据 https://github.com/Azure/azure-cli/issues/12219#issuecomment-636143374,要使用托管身份 (MSI) 创建,只需要“身份”对象,而不是“servicePrincipalProfile”。但是,如果我这样做,我会得到以下异常:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '5a6c6444-c74b-4709-888e-bef816d05ca9'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "Required parameter servicePrincipalProfile is missing (null).",\n "target": "servicePrincipalProfile"\n }. Details: "}]}}
但是,如果我插入“servicePrincipalProfile”(如上所示),我得到:
ERROR: {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment is not valid according to the validation procedure. The tracking id is '536bca0b-33b8-45f8-8407-edba873d3657'. See inner errors for details.","details":[{"code":"InvalidParameter","message":"Provisioning of resource(s) for container service aks-cluster in resource group sa-rg failed. Message: {\n "code": "InvalidParameter",\n "message": "The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.",\n "target": "servicePrincipalProfile.secret"\n }. Details: "}]}}
我试过了
"servicePrincipalProfile": {
"clientId": "msi"
"secret": null
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
"secret": ""
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
"secret": "dummy"
},
"identity": {
"type": "SystemAssigned"
},
"servicePrincipalProfile": {
"clientId": "msi"
},
"identity": {
"type": "SystemAssigned"
},
同样的 4 删除了“identity”,但我总是得到 The value of parameter servicePrincipalProfile.secret is invalid
创建容器服务的ARM模板是什么?
servicePrincipalProfile 仅在您在 ARM 模板之外提供服务委托人并且需要将其属性传递到模板中时使用。在我的部署中,我将其设置为一个空对象,尽管它可能会被完全省略,因为 documentation 表示它不是必需的 属性.
"servicePrincipalProfile": {},
"identity": {
"type": "SystemAssigned"
},
虽然我的经验中没有记录,但您也可以省略身份 属性,它将默认为 SystemAssigned。
几件事:
identity属性 应该在资源的根目录,- 您只需在
servicePrincipalProfile属性 中指定clientId: "msi"。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2021-03-01",
"dependsOn": [],
"location": "australiaeast",
"name": "aks-cluster",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"agentPoolProfiles": [
{
"name": "agentpool",
"count": 1,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"mode": "System"
}
],
"dnsPrefix": "aks-cluster-dns",
"servicePrincipalProfile": {
"clientId": "msi"
},
"enableRBAC": true
},
"type": "Microsoft.ContainerService/managedClusters"
}
]
}
我正在使用模板部署 AKS,模板如下所示。
{
"name": "[parameters('Your-aks-name')]",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-07-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "Basic",
"tier": "Free"
},
"properties": {
"kubernetesVersion": "1.20.7",
"addonProfiles": { ..... },
"enableRBAC": "[parameters('aks_enableRBAC')]",
"dnsPrefix": "[variables('aks-dns-prefix')]",
"agentPoolProfiles": [
{ .... }
],
"servicePrincipalProfile": {
"ClientId": "[parameters('servicePrincipalClientId')]",
"Secret": "[parameters('servicePrincipalClientSecret')]"
},
}
}
因此,正如您在此处看到的,需要 ClientId 和 Secret。
当我 运行 时,出现以下错误。
The value of parameter servicePrincipalProfile.secret is invalid. Please see https://aka.ms/aks-naming-rules for more details.
于是我就这样解决了
首先树立服务原则。详细给出了here。
az ad sp create-for-rbac --skip-assignment --name vivek-globoticket-askcluster-sp
记下应用程序 ID 和密码。
az ad sp show --id 67def144-ded3-4fe9-a2f1-cdec6689cd2e # use your app id here.
此外,创建后,您可以在 Azure 门户中看到它们,如下所示。 搜索并进入 Azure Active Directory blade。 单击应用程序注册,然后单击所有应用程序或拥有的应用程序。
如果您忘记记下密码,那么您必须删除sp,然后重新创建。
az ad sp delete --id a76ef144-dee3-4fe9-12f1-cdecn689cd2e # use your app id here.
因此,对于模板中的 servicePrincipalProfile,请执行此操作。对于客户端 ID,请使用 AppId,对于机密,请使用密码。
现在尝试创建您的 ak,看看会发生什么。