Azure / kubelogin

A Kubernetes credential (exec) plugin implementing azure authentication

Home Page: https://azure.github.io/kubelogin/


weird authorization error when authenticating via service principal

DavidHe1127 opened this issue · comments

I was following this guide to authenticate against my cluster via a service principal. So what I did was:

  • Firstly register an app in EntraID
  • Grant the app some permissions via RBAC

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ado-svc-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # deployments live in the "apps" API group, not the core ("") group
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ado-svc-role-binding
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <app_object_id>
roleRef:
  kind: ClusterRole
  name: ado-svc-role
  apiGroup: rbac.authorization.k8s.io
```

  • Auth and verification

```sh
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<app-client-id>
# the client secret value itself, the same value passed to -p below
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<app-client-secret>

az login --service-principal -u <app-client-id> -p <app-client-secret> --tenant <tenant-id>

az aks get-credentials --subscription <subscription-id> --resource-group <resource-group-name> --name <cluster-name> --file ./custom-kubeconfig

export KUBECONFIG=$(pwd)/custom-kubeconfig

kubelogin --kubeconfig "${KUBECONFIG}" convert-kubeconfig -l spn --client-id ${AAD_SERVICE_PRINCIPAL_CLIENT_ID} --client-secret ${AAD_SERVICE_PRINCIPAL_CLIENT_SECRET} \
    --tenant-id <tenant-id>

kubectl get nodes
```

Expected Result

Command returns nodes information.

Actual Result

The `kubectl get nodes` command returns the error below:

Error from server (Forbidden): nodes is forbidden: User "xxxx" cannot list resource "nodes" in API group "" at the cluster scope

Comments

The user xxxx cannot be linked in any way to the app I've used to log in - the UUID of the user (masked by xxxx) is unknown to me.

The UUID of the user, masked by xxx, is the object ID of the service principal.
You can verify that with `az ad sp show --id xxxx`.

@weinong Thanks for getting back. That command returns a different object id than that of my app on EntraID. Any idea why?

However, it still throws the same error even after I set the subject name to the one returned from the CLI. Not sure if I've done anything wrong?

First of all, your cluster role doesn't have permission to list nodes. This is the reason you got Forbidden.

In your cluster role binding, `<app_object_id>` should match the object ID on the portal.

@weinong sorry, a copy & paste mistake - I'd have used `kubectl get pods -n main --kubeconfig ${KUBECONFIG}`. However, this command gives me the exact same auth error.

I can also confirm the role points to the object_id of my service principal, even though it's different from the one shown in the error message.

Closing it as I've mistaken the application object ID for the service principal object ID. They are fundamentally different.
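The thread converged on two separate causes for the same Forbidden message: the binding's subject was the application object ID while the API server reports the service principal object ID as the user, and the ClusterRole never granted `nodes` at all. Both can be checked offline against the manifests and the error text. The block below is an added example, not code from kubelogin or from anyone in this thread; the two object IDs, the dict form of the manifests and the Forbidden messages are constructed to mirror the thread, and `parse_forbidden`, `rule_allows`, `diagnose` and `with_subject` are hypothetical helper names.

```python
import re

# Constructed stand-ins for the two IDs the thread masks as "xxxx".
APP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # az ad app show --id <client-id> --query id
SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"   # az ad sp show  --id <client-id> --query id

# The thread's manifests as plain dicts, so no YAML library is needed.
CLUSTER_ROLE = {
    "metadata": {"name": "ado-svc-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
# The binding as posted: its subject is the *application* object ID.
BINDING_AS_POSTED = {
    "metadata": {"name": "ado-svc-role-binding"},
    "subjects": [{"kind": "User", "name": APP_OBJECT_ID}],
    "roleRef": {"kind": "ClusterRole", "name": "ado-svc-role"},
}

# Constructed API-server responses; the server names the SP object ID as the user.
NODES_ERROR = ('Error from server (Forbidden): nodes is forbidden: User "%s" cannot list '
               'resource "nodes" in API group "" at the cluster scope' % SP_OBJECT_ID)
PODS_ERROR = ('Error from server (Forbidden): pods is forbidden: User "%s" cannot list '
              'resource "pods" in API group "" in the namespace "main"' % SP_OBJECT_ID)

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"')


def parse_forbidden(message):
    """Pull user, verb, resource and API group out of a kubectl Forbidden error."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        raise ValueError("not a recognised Forbidden message: %r" % message)
    return m.groupdict()


def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule covers the (group, resource, verb) triple; '*' is a wildcard."""
    def covers(values, wanted):
        return wanted in values or "*" in values
    return (covers(rule.get("apiGroups", []), group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb))


def diagnose(message, role, binding, sp_object_id=SP_OBJECT_ID, app_object_id=APP_OBJECT_ID):
    """Return the reasons (possibly several) why the request in `message` was refused."""
    req = parse_forbidden(message)
    findings = []
    users = {s["name"] for s in binding["subjects"] if s["kind"] == "User"}
    if req["user"] not in users:
        why = "binding subject %s does not match the user the API server saw (%s)" % (
            sorted(users), req["user"])
        if req["user"] == sp_object_id and app_object_id in users:
            why += ("; the subject is the application object ID, "
                    "the user is the service principal object ID")
        findings.append(why)
    if not any(rule_allows(r, req["group"], req["resource"], req["verb"]) for r in role["rules"]):
        findings.append("role %s has no rule granting %s on %s in API group %r" % (
            role["metadata"]["name"], req["verb"], req["resource"], req["group"]))
    return findings


def with_subject(binding, name):
    """Copy of `binding` whose only User subject is `name` (the fix from the end of the thread)."""
    fixed = dict(binding)
    fixed["subjects"] = [{"kind": "User", "name": name}]
    return fixed


if __name__ == "__main__":
    fixed = with_subject(BINDING_AS_POSTED, SP_OBJECT_ID)
    for label, msg in (("nodes", NODES_ERROR), ("pods", PODS_ERROR)):
        print(label, "as posted:", diagnose(msg, CLUSTER_ROLE, BINDING_AS_POSTED))
        print(label, "subject fixed:", diagnose(msg, CLUSTER_ROLE, fixed))
```

Against the real cluster the two IDs come from `az ad app show --id <client-id> --query id -o tsv` (application object) and `az ad sp show --id <client-id> --query id -o tsv` (service principal object); only the second one appears as the `User` in the Forbidden message and is the value that belongs in the binding's `subjects`. With the subject corrected, the `pods` request in namespace `main` produces no findings, while the `nodes` request still fails for the second reason alone: the role has no rule for `nodes`.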