[AKS] Service principal overrides enable-managed-identity #7012

Open
helayoty opened this issue Nov 20, 2023 · 5 comments
Labels
AKS Auto-Assign Auto assign by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. Service Attention This issue is responsible by Azure service team.

Comments

@helayoty
Contributor

Describe the bug

CLI should prevent --service-principal and --enable-managed-identity from being used together in a single command.

Related command

az aks create

Errors

The current behavior will not return any error, but the service principal will be used, and the managed identity option will be ignored, which is confusing.

Issue script & Debug output

NA

Expected behavior

Expected behavior: "You can't set both service-principal and managed-identity"

Environment Summary

"azure-cli": "2.53.1",
"azure-cli-core": "2.53.1",
"azure-cli-telemetry": "1.1.0",
"extensions": {
  "account": "0.2.5",
  "aks-preview": "0.5.168",
  "application-insights": "0.1.16",
  "azure-devops": "0.26.0",
  "front-door": "1.0.17",
  "ssh": "2.0.2"
}

Additional context

No response

@helayoty helayoty added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 20, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added AKS Service Attention This issue is responsible by Azure service team. Auto-Assign Auto assign by bot labels Nov 20, 2023
@yonzhan
Collaborator

yonzhan commented Nov 20, 2023

Thank you for opening this issue, we will look into it.

@matthchr
Member

cc @FumingZhang - this might be an easy fix, not sure?

@FumingZhang
Member

Actually, the fix would be a breaking change. In az aks create, the default value of option --enable-managed-identity is True, which means that regardless of whether the user specifies this option, the cluster to be created will use msi, unless the user additionally specifies --service-principal and --client-secret; in this case, the code will backfill the value of --enable-managed-identity to False. From a behavioral point of view, when these three options are specified at the same time, the value of --enable-managed-identity is ignored.

Although setting the default value of an --enable-xxx option to True may seem bizarre, this behavior existed before I started refactoring the cli code about 3 years ago.

Fix in PR #27887. May have to wait until the next breaking change window (MS Build 24, around June) to merge this change.
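Added example (not azure-cli's code and not written by anyone in this thread): a minimal argparse model of the option handling described above, showing why a default of True makes an explicit --enable-managed-identity undetectable and how a default of False allows the conflict to be rejected. The function names, the parser, and the treatment of --service-principal plus --client-secret as a pair are assumptions for illustration.

```python
import argparse


class MutuallyExclusiveError(ValueError):
    """Raised when both identity modes are requested explicitly."""


def build_parser(msi_default):
    # Constructed stand-in for the three `az aks create` options named in the thread.
    p = argparse.ArgumentParser(prog="aks-create-model")
    p.add_argument("--enable-managed-identity", action="store_true",
                   default=msi_default)
    p.add_argument("--service-principal")
    p.add_argument("--client-secret")
    return p


def resolve_legacy(argv):
    """Default True: a typed flag and an omitted flag both parse to True."""
    ns = build_parser(msi_default=True).parse_args(argv)
    if ns.service_principal and ns.client_secret:
        # Backfill described in the thread: the flag's value is silently dropped.
        ns.enable_managed_identity = False
    return "managed-identity" if ns.enable_managed_identity else "service-principal"


def resolve_strict(argv):
    """Default False: True can only mean the user typed the flag."""
    ns = build_parser(msi_default=False).parse_args(argv)
    has_sp = bool(ns.service_principal and ns.client_secret)
    if ns.enable_managed_identity and has_sp:
        raise MutuallyExclusiveError(
            "You can't set both service-principal and managed-identity")
    # Without a service principal the cluster still gets a managed identity,
    # so the effective default behavior is unchanged.
    return "service-principal" if has_sp else "managed-identity"


if __name__ == "__main__":
    # Constructed sample arguments; the credential values are placeholders.
    both = ["--enable-managed-identity",
            "--service-principal", "sp-id-placeholder",
            "--client-secret", "secret-placeholder"]
    print("legacy:", resolve_legacy(both))
    try:
        resolve_strict(both)
    except MutuallyExclusiveError as exc:
        print("strict:", exc)
```

In the legacy model the conflicting command line resolves to the service principal without any error, which is the behavior the issue reports; the strict model raises instead of picking an identity type the caller may not have intended.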

@JoeyC-Dev

JoeyC-Dev commented May 17, 2024

@FumingZhang Thanks for the fix.
But the current description may be misleading: the default value is being changed to false, but true is mentioned here.
image
I understand that the default behavior won't change even if the default value is being set to false, but can we have a better description for this parameter? Or users may think "the default AKS may no longer be created with system-assigned managed identity since the default value is false".

@FumingZhang
Member

Thanks for pointing this out, fixing in #29036, #7661
