azure-cli: AKS arm template deployment failing with "Required parameter servicePrincipalProfile is missing (null)" when no servicePrincipalProfile is provided

Describe the bug

When deploying an AKS cluster using ARM templates, if no servicePrincipalProfile is specified a validation exception happens preventing the deployment. According to the documentation, the “servicePrincipalProfile” is an optional field.

This is either an ARM bug or a documentation bug.

Command Name az group deployment create

Errors:

Azure Error: InvalidTemplateDeployment
Message: The template deployment 'aks' is not valid according to the validation procedure. The tracking id is 'a7dd8808-1302-4c87-a531-6d27b54cdb7e'. See inner errors for details.
Exception Details:
        Error Code: InvalidParameter
        Message: Provisioning of resource(s) for container service tahoma-dev-dalbe1-aks in resource group tahoma-dev-dalbe1-rg failed. Message: {
  "code": "InvalidParameter",
  "message": "Required parameter servicePrincipalProfile is missing (null).",
  "target": "servicePrincipalProfile"
 }. Details:

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here…
  • az group deployment create --resource-group {} --template-file {} --parameters {} --parameters {}

Expected Behavior

According to the documentation, deploying a template without this value should succeed.

Environment Summary

Linux-4.4.0-18362-Microsoft-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.81

Additional Context

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (4 by maintainers)

Most upvoted comments

[cc: @KaiWalter, @Diastro]

Please see the template below to deploy with MSI:

"resources": [
        {
            "apiVersion": "2020-03-01",
            "dependsOn": [],
            "type": "Microsoft.ContainerService/managedClusters",
            "location": "[parameters('location')]",
            "name": "[parameters('resourceName')]",
            "properties": {
                "kubernetesVersion": "[parameters('kubernetesVersion')]",
                "enableRBAC": "[parameters('enableRBAC')]",
                "dnsPrefix": "[parameters('dnsPrefix')]",
                "agentPoolProfiles": [
                    {
                        "name": "agentpool",
                        "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
                        "count": 3,
                        "vmSize": "Standard_DS2_v2",
                        "osType": "Linux",
                        "storageProfile": "ManagedDisks",
                        "type": "VirtualMachineScaleSets",
                        "mode": "System"
                    }
                ],
                "networkProfile": {
                    "loadBalancerSku": "standard",
                    "networkPlugin": "[parameters('networkPlugin')]"
                },
                "apiServerAccessProfile": {
                    "enablePrivateCluster": "[parameters('enablePrivateCluster')]"
                },
                "addonProfiles": {
                    "httpApplicationRouting": {
                        "enabled": "[parameters('enableHttpApplicationRouting')]"
                    },
                    "omsagent": {
                        "enabled": "[parameters('enableOmsAgent')]",
                        "config": {
                            "logAnalyticsWorkspaceResourceID": "[parameters('omsWorkspaceId')]"
                        }
                    }
                }
            },
            "tags": {},
            "identity": {
                "type": "SystemAssigned"
            }
        }
]

For MSI, you need to use the identity tag. I was able to get help from the AKS team internally for this. They also suggested exporting the ARM template from Portal before deploying for these properties.

This might be a common use case, would be great if it got documented.

It’s not a required parameter according to https://github.com/Azure/azure-rest-api-specs/blob/master/specification/containerservice/resource-manager/Microsoft.ContainerService/stable/2020-01-01/managedClusters.json. If you use az aks create, servicePrincipalProfile will be assembled in the request body, no matter whether you specify it or not. Add service attention to consult AKS people.
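
The error in the issue and the MSI template posted in the comments suggest a pre-deployment check: each Microsoft.ContainerService/managedClusters resource should declare either an identity block or a servicePrincipalProfile. The script below is an added example, not code from this thread or from azure-cli. Its function names and sample template (including the parameter name spClientId) are constructed, and treating a cluster with neither source as the failing case is an assumption based on the error reported above.

```python
import json

AKS_TYPE = "microsoft.containerservice/managedclusters"

def iter_resources(resources):
    """Yield every resource, descending into child resources and nested deployments."""
    if isinstance(resources, dict):        # symbolic-name templates use a map
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template") or {}
        yield from iter_resources(nested.get("resources"))

def credential_sources(resource):
    """List which credential sources an AKS cluster resource declares."""
    sources = []
    identity_type = str((resource.get("identity") or {}).get("type", ""))
    if identity_type and identity_type.lower() != "none":
        sources.append("identity")
    if (resource.get("properties") or {}).get("servicePrincipalProfile"):
        sources.append("servicePrincipalProfile")
    return sources

def audit_template(template):
    """Map each AKS cluster name to the credential sources it declares."""
    return {
        res.get("name", "<unnamed>"): credential_sources(res)
        for res in iter_resources(template.get("resources"))
        if str(res.get("type", "")).lower() == AKS_TYPE
    }

# Constructed sample template (not taken from the issue).
SAMPLE = json.loads("""{"resources": [
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-msi",
   "identity": {"type": "SystemAssigned"}, "properties": {"dnsPrefix": "a"}},
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-bare",
   "properties": {"dnsPrefix": "b"}},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-sp",
      "properties": {"servicePrincipalProfile":
                     {"clientId": "[parameters('spClientId')]"}}}]}}}
]}""")

if __name__ == "__main__":
    for name, sources in audit_template(SAMPLE).items():
        print(f"{name}: {', '.join(sources) or 'NONE (no identity, no servicePrincipalProfile)'}")
```
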