azure-cli: `az aks create --enable-managed-identity --vnet-subnet-id` failing

Describe the bug

When creating an AKS cluster with Managed Identity and providing a Subnet Id, it fails with the error message below.

Command Name az aks create

Errors:

'NoneType' object has no attribute 'client_id'
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 215, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 625, in execute
    raise ex
cli/core/commands/__init__.py, ln 689, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
cli/core/commands/__init__.py, ln 682, in _run_job
    six.reraise(*sys.exc_info())
...
cli/core/commands/__init__.py, ln 324, in __call__
    return self.handler(*args, **kwargs)
azure/cli/core/__init__.py, ln 531, in default_command_handler
    return op(**command_args)
cli/command_modules/acs/custom.py, ln 1750, in aks_create
    service_principal_profile.client_id, scope=scope):
AttributeError: 'NoneType' object has no attribute 'client_id'

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here…
  • az aks create -l {} -n {} -g {} --no-ssh-key -k {} -s {} -c {} --enable-managed-identity --vnet-subnet-id {}

Expected Behavior

Environment Summary

Linux-4.19.84-microsoft-standard-x86_64-with-debian-buster-sid
Python 3.6.5
Installer: DEB

azure-cli 2.3.1

Extensions:
azure-firewall 0.3.0

Additional Context

FYI: without the --vnet-subnet-id parameter it’s working fine.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21 (14 by maintainers)

Most upvoted comments

Yep @jrudley, that’s the point, Managed Identity with AKS is now GA, it should work even if the aks-preview extension is not installed 😉

This bug was fixed in https://github.com/Azure/azure-cli/pull/13543 and will be available in the next Azure CLI release.

Just to make sure here, the issue is when not using the aks-preview extension. Tested multiple times by multiple people.

The error message comes from this line https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/acs/custom.py#L1772 because a few lines before there is this `service_principal_profile = None`, which differs from what the code in the aks-preview extension has: https://github.com/norshtein/azure-cli-extensions/blob/master/src/aks-preview/azext_aks_preview/custom.py#L820.

I actually found out a workaround by using this parameter while running the AKS cluster creation command: --skip-subnet-role-assignment. And then assigned myself the associated/skipped role assignment to the AKS’s Managed Identity (like described in this comment: https://github.com/Azure/azure-cli/issues/12864#issuecomment-618045651).

I actually found out a workaround by using this parameter while running the AKS cluster creation command: --skip-subnet-role-assignment. And then assigned myself the associated/skipped role assignment to the AKS’s Managed Identity (like described in this comment: #12864 (comment)).

Thanks @mathieu-benoit, this workaround works perfectly and saved my day.
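
The manual half of the `--skip-subnet-role-assignment` workaround described in the comments above, as an added example that is not code from the issue thread or from azure-cli. It assumes the skipped role is Network Contributor on the subnet; the function names and the resource names in the usage comment are hypothetical.

```shell
# Added example: grant the cluster's managed identity the subnet role that
# was skipped at creation time. ROLE is an assumption, see the lead-in.
ROLE="Network Contributor"

# Accept only an ID that ends in .../subnets/<name>, so the role is never
# granted at a wider scope (VNet, resource group, subscription) by mistake.
is_subnet_id() {
  case "$1" in
    */subnets/*/*) return 1 ;;   # nothing may follow the subnet name
    /subscriptions/*/resource[Gg]roups/*/providers/Microsoft.Network/virtualNetworks/*/subnets/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Object ID of the cluster's managed identity. It only exists once the
# cluster has been created, which is why the assignment happens afterwards.
cluster_principal_id() {  # args: resource-group cluster-name
  az aks show -g "$1" -n "$2" --query identity.principalId -o tsv
}

# Assign the role on the subnet only, and only if it is not already there.
grant_subnet_role() {  # args: resource-group cluster-name subnet-id
  local rg=$1 name=$2 subnet=$3 pid existing
  is_subnet_id "$subnet" || { echo "not a subnet resource ID: $subnet" >&2; return 2; }
  pid=$(cluster_principal_id "$rg" "$name") || return 3
  [ -n "$pid" ] || { echo "cluster has no managed identity" >&2; return 3; }
  existing=$(az role assignment list --assignee "$pid" --scope "$subnet" \
               --role "$ROLE" --query "length(@)" -o tsv) || return 4
  if [ "$existing" = "0" ]; then
    az role assignment create --assignee "$pid" --role "$ROLE" \
      --scope "$subnet" >/dev/null || return 5
    echo "assigned $pid"
  else
    echo "already-assigned $pid"
  fi
}

# Usage (placeholder names), after the cluster exists:
#   az aks create ... --enable-managed-identity \
#     --vnet-subnet-id "$SUBNET_ID" --skip-subnet-role-assignment
#   grant_subnet_role my-rg my-cluster "$SUBNET_ID"
```
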

Works for me on 2.3.1. The full command line is:

az aks create -k 1.17.3 --enable-managed-identity --load-balancer-sku Standard --network-plugin kubenet -c 2 -s Standard_B4ms --nodepool-name base -g k8s --network-policy calico -n playground2 --vnet-subnet-id /subscriptions/subID/resourceGroups/k8s/providers/Microsoft.Network/virtualNetworks/aksvnet/subnets/vnet111 --network-policy calico --aks-custom-headers CustomizedUbuntu=aks-ubuntu-1804 --enable-aad