azure-cli: Getting "permission denied" during az aks get-credentials


Environment summary

Shell: PowerShell
Installed via MSI
az --version 2.0.20

Getting permission denied when running the az aks get-credentials command. PowerShell is being run as administrator.

PS C:\Users\admin> az aks get-credentials --resource-group Kubernetes-RG --name=Kubernetes-Cluster
[Errno 13] Permission denied: 'D:\\temp\\tmpl34_mzlt'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'D:\\temp\\tmpl34_mzlt'

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 32 (5 by maintainers)

Most upvoted comments

We have released the new update. It has version number 2.0.21. Get the new MSI at https://aka.ms/InstallAzureCliWindows.

We are releasing early next week.

+1 here on Windows too.

As a workaround, I used the command below to write the YAML to my kubectl config. Careful not to overwrite your existing configuration!

az aks get-credentials -g my-aks -n aks -f - > .kube\config

This is definitely a problematic issue. As a workaround, to access the dashboard:

kubectl port-forward kubernetes-dashboard-3427906134-xlrcg 9090 --namespace kube-system

(you might need to change the Pod name; get it using kubectl get all --namespace kube-system)

Then open http://localhost:9090/

+1 I get the same error running:

az aks get-credentials --name AksKubernetes --resource-group AksKubernetesResourceGroup

from a command-prompt run as an administrator.

Note:

I created an ACS\K8s cluster with az acs a few days ago and

az acs get-credentials --name AcsKubernetes --resource-group AcsKubernetesResourceGroup

worked as expected. I’m blocked.

Shell: Command-Prompt (run as administrator)
Azure CLI installed via MSI
az --version 2.0.20

Same here (works fine in WSL/Ubuntu, error only manifests itself with the Windows version of the CLI). I have full access to the Temp dir. I deactivated “Controlled Folder Access” to no avail.

C:\Users\rafb> az aks get-credentials --resource-group myK8Group --name myCluster
[Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
    reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1288, in aks_get_credentials
    merge_kubernetes_configurations(path, additional_file.name)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 829, in merge_kubernetes_configurations
    with open(addition_file) as stream:
PermissionError: [Errno 13] Permission denied: 'C:\\Users\\rafb\\AppData\\Local\\Temp\\tmpn4goit44'

PS C:\Users\rafb> az --version
azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\rafb\.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal
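Both tracebacks above end in `open(addition_file)` on a path taken from `additional_file.name`. Assuming that object is a `tempfile.NamedTemporaryFile` (the page does not show its creation), Python documents that such a file cannot be opened a second time by name on Windows while the first handle is still open, which matches the reports that the command works under WSL/Ubuntu. The sketch below is an added example, not azure-cli code: the function names and the sample kubeconfig text are constructed, and the second function is one portable way to stage a credential file, not necessarily the fix shipped in 2.0.21.

```python
import os
import tempfile

# Constructed sample standing in for the kubeconfig text returned by the service.
SAMPLE_KUBECONFIG = "apiVersion: v1\nkind: Config\nclusters: []\n"


def reopen_while_open(text):
    """Reopen a NamedTemporaryFile by name while its first handle is open.

    Works on POSIX. On Windows the second open() raises PermissionError,
    the same error class shown in the tracebacks.
    """
    with tempfile.NamedTemporaryFile(mode="w+t") as tmp:
        tmp.write(text)
        tmp.flush()
        try:
            with open(tmp.name) as stream:
                return stream.read()
        except PermissionError as exc:
            return "PermissionError: %s" % exc


def reopen_after_close(text):
    """Portable variant: close the first handle before reopening by name.

    mkstemp creates the file readable and writable only by the creating
    user on POSIX, which suits a file holding cluster credentials. The
    file is removed even if reading fails.
    """
    fd, path = tempfile.mkstemp(suffix=".kubeconfig")
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.write(text)
        # No other handle is open now, so this succeeds on Windows too.
        with open(path) as stream:
            return stream.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("reopen while open :", reopen_while_open(SAMPLE_KUBECONFIG)[:40])
    print("reopen after close:", reopen_after_close(SAMPLE_KUBECONFIG)[:40])
```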

The following workaround worked for me: Use ‘-f=-’ to redirect to STDOUT, then redirect output to a file using ‘>kube.config’

Example: az aks get-credentials -g=resourcegroupname -n=clustername -f=- >kube.config

Here is the workaround on Windows if you don’t have any clusters configured yet:

$path = "$env:USERPROFILE\.kube\config"
az aks get-credentials --resource-group=CloudServices --name=CloudServicesKubernetesCluster --file - > $path
(Get-Content $path -Raw).Replace("`r`n","`n") | Set-Content $path -Force

Please note that it will replace the existing kubectl configuration.

Workaround for anybody having the same issue.

  1. Go to Azure Bash cloudshell and execute your command az aks get-credentials -g Kubernetes-RG -n Kubernetes-Cluster
  2. Copy resulting config file to cloud drive cp .kube/config /usr/<your username>/clouddrive/config
  3. Go in Azure portal to your cloudshell storage account and go to Files and find your file share, download it and save it as .kube\config

With these steps it works for me on Windows desktop. Browse is still broken, though.

I managed to run the command under sudo in WSL and then copy the ~/.kube/config out to my Windows filesystem e.g. c:\Users\foo\.kube\config to get the kubectl working in PowerShell.

However, az aks browse still fails with permissions problems, and I can’t get the Kubernetes dashboard working in AKS via any other means.

This is a big blocker. Given that AKS is a high-profile new service, I expect a lot of people will be hitting this. These commands are literally in the Azure docs quick start guide for AKS.