Solved: azure docs RBAC failing on AKS

I walked through the steps here (https://docs.microsoft.com/en-us/azure/aks/aad-integration) and everything works except when I use the logged-in credentials (after the step of using the admin account to create the cluster role binding). After successfully logging in, I get an error "You must be logged in to the server (Unauthorized)". In my kube config, I see that an access token was retrieved and the token looks correct. Any help would be appreciated.

35 Answers

✔️ Accepted Answer

I found that:

"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true

Was enough in my case. Thank you very much

Other Answers:

I was able to fix this issue with Azure AD v2 application by setting the following in the client manifest:

"allowPublicClient": true,
"oauth2AllowIdTokenImplicitFlow": true,
"signInAudience": "AzureADMultipleOrgs",
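The two answers above change the same handful of client-app manifest settings. The following is an added example (not code from the issue or from Microsoft) that lints a manifest exported from the portal and reports which of those settings are still missing or wrong; the manifest text, appId placeholder and function name are constructed for the example.

```python
import json

# Settings the accepted answer changed in the client app manifest.
REQUIRED_V1 = {
    "allowPublicClient": True,
    "oauth2AllowIdTokenImplicitFlow": True,
}
# The second answer additionally set signInAudience for an Azure AD v2 application.
REQUIRED_V2 = {**REQUIRED_V1, "signInAudience": "AzureADMultipleOrgs"}


def check_client_manifest(manifest, v2_app=False):
    """Return {setting: (expected, actual)} for each setting that is absent or
    differs from the values the answers used; an empty dict means nothing to change.

    `manifest` is the JSON text or parsed dict of the client app's manifest
    (Azure portal -> App registrations -> Manifest).
    """
    if isinstance(manifest, str):
        manifest = json.loads(manifest)
    expected = REQUIRED_V2 if v2_app else REQUIRED_V1
    findings = {}
    for key, want in expected.items():
        have = manifest.get(key)  # None when the key is not in the manifest at all
        if have != want:
            findings[key] = (want, have)
    return findings


# Constructed sample: a freshly registered client app before the fix
# (the appId is a placeholder, not a real application id).
SAMPLE_MANIFEST = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "allowPublicClient": false,
  "oauth2AllowIdTokenImplicitFlow": false,
  "signInAudience": "AzureADMyOrg"
}"""

if __name__ == "__main__":
    for key, (want, have) in check_client_manifest(SAMPLE_MANIFEST, v2_app=True).items():
        print(f'set "{key}": {json.dumps(want)} (currently {json.dumps(have)})')
```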

I have followed the doc https://docs.microsoft.com/en-us/azure/aks/aad-integration and was able to perform the checks as in the doc.

The issue is that when I try to interact with my cluster from an Ubuntu client, it prompts me to log on to https://microsoft.com/devicelogin using a code and succeeds in the web page, but in the CLI I am seeing the OAuth failure; not sure what is wrong.

Sharing the error info below; any help is much appreciated!

raja@raja-VirtualBox:~$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BEA87VG84 to authenticate.
E1011 11:53:17.299643 11769 azure.go:126] Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code B7YRLNFZ9 to authenticate.

@dstrebel Thanks for the help everyone. I was able to get groups and users logged in. I missed the Grant Permission button after adding the required permissions to my application.