Private AKS - Provisioning -This subnet does not have the necessary role assignment for this cluster and you do not have the necessary permissions to perform the "Microsoft.Authorization/roleAssignments/write" action to add one.

Ranjeet Singh 20 Reputation points
2024-12-11T19:02:29.28+00:00

Hi, I am trying to provision an AKS service that uses its own subnet for a private AKS setup. I have owner rights for the subscription, but I am still getting the errors below.

  • This subnet does not have the necessary role assignment for this cluster and you do not have the necessary permissions to perform the "Microsoft.Authorization/roleAssignments/write" action to add one. Choose another subnet or contact your subscription owner.
  • System-assigned managed identity not supported subnet with route table.

I thought owner rights on the subscription should resolve the above issue, but they didn't. Is there any specific setup in the subnet that we need to do to resolve it?

I am using the Azure CNI Overlay option in networking and then 'Bring your own Azure virtual network'.



Accepted answer
    Sina Salam 14,551 Reputation points
    2024-12-11T22:14:20.1033333+00:00

    Hello Ranjeet Singh,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Regarding your experience with private AKS provisioning: when setting up an Azure Kubernetes Service (AKS) cluster with a custom subnet, you have encountered challenges related to role assignments and subnet configurations. The steps below should help you resolve the errors and successfully set up your AKS cluster within the custom subnet.

    1. The error suggests that the AKS cluster's managed identity lacks the necessary permissions to access the subnet, even if you have owner rights on the subscription. This happens because the managed identity requires explicit role assignments. To fix this:

    You need to assign the Network Contributor role to the managed identity associated with your AKS cluster. This role grants the identity permissions to manage network-related resources, including subnets. Use the following Azure CLI commands to achieve this:

      # Retrieve the principal ID of the cluster's system-assigned managed identity
      AKS_MI_PRINCIPAL_ID=$(az aks show --resource-group <ResourceGroupName> --name <AKSClusterName> --query "identity.principalId" -o tsv)
      # Assign the Network Contributor role to the managed identity, scoped to the subnet only
      az role assignment create \
        --assignee "$AKS_MI_PRINCIPAL_ID" \
        --role "Network Contributor" \
        --scope "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/virtualNetworks/<VNetName>/subnets/<SubnetName>"

    This ensures that the managed identity has sufficient permissions to operate within the custom subnet.

    2. The second issue arises due to a route table associated with the subnet, which conflicts with the system-assigned managed identity used by AKS clusters. To address this, if the route table association is not critical for the subnet, you can remove it to resolve the error. This can be done through the Azure portal or programmatically using the Azure CLI:
      # Detach the route table from the subnet (the route table resource itself is not deleted)
      az network vnet subnet update \
        --resource-group <ResourceGroupName> \
        --vnet-name <VNetName> \
        --name <SubnetName> \
        --remove routeTable

    By removing the route table, the subnet becomes compatible with the AKS cluster’s system-assigned managed identity.

    3. Ensure that your networking configuration is optimized for Azure CNI Overlay if you are using it. This involves proper IP range management and alignment of subnet configurations to avoid overlapping or misconfigured addresses.

    Refer to the documentation below for more reading:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    2 people found this answer helpful.
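The two fixes in the accepted answer (grant Network Contributor on the subnet, and deal with the route table) are combined below into one preflight script. This is an added example, not code from the thread or from Microsoft: it builds the subnet resource ID, refuses to grant the role at any scope broader than the subnet, warns when the subnet carries a route table (the second error in the question), lists existing assignments before creating one so it is safe to re-run, and verifies the result. The input variable names (SUBSCRIPTION_ID, RESOURCE_GROUP, VNET_NAME, SUBNET_NAME, AKS_PRINCIPAL_ID) and the AKS_APPLY switch are assumptions of this script; AKS_PRINCIPAL_ID is the object ID of whichever managed identity the cluster will use, so the same grant works for an identity created ahead of the cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): preflight a bring-your-own
# subnet for AKS and grant the cluster identity "Network Contributor" on that
# subnet only (least privilege), skipping the grant when it already exists.
# Assumed inputs: SUBSCRIPTION_ID, RESOURCE_GROUP, VNET_NAME, SUBNET_NAME and
# AKS_PRINCIPAL_ID (object ID of the cluster's managed identity).
set -euo pipefail

# Build the ARM resource ID of a subnet from its parts.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Return 0 only for a subnet-level scope. Network Contributor at vnet,
# resource-group or subscription scope is broader than the cluster needs.
is_subnet_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*/subnets/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Warn when the subnet has a route table attached: the portal error quoted in
# the question says a system-assigned identity is not supported there.
# Arguments: resource group, vnet name, subnet name.
check_route_table() {
  local rt
  rt=$(az network vnet subnet show --resource-group "$1" --vnet-name "$2" \
         --name "$3" --query "routeTable.id" -o tsv)
  if [ -n "$rt" ]; then
    echo "WARN: subnet has route table $rt; a system-assigned identity is not supported here" >&2
    return 1
  fi
}

# Idempotent grant: list first, create only when missing, then print the
# number of matching assignments (expected: 1). Arguments: principal object ID, scope.
ensure_network_contributor() {
  local principal="$1" scope="$2" existing
  is_subnet_scope "$scope" || { echo "refusing non-subnet scope: $scope" >&2; return 2; }
  existing=$(az role assignment list --assignee "$principal" --scope "$scope" \
               --role "Network Contributor" --query "[].id" -o tsv)
  if [ -z "$existing" ]; then
    # Object ID plus principal type avoids a Graph lookup, which can lag
    # behind for a freshly created managed identity.
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal \
      --role "Network Contributor" --scope "$scope" -o none
  fi
  az role assignment list --assignee "$principal" --scope "$scope" \
    --role "Network Contributor" --query "length(@)" -o tsv
}

# Only talk to Azure when explicitly asked (AKS_APPLY=1); the functions
# above can be sourced and reused without side effects.
if [ "${AKS_APPLY:-0}" = "1" ]; then
  SCOPE=$(subnet_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VNET_NAME" "$SUBNET_NAME")
  check_route_table "$RESOURCE_GROUP" "$VNET_NAME" "$SUBNET_NAME" || true
  ensure_network_contributor "$AKS_PRINCIPAL_ID" "$SCOPE"
fi
```

Run it as `AKS_APPLY=1 SUBSCRIPTION_ID=... RESOURCE_GROUP=... VNET_NAME=... SUBNET_NAME=... AKS_PRINCIPAL_ID=... bash preflight.sh` with an account that holds Owner or User Access Administrator on the subnet's resource group. Keeping the grant at subnet scope matters because Network Contributor at subscription scope would let the cluster identity modify every network in the subscription, far more than the provisioning error asks for.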

0 additional answers
