This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 59%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Is there a way to use an AD app (app-id, secret, subscription) to authenticate with the Kubernetes API via HTTPS to get cluster's information without using azure cli? (like nodes, nodes configuration, roles, etc)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 74%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Hello Vlad Vantaroo
Welcome to microsoft Q&A,Thankyou for posting your query
yes, you can use an Azure AD app to authenticate with the Kubernetes API via HTTPS to get cluster's information without using Azure CLI.
1.Create an Azure AD App and Assign Required Permissions:
i. Navigate to the Azure portal (https://portal.azure.com).
ii. Go to Azure Active Directory > App registrations > New registration.
iii. Fill in the necessary details (such as Name and Redirect URI).
iv. Once the app is created, note down the Application (client) ID and Directory (tenant) ID.
v. Under "Certificates & secrets," generate a new client secret and note down the value.
vi. Assign the required permissions to the app. For Kubernetes API access, you may need to assign vii. Azure Kubernetes Service Cluster User role or custom role with appropriate permissions.
2.Use the following command to get the access token:
curl -X POST -d 'grant_type=client_credentials&client_id=<app-id>&client_secret=<app-secret>&resource=https://management.azure.com/' https://login.microsoftonline.com/<tenant-id>/oauth2/token
3.Note down the access token received.
4.Authenticate with the Kubernetes API Server:
5.Use the access token obtained in step 2 to authenticate with the Kubernetes API server.
6.Use the following command to get the list of nodes in the cluster:
curl -H "Authorization: Bearer <access-token>" https://<kubernetes-api-server>/api/v1/nodes
Hope this helps you.please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Hi @Anveshreddy Nimmala ! Unfortunately this didn't work. Is throwing me a 401 error with the received access token. Do you know of any other configurations that I might be missing? Or some other issue that I'm not seeing?
Just to add additional context:
Also I tried changing the cluster auth method with Azure AD authentication with kubernetes RBAC and Azure AD authentication with Azure RBAC but neither worked.
Hello Vlad Vantaroo, please find some trouble shooting steps for the same. if you're receiving a 401 error (Unauthorized) when trying to access the Kubernetes API with the obtained access token: 1.Make sure that the access token you received is valid and not expired. Access tokens have a limited lifetime, typically an hour. If the token has expired, you'll need to request a new one. 2.check that the Azure AD App has been granted the necessary permissions to access the Kubernetes API server i.e., Azure AD permissions and Kubernetes RBAC permissions. 3.Confirm that the Azure AD App has the appropriate roles assigned within Kubernetes RBAC. For example, if you're trying to access nodes, ensure that the Azure AD App has the necessary permissions. 4.Examine logs of the Kubernetes API server for any errors or warnings related to token authentication. Look for insights into why the token might be rejected. 5.Check for connectivity problems that might prevent token validation. 6.Confirm that the Azure AD App has appropriate roles assigned within Kubernetes RBAC. 7. Ensure the app has necessary permissions like cluster-admin or specific permissions for node resources. 8.Confirm that the resource specified in the token request matches the expected audience by the Kubernetes API server. It should match the Kubernetes API server's endpoint or use a wildcard if applicable. hope this helps you.
The issue was that the request to get the token was wrong. This is a good example that works:
curl -X POST -d 'grant_type=client_credentials' \
-d 'client_id=<app-id>' \
-d 'client_secret=<app-secret>' \
-d 'scope=<api-server-id>/.default' \
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
The <api-server-id> can be grabbed from the kubernetes config
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 85%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Will this work for another Oauth flow? I’m looking to do something similar but have an App Registration that a user can sign into and it will return a token for the azure k8s cluster.