Using the deprecated accessProfiles API instead of the listClusterUserCredential API causes `azure_rm_aks` to fail where `az aks get-credentials` succeeds
SUMMARY
I've been given access to a cluster where the `azure_rm_aks` task in my playbook fails with an exception (see below), while `az aks get-credentials` works just fine.
This is because the Get Access Profile API used by the `azure_rm_aks` module is deprecated in favour of the List Cluster User Credentials API, which is what `az` uses, and apparently authorizations on the cluster have been set up to grant me access to one API but not the other.
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_aks
ANSIBLE VERSION
ansible [core 2.14.3]
config file = /home/em/c/co/bosch/git-apertispro/infrastructure/ansible-playbooks/ansible.cfg
configured module search path = ['/home/em/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /home/em/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
$ ansible-galaxy collection list azure.azcollection
# /usr/share/ansible/collections/ansible_collections
Collection Version
------------------ -------
azure.azcollection 1.19.0
# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
------------------ -------
azure.azcollection 1.14.0
CONFIGURATION
ansible-config dump --only-changed
CALLBACKS_ENABLED(/home/user/ansible-playbooks/ansible.cfg) = ['ansible.posix.profile_tasks']
COLOR_DEBUG(/home/user/ansible-playbooks/ansible.cfg) = blue
CONFIG_FILE() = /home/user/ansible-playbooks/ansible.cfg
DEFAULT_HOST_LIST(/home/user/ansible-playbooks/ansible.cfg) = ['/home/user/ansible-playbooks/inventories/staging']
DEFAULT_STDOUT_CALLBACK(/home/user/ansible-playbooks/ansible.cfg) = yaml
OS / ENVIRONMENT
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
STEPS TO REPRODUCE
I am not sure how roles can be granted to give access to one API but not the other, but here we go. Then ansible-playbook --check playbook.yaml with a no-changes azure_rm_aks task is enough to trigger the exception.
EXPECTED RESULTS
If az aks get-credentials works then azure_rm_aks should also work.
ACTUAL RESULTS
Here's the (sanitized) exception:
The full traceback is:
Traceback (most recent call last):
File "/home/user/.ansible/tmp/ansible-tmp-1709511094.8353264-6710-223539408301042/AnsiballZ_azure_rm_aks.py", line 107, in <module>
_ansiballz_main()
File "/home/user/.ansible/tmp/ansible-tmp-1709511094.8353264-6710-223539408301042/AnsiballZ_azure_rm_aks.py", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/user/.ansible/tmp/ansible-tmp-1709511094.8353264-6710-223539408301042/AnsiballZ_azure_rm_aks.py", line 47, in invoke_module
runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_aks', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_aks', _modlib_path=modlib_path),
File "<frozen runpy>", line 226, in run_module
File "<frozen runpy>", line 98, in _run_module_code
File "<frozen runpy>", line 88, in _run_code
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 1239, in <module>
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 1235, in main
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 807, in __init__
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 452, in __init__
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 827, in exec_module
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 1149, in get_aks
File "/tmp/ansible_azure_rm_aks_payload_t93a4swj/ansible_azure_rm_aks_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_aks.py", line 1172, in get_aks_kubeconfig
File "/usr/local/lib/python3.11/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/azure/mgmt/containerservice/v2022_02_01/operations/_managed_clusters_operations.py", line 1159, in get_access_profile
raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client '[email protected]' with object id '$OID' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' over scope '/subscriptions/$SUBSCRIPTION/resourceGroups/$RG/providers/Microsoft.ContainerService/managedClusters/$CLUSTER/accessProfiles/clusterUser' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '[email protected]' with object id '$OID' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action' over scope '/subscriptions/$SUBSCRIPTION/resourceGroups/$RG/providers/Microsoft.ContainerService/managedClusters/$CLUSTER/accessProfiles/clusterUser' or the scope is invalid. If access was recently granted, please refresh your credentials.
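The split described above (one credential API authorized, the other denied) is easy to reproduce against a client object before running a playbook. The following is an added example, not code from `azure_rm_aks`, `az`, or the Azure SDK: it wraps the two SDK calls the thread contrasts (`managed_clusters.get_access_profile(...)`, which the traceback shows the module calling, and `managed_clusters.list_cluster_user_credentials(...)`, which returns what `az aks get-credentials` writes out), normalizes both to a kubeconfig string, and probes which of the two ARM actions the calling identity actually holds. The SDK method names and result shapes are taken from azure-mgmt-containerservice; the fake client at the bottom is constructed test data that mimics the issue, not real API output.

```python
"""Retrieve an AKS clusterUser kubeconfig via either credential API and probe
which one the current identity is authorized for.

Added example (not code from azure.azcollection, az, or the Azure SDK).
Assumed SDK surface (azure-mgmt-containerservice):
  managed_clusters.get_access_profile(rg, name, role_name)
      -> ManagedClusterAccessProfile with .kube_config (bytes)   # deprecated
  managed_clusters.list_cluster_user_credentials(rg, name)
      -> CredentialResults with .kubeconfigs [CredentialResult(.name, .value bytes)]
"""
from types import SimpleNamespace

# ARM RBAC action each API requires. The first appears verbatim in the
# AuthorizationFailed message above; the second is the action granted by the
# built-in "Azure Kubernetes Service Cluster User Role".
ACTIONS = {
    "accessProfiles": "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
    "listClusterUserCredential": "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
}


def is_authorization_failed(exc):
    """True for an ARM AuthorizationFailed response. azure.core's HttpResponseError
    exposes .error.code; fall back to the message text for other exception types."""
    code = getattr(getattr(exc, "error", None), "code", None)
    return code == "AuthorizationFailed" or "AuthorizationFailed" in str(exc)


def select_kubeconfig(credential_results, name="clusterUser"):
    """Pick one entry out of CredentialResults.kubeconfigs and decode it to text."""
    for entry in credential_results.kubeconfigs:
        if entry.name == name:
            return entry.value.decode("utf-8")
    raise KeyError(f"no kubeconfig named {name!r} in CredentialResults")


def fetch_kubeconfig(managed_clusters, resource_group, cluster_name, api="listClusterUserCredential"):
    """Return the clusterUser kubeconfig as text via the chosen API.

    managed_clusters is ContainerServiceClient(...).managed_clusters or any
    duck-typed stand-in exposing the two methods named in the module docstring.
    """
    if api == "listClusterUserCredential":
        # Supported API; what `az aks get-credentials` relies on.
        results = managed_clusters.list_cluster_user_credentials(resource_group, cluster_name)
        return select_kubeconfig(results, "clusterUser")
    if api == "accessProfiles":
        # Deprecated API; the call in the traceback above. Same data, different RBAC action.
        profile = managed_clusters.get_access_profile(resource_group, cluster_name, "clusterUser")
        return profile.kube_config.decode("utf-8")
    raise ValueError(f"unknown api {api!r}")


def probe_credential_apis(managed_clusters, resource_group, cluster_name):
    """Try both APIs with the identity Ansible will use and report, per API,
    'ok', 'AuthorizationFailed', or the error text. A split result is the
    situation in this issue."""
    report = {}
    for api in ACTIONS:
        try:
            fetch_kubeconfig(managed_clusters, resource_group, cluster_name, api=api)
            report[api] = "ok"
        except Exception as exc:  # keep going so the other API is reported too
            report[api] = "AuthorizationFailed" if is_authorization_failed(exc) else f"error: {exc}"
    return report


def managed_clusters_for(subscription_id):
    """Build the real operations object. Imported lazily so the rest of this
    file (and its offline checks) needs no Azure packages installed."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.containerservice import ContainerServiceClient
    return ContainerServiceClient(DefaultAzureCredential(), subscription_id).managed_clusters


# --- Constructed stand-in reproducing the issue (not real API output) -------
SAMPLE_KUBECONFIG = b"apiVersion: v1\nkind: Config\nclusters: []\n"


class _AuthorizationFailed(Exception):
    """Shaped like azure.core.exceptions.HttpResponseError for an ARM 403."""
    def __init__(self, action, scope):
        super().__init__(f"(AuthorizationFailed) The client does not have authorization "
                         f"to perform action '{action}' over scope '{scope}'")
        self.error = SimpleNamespace(code="AuthorizationFailed")


def fake_cluster_user_only_client():
    """Duck-typed client.managed_clusters whose identity may call
    listClusterUserCredential but not accessProfiles/listCredential."""
    def list_cluster_user_credentials(resource_group, cluster_name):
        return SimpleNamespace(kubeconfigs=[SimpleNamespace(name="clusterUser", value=SAMPLE_KUBECONFIG)])

    def get_access_profile(resource_group, cluster_name, role_name):
        scope = (f"/subscriptions/SUB/resourceGroups/{resource_group}/providers/"
                 f"Microsoft.ContainerService/managedClusters/{cluster_name}/accessProfiles/{role_name}")
        raise _AuthorizationFailed(ACTIONS["accessProfiles"], scope)

    return SimpleNamespace(list_cluster_user_credentials=list_cluster_user_credentials,
                           get_access_profile=get_access_profile)


if __name__ == "__main__":
    # Offline run against the constructed client; swap in
    # managed_clusters_for("<subscription id>") to probe a real cluster.
    print(probe_credential_apis(fake_cluster_user_only_client(), "rg", "cluster"))
```

Running the probe with the real client and the same login Ansible uses tells you in one call whether the problem is the module's choice of API (listClusterUserCredential ok, accessProfiles denied) or a genuine lack of cluster access (both denied), which is the distinction the maintainer's first reply below does not make.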
@em- Judging from your error, there is a problem with your authorization. Can you check that the credentials you are using have permission to access the resources you want to manage? Thank you!
Oh, sure, definitely some permission issue that I will try to get solved separately. Still, it would be great if the ansible module would switch to the recommended API used by az since most people will test permissions with that.
Note that what I am trying to do here is not getting the credentials myself. I am trying to use the azure_rm_aks module to configure other aspects of the cluster, but for some reason it tries to retrieve them internally with the old API and due to some (mis)configuration outside of my control it does not work, while the new API works correctly.
As I said in my previous comment #1484 is totally unrelated to my request.
I am not interested in the AKS credentials; the `azure_rm_akscredentials_info` module is not currently useful for me.
I only want to use the `azure_rm_aks` module, and for some reason that module internally requests the AKS credentials using a deprecated API that, for reasons that are beyond my control, does not work for me, while the non-deprecated API to retrieve the credentials works just fine.
@em- I'm very sorry to reply to your question so late. Could you please describe your problem in detail? It helps to solve the problems encountered, thank you!
Sure. The issue description should already contain all the details, but let me recap:
- I want to use the `azure_rm_aks` module
- I get the exception I reported in its entirety in the issue description about lacking permissions for the `Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action` action
- I can't change the permissions on the cluster (it is managed by another team)
- As a test, I noticed that `az aks get-credentials` actually works
- `az aks get-credentials` and the `azure_rm_aks` module use different APIs, that's why one works and the other does not
- The team that provisioned the cluster tested permissions with `az` and did not test with Ansible
- The `azure_rm_aks` module uses the Get Access Profile API which is deprecated
- `az aks get-credentials` uses the List Cluster User Credentials API

Can you please remove usage of the deprecated Get Access Profile API from the `azure_rm_aks` module by replacing it with the List Cluster User Credentials API?
While this is an issue for me only because I am on a quite special setup, moving away from a deprecated API would seem to be a generally good thing for every user.
@em- Fixed by #1513
Can you try it(https://github.com/ansible-collections/azure/pull/1513) on? Does this meet your needs? Thank you!
Works perfectly, thank you!