How can I find the service principal secret of my AKS cluster?
Question
Okay, so I messed up, I accidentally ran az ad sp reset-credentials
against the Service Principal that our AKS cluster runs under. And now we are getting errors like:
Error creating load balancer (will retry): error getting LB for service test/admin-api: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/****/resourceGroups/MC_****/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID:****\r\nCorrelation ID:**** \r\nTimestamp: 2018-08-23 12:01:33Z","error_codes":[70002,50012],"timestamp":"2018-08-23 12:01:33Z","trace_id":"****","correlation_id":"****"}
and
Failed to pull image "****.azurecr.io/****:****": rpc error: code = Unknown desc = Error response from daemon: Get https://****.azurecr.io/v2/****/manifests/****: unauthorized: authentication required
So now I want to find the original client secret that the Service Principal uses, so that I can re-add that as a key to the Service Principal. That's the only solution I can think of other than recreating the entire cluster.
Any ideas?
Recommended answer
Whoever comes across this issue: there's an updated solution from Microsoft.
They also mention (something that's not obvious) that: By default, AKS clusters are created with a service principal that has a one-year expiration time.
Also, as of Azure CLI 2.0.68, the --password parameter to create a service principal with a user-defined password is no longer supported, to prevent the accidental use of weak passwords. So the initial solution of changing the service principal password doesn't work anymore.
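The procedure the answer points at does not require the original secret at all: you mint a new secret for the service principal and hand it to the cluster, which pushes it to the cloud-provider config on every node. The script below is an added example and is not part of the question or the answer. It uses the real Azure CLI commands `az aks show`, `az ad sp credential reset` and `az aks update-credentials --reset-service-principal`; the resource group and cluster names passed to `rotate_aks_sp` are placeholders, it assumes a logged-in Azure CLI (2.0.68 or later, so the CLI generates the secret) with rights on both the cluster and the app registration, and the `AZ` variable exists only so the flow can be exercised against a stub without touching a subscription.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: rotate the service principal an
# AKS cluster runs under using the supported update-credentials flow.
# Assumptions: Azure CLI >= 2.0.68, already logged in; RG/cluster names are
# placeholders supplied by the caller; AZ may point at a stub for dry runs.
AZ="${AZ:-az}"

# Which service principal does the cluster currently use?
# Managed-identity clusters report the literal string "msi" here.
aks_sp_client_id() {
  "$AZ" aks show --resource-group "$1" --name "$2" \
    --query servicePrincipalProfile.clientId -o tsv
}

# Mint a new secret on the app registration. The CLI generates the value
# (--password is gone since 2.0.68); print only the secret, nothing else.
new_sp_secret() {
  "$AZ" ad sp credential reset --id "$1" --years 1 --query password -o tsv
}

# Tell AKS about the new secret so it is written to the cloud-provider
# config on every node (this is what fixes the 401 from management.azure.com).
push_secret_to_aks() {
  "$AZ" aks update-credentials --resource-group "$1" --name "$2" \
    --reset-service-principal --service-principal "$3" --client-secret "$4"
}

# Full rotation: look up the SP, reset its secret, push it to the cluster.
# Prints the rotated client id on success; the secret itself is never echoed.
# Return codes: 1 = az failed, 2 = no SP on this cluster, 3 = no secret issued.
rotate_aks_sp() {
  rg="$1"; cluster="$2"
  client_id="$(aks_sp_client_id "$rg" "$cluster")" || return 1
  if [ -z "$client_id" ] || [ "$client_id" = "msi" ]; then
    echo "cluster does not run under a service principal; nothing to rotate" >&2
    return 2
  fi
  secret="$(new_sp_secret "$client_id")" || return 1
  if [ -z "$secret" ]; then
    echo "credential reset returned no secret; aborting before touching AKS" >&2
    return 3
  fi
  push_secret_to_aks "$rg" "$cluster" "$client_id" "$secret" >/dev/null || return 1
  echo "$client_id"
}

# Usage (placeholder names): rotate_aks_sp myResourceGroup myAKSCluster
```

Two practical notes. The same service principal is usually what the nodes use to pull from ACR, so the `unauthorized: authentication required` errors clear once the nodes have the new secret; if image pulls still fail, check whether the registry grant was attached to a different identity. And because `az ad sp credential reset` adds a credential with its own expiry (one year here, via `--years 1`), put the new expiry date in a calendar; the one-year default the answer mentions is exactly how clusters end up in this state unplanned.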