How can I find the service principal secret of my AKS cluster?
Question
Okay, so I messed up, I accidentally ran az ad sp reset-credentials
against the Service Principal that our AKS cluster runs under. And now we are getting errors like:
Error creating load balancer (will retry): error getting LB for service test/admin-api: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/****/resourceGroups/MC_****/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided. Trace ID:**** Correlation ID:**** Timestamp: 2018-08-23 12:01:33Z","error_codes":[70002,50012],"timestamp":"2018-08-23 12:01:33Z","trace_id":"****","correlation_id":"****"}
and
Failed to pull image "****.azurecr.io/****:****": rpc error: code = Unknown desc = Error response from daemon: Get https://****.azurecr.io/v2/****/manifests/****: unauthorized: authentication required
So now I want to find the original client secret that the Service Principal uses, so that I can re-add that as a key to the Service Principal. That's the only solution I can think of other than recreating the entire cluster.
Any ideas?
Accepted answer
Whoever comes across this issue: there's an updated solution from Microsoft.
They also mention (something that's not obvious) that by default, AKS clusters are created with a service principal that has a one-year expiration time.
Also, as of Azure CLI 2.0.68, the --password parameter to create a service principal with a user-defined password is no longer supported, to prevent the accidental use of weak passwords. So the initial solution to change the service principal password doesn't work anymore.
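The one-year expiry mentioned in the answer is easy to miss until the cluster starts failing with AADSTS50012 exactly as in the question. The following is an added example (not code from the question, the answer, or Microsoft) that checks the credentials of the cluster's service principal for expiry. It assumes the JSON shape produced by `az ad sp credential list --id <appId>` (the `endDateTime` field in current Azure CLI versions, `endDate` in older ones); the sample credentials embedded below are constructed, and the application id, resource group and cluster name are placeholders.

```python
"""Check an AKS service principal's credentials for expiry.

Added example, not part of the original Q&A. The input shape mirrors the output of
`az ad sp credential list --id <appId>` (assumption about field names; see parse_end).
"""
import json
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample in the shape of `az ad sp credential list` output.
# keyId values are placeholders, not real identifiers.
SAMPLE_CREDENTIALS_JSON = """[
  {"displayName": "original-aks-secret", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2018-08-01T12:00:00.0000000+00:00"},
  {"displayName": "reset-by-mistake",    "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2018-09-10T12:00:00Z"},
  {"displayName": "rotated-secret",      "keyId": "00000000-0000-0000-0000-000000000003",
   "endDate": "2019-08-23T12:00:00+00:00"}
]"""


def parse_end(cred):
    """Return the credential's expiry as an aware UTC datetime, or None if absent.

    Handles both `endDateTime` (newer CLI) and `endDate` (older CLI), a trailing 'Z',
    and Azure's seven-digit fractional seconds, which datetime.fromisoformat rejects.
    """
    raw = cred.get("endDateTime") or cred.get("endDate")
    if not raw:
        return None
    raw = re.sub(r"\.\d+", "", raw).replace("Z", "+00:00")
    end = datetime.fromisoformat(raw)
    if end.tzinfo is None:
        end = end.replace(tzinfo=timezone.utc)
    return end


def credential_status(creds_json, now=None, warn_days=30):
    """Classify every credential as 'expired', 'expiring' (within warn_days), 'ok' or 'unknown'."""
    now = now or datetime.now(timezone.utc)
    results = []
    for cred in json.loads(creds_json):
        end = parse_end(cred)
        if end is None:
            days_left, status = None, "unknown"
        else:
            days_left = (end - now).days
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                status = "ok"
        results.append({
            "displayName": cred.get("displayName"),
            "keyId": cred.get("keyId"),
            "daysLeft": days_left,
            "status": status,
        })
    return results


def needs_rotation(results, warn_days_reached=True):
    """True when no credential is comfortably valid: every entry is expired, expiring or unknown."""
    return not any(r["status"] == "ok" for r in results)


def fetch_credentials(app_id):
    """Call the Azure CLI for the live credential list (requires an authenticated `az`)."""
    out = subprocess.run(
        ["az", "ad", "sp", "credential", "list", "--id", app_id, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, pinned to the timestamp in the question.
    now = datetime(2018, 8, 23, 12, 0, tzinfo=timezone.utc)
    for row in credential_status(SAMPLE_CREDENTIALS_JSON, now=now):
        print(f"{row['status']:<9} {row['daysLeft']!s:>5} days  {row['displayName']}  {row['keyId']}")
    # Live use: replace the placeholder and run credential_status(fetch_credentials("<app-id>")).
```

Run it periodically (or from a CI job) well before the one-year mark; a credential that the cluster was created with but that no longer appears in the list, or one shown as expired, is the state that produces the 401/AADSTS50012 errors above. Once a check flags the service principal, rotating the secret and pushing the new one into the cluster with `az aks update-credentials --reset-service-principal` is, as an assumption on my part, the "updated solution from Microsoft" the answer refers to; the exact command line belongs with Microsoft's documentation rather than this example.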