AKS创建的服务主体密码到期 [英] AKS Created Service Principal Password Expiry

问题描述

我使用创建Kubernetes群集"功能在Azure门户中创建了AKS群集，并允许它创建新的服务主体.
我开始怀疑该校长使用的凭证的有效期限.为了避免K8与证书到期时与Azure进行交谈的问题，我开始查看已创建的帐户.

如果我跑步，我会看到什么:

  az广告应用节目--id< app ID> 

...是除密码有效期之外的帐户清单.我不需要密码本身，只要密码过期即可.

passwordCredentials ，但是，它是一个空数组.

我希望找到的是 startDate 和 endDate 属性，就像我为自己创建的帐户所做的一样.

此处描述的PasswordCredential类:

此外，在部署AKS群集时，密码将永不过期.但请放心，您可以在设置中创建应用程序注册"的密钥，并为其指定有效时间.还可以重置时间和密钥密码.

但是，使用CLI命令带有Azure AD的Azure Kubernetes服务(AKS).希望对您有帮助.

I created my AKS cluster in the Azure portal using the 'Create Kubernetes cluster' functionality and allowed it to create a new Service Principal.
I started to wonder about expiry of the credentials this principal uses. Hoping to avoid an issue with K8s talking to Azure on credential expiry, I started looking at the account which had been created.

What I'm seeing if I run:

az ad app show --id <app Id>

... is the account manifest apart from the password expiry. I don't need to see the password itself, just when it expires.

passwordCredentials, however, is an empty array.

What I was expecting to find was startDate and endDate properties like I do for accounts I create myself.

The PasswordCredential class described here:

https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.graph.rbac.fluent.models.passwordcredential?view=azure-dotnet

Is the AKS Cluster creation process doing something different when it creates its service principal credentials which means they don't expire? Am I just not allowed to see the detail? Is there something fundamental that I've misunderstood?

解决方案

First of all, I need to make an explanation about the passwordCredentials that you reference. It a property about the App Registration key. When you create the AKS cluster there no key created, so the passwordCredentials shows empty. If you create a key in App Registration, it will show like this:

In addition, when you deploy an AKS cluster the password will be never expired. But don't worry, you can create the key for App Registration in the setting and give an expiry time to it. Also can reset the time and the key password.

But you should take care when you reset the password using the CLI command az ad sp credential reset. This command will overwrite all the keys, not the just reset the expiry time and password. It means that create a new key for you and delete all the keys created before, or just create a new key with the parameter --append.

You can take a look at the document Azure Kubernetes Service (AKS) with Azure AD. Hope this will help you.

这篇关于AKS创建的服务主体密码到期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！