
I was trying to use AzureDNS to generate a DNS certificate for my domain via cert-bot; I followed https://cert-manager.io/docs/configuration/acme/dns01/azuredns//#managed-identity-using-aad-pod-identity

I added the managed identity and the federation credential, and verified from the Azure portal that the managed identity has the DNS contributor role for the required DNS zone. The challenge still throws an error saying that the client does not have the required permissions to add a TXT record:

Status=403 Code="AuthorizationFailed" Message="The client '<principal_id>' with object id '<principal_id>' does not have authorization to perform action 'Microsoft.Network/dnsZones/TXT/write' over scope '/subscriptions/<sub_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/dnsZones/<dns_zone>/TXT/_acme-challenge' or the scope is invalid. If access was recently granted, please refresh your credentials.

How can we refresh the credentials? I have tried re-creating the issuer, the challenge, etc. by deleting them using kubectl.

Edit: Added more details. PS: I did assign the required role and added a federated credential pointing to the service account and namespace used by cert-manager.

Amartya Gaur

1 Answer

As the error clearly states, this issue was caused by an access issue:
"The client '<principal_id>' with object id '<principal_id>' does not have authorization to perform action 'Microsoft.Network/dnsZones/TXT/write'." We can verify on the portal whether the respective role was properly assigned or not.

Step 1: Go to Subscription -> Access Control (IAM) -> Role assignments -> search with the id.
Step 2: See whether the respective role "DNS contributor" was assigned or not. If not, please assign it and retry once.

Refer to this via CLI and the Authorization Failed tutorials for more details.

How can we refresh the credentials? Typically, refreshing means we can re-log in to the Azure portal using the same credentials we used previously, on the same CLI:

az login 

Please do a couple of validations once:

  1. Verify that application workloads deployed to the new cluster can interact with it just as you've done with service-principal-based AKS:

    az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity
    
  2. Verify the Principal ID of the control plane identity:

    az identity show --ids <managed-identity-resource-id>

Refer to this tutorial.

Swarna Anipindi
  • So, I know the issue says there is no authorization, but I added a federated credential and assigned it the domain role, which has the required permission: – Amartya Gaur Jan 23 '23 at 07:20
  • Also, I cannot do az login because the cert-bot controller is supposed to log in and set the records for me; added screenshots in the question regarding the same. – Amartya Gaur Jan 23 '23 at 07:24
  • @Amartya Gaur, Updated the solution with a couple of validations with a tutorial. Forgot to leave a comment here. Thank you. – Swarna Anipindi Jan 24 '23 at 06:11
  • Hey Swarna, thanks for your comments. I did the validations you posted above; I am still facing the same issue. I was able to verify that the principal id etc. correspond to the correct managed identity. I also updated the cluster to enable managed identity; that did not work either. – Amartya Gaur Jan 24 '23 at 18:02
  • I was using the wrong resource group name in the issuer, thanks. – Amartya Gaur Jan 25 '23 at 05:39