
Currently battling a permissions issue when trying to assign a managed identity as part of an install/config of external-dns using pod identity.

Worked through the instructions to assign the DNS Private Zone Contributor role to the user-assigned managed identity. This is the MI that the external-dns pods are going to use to talk to the DNS setup in Azure and make the changes.

The only slight caveat I have is that the AKS cluster and the private DNS zone are in different resource groups, but I don't think this is an issue.

Tried to run the following as the service principal with full access that we use to make deployments to the resource group, but still encountered the following error:

az aks pod-identity add --resource-group my-resource-group --cluster-name my-aks-cluster --namespace "external-dns" \
    --name "external-dns" --identity-resource-id ${IDENTITY_RESOURCE_ID of my managed identity user}

The command requires the extension aks-preview. Do you want to install it now? The command will continue to run after the extension is installed. (Y/n): y
Run 'az config set extension.use_dynamic_install=yes_without_prompt' to allow installing extensions without prompt.
The installed extension 'aks-preview' is in preview.
Waiting for AAD role to propagate[################################    ]  90.0000%Could not grant Managed Identity Operator permission for cluster

Anyone have any ideas or pointers?

Double-checked, and the SPN I am running the commands as has the Machine Identity Operator (along with MI Contributor) permissions against the MI I want to use.

Still running into the 'could not grant Managed Identity Operator permission for cluster' error.

John Fox
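Added example, not part of the original post: a Python check over the JSON that `az role assignment list --scope <identity resource id> --include-inherited -o json` returns. Creating the Managed Identity Operator assignment that `az aks pod-identity add` makes on the user-assigned identity needs Microsoft.Authorization/roleAssignments/write at that scope, which Owner and User Access Administrator carry and Managed Identity Operator, Managed Identity Contributor and Contributor do not; the check reports whether the calling principal has such a role on the identity and whether the cluster's identity already holds Managed Identity Operator there. The principal ids, scopes and the sample assignment list are constructed placeholders.

```python
import json

# Built-in roles that include Microsoft.Authorization/roleAssignments/write, the
# permission needed to create the Managed Identity Operator assignment that
# `az aks pod-identity add` tries to make on the user-assigned identity.
# Managed Identity Operator / Contributor and plain Contributor do not include it.
ROLE_ASSIGNMENT_WRITERS = {"Owner", "User Access Administrator"}
ROLE_NEEDED_BY_CLUSTER = "Managed Identity Operator"

# Constructed sample shaped like `az role assignment list --scope <id> --include-inherited -o json`
# (field names as the CLI emits them; ids, names and scopes are placeholders).
IDENTITY_SCOPE = ("/subscriptions/SUB/resourceGroups/dns-rg/providers/"
                  "Microsoft.ManagedIdentity/userAssignedIdentities/external-dns-mi")
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "spn-0000", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Managed Identity Operator", "scope": IDENTITY_SCOPE},
    {"principalId": "spn-0000", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB/resourceGroups/dns-rg"},
])


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Azure RBAC inherits downwards: an assignment at a parent scope covers the target."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def check_pod_identity_prereqs(assignments_json, caller_id, cluster_identity_id, identity_scope):
    """Return (caller_can_create_assignment, cluster_has_operator, problems)."""
    assignments = json.loads(assignments_json)

    def roles_of(principal_id):
        return {a["roleDefinitionName"] for a in assignments
                if a["principalId"] == principal_id and scope_covers(a["scope"], identity_scope)}

    caller_roles = roles_of(caller_id)
    cluster_roles = roles_of(cluster_identity_id)
    caller_ok = bool(caller_roles & ROLE_ASSIGNMENT_WRITERS)
    cluster_ok = ROLE_NEEDED_BY_CLUSTER in cluster_roles
    problems = []
    if not caller_ok:
        problems.append(f"caller {caller_id} has {sorted(caller_roles) or 'no roles'} on the identity; "
                        "needs Owner or User Access Administrator to create role assignments")
    if not cluster_ok:
        problems.append(f"cluster identity {cluster_identity_id} lacks {ROLE_NEEDED_BY_CLUSTER} on the identity")
    return caller_ok, cluster_ok, problems


if __name__ == "__main__":
    for line in check_pod_identity_prereqs(SAMPLE_ASSIGNMENTS, "spn-0000", "cluster-1111", IDENTITY_SCOPE)[2]:
        print(line)
```

The cluster identity to pass in is the control plane identity of the AKS cluster (its principal id), not the SPN running the command.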
