Issue: AKS RBAC works on UPN but not on Object ID

Took me a while to figure out why RBAC worked in my own subscription, but not at my customer. When configuring RBAC on AKS following this document, https://docs.microsoft.com/nl-nl/azure/aks/azure-ad-integration, using an Object ID for a User subject does not work with AAD: object IDs (for now) only work for guest accounts, LiveIDs, onmicrosoft.com accounts, or users from another tenant. Use the user's FQDN (the UPN) instead. Hopefully Microsoft will update their documentation soon.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aks-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  # For an AAD user this must be the UPN (user@tenant), not the object ID
  name: "xxxxx-xxx-xxxx-xxxx-xxxxxxxxx"
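A small lint, added here as an example and not code from the post, that flags User subjects in a ClusterRoleBinding or RoleBinding whose name is GUID-shaped (an object ID) rather than a UPN; the manifest is read as JSON, which kubectl accepts alongside YAML, and the tenant name and GUID in the sample are constructed placeholders.

```python
import json
import re

# Shape of an Azure AD object ID (a GUID). Constructed pattern, not from the post.
OBJECT_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_binding(manifest):
    """Return (subject_name, message) pairs for User subjects named by object ID.

    Accepts a ClusterRoleBinding or RoleBinding as a dict. Group subjects are
    left alone: AKS identifies AAD groups by object ID, so a GUID is expected there.
    """
    findings = []
    if manifest.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
        return findings
    for subject in manifest.get("subjects") or []:
        name = str(subject.get("name", ""))
        if subject.get("kind") == "User" and OBJECT_ID_RE.match(name):
            findings.append(
                (name, "User subject is an object ID; the AAD token carries the "
                       "UPN, so bind user@tenant instead")
            )
    return findings


def check_binding_json(text):
    """Convenience wrapper for a manifest held as a JSON string."""
    return check_binding(json.loads(text))


# Constructed sample: one subject by object ID (flagged), one by UPN (accepted).
SAMPLE = """{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "aks-cluster-admins"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
              "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
     "name": "12345678-abcd-1234-abcd-123456789abc"},
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
     "name": "alice@example-tenant.onmicrosoft.com"}
  ]
}"""

if __name__ == "__main__":
    for name, msg in check_binding_json(SAMPLE):
        print(f"{name}: {msg}")
```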
