My AKS cluster is giving the error below;

It's related to an expired service principal. So I followed the instructions here --> https://learn.microsoft.com/en-us/azure/aks/update-credentials#update-aks-cluster-with-service-principal-credentials

I created a new SP with the command below;

az ad sp create-for-rbac --role Contributor --scopes /subscriptions/mySubscriptionID

And after that I'm trying to attach this SP with the AKS and executing the command below;

az aks update-credentials --resource-group myrg --name myaks --reset-service-principal   --service-principal xxx-8xx7-xxx-xx2-xxxxxxxx6 --client-secret "xxxxxxxxsu5Nxxxxxx"

But it gives the error below;

(BadRequest) Updating service principal profile is not allowed on cluster using managed identity.
Code: BadRequest
Message: Updating service principal profile is not allowed on cluster using managed identity.

And the thing is we are not using managed identity. Or not sure how to check if we are using somehow?

Any idea what is the problem?

yatta

1 Answer

The error message (BadRequest) Updating service principal profile is not allowed on cluster using managed identity indicates that the AKS cluster is using managed identity. You cannot update the service principal profile on a cluster that is using managed identity, and it is not possible to disable the managed identity of an AKS cluster once it's provisioned. The managed identity is created by default when you create an AKS cluster and is used to authenticate with other Azure services.

And the thing is we are not using managed identity. Or not sure how to check if we are using somehow?

As per this MS doc, managed identity is created by default when you create an AKS cluster and is used to authenticate with other Azure services. To verify, go to the secondary resource group created by AKS cluster and check for managed identity resource.

Alternatively, you can also use the command below to verify managed identity.

az aks show --resource-group <rg-name> --name <aks-name> --query identity

To create a cluster with a service principal, refer to this link: Use a service principal with AKS | Microsoft

In the first screenshot, the error

It says the cluster is using managed identity. When using managed identity, you cannot use a service principal for the cluster. If you need to update the service principal profile, you will need to create a new AKS cluster with service principal authentication enabled.

This can be caused by multiple reasons. Verify all the Kubernetes components; there may be issues with the nodes in the cluster or problems with the add-ons or extensions running in the cluster. Check whether all the nodes are in a healthy state and also verify all the workloads of the cluster.

HowAreYou
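Added example (not part of the original answer or of Microsoft's documentation): a shell helper that extends the `az aks show --query identity` check above by also reading `servicePrincipalProfile.clientId`, and reports which identity mode the cluster uses before `--reset-service-principal` is attempted. It assumes `servicePrincipalProfile.clientId` reads `msi` on managed-identity clusters and that unset fields print as empty or `None` with `-o tsv`; `aks_identity_mode` and `aks_check` are hypothetical names.

```shell
#!/bin/sh
# Added example: decide whether an AKS cluster authenticates with a managed
# identity or a service principal, using only `az aks show` queries.

# Pure classifier.
#   $1 = identity.type                      (SystemAssigned, UserAssigned, None, or empty)
#   $2 = servicePrincipalProfile.clientId   (a GUID, "msi", None, or empty)
# Assumption: "msi" is the placeholder client ID on managed-identity clusters.
aks_identity_mode() {
    id_type=$1
    sp_client_id=$2
    case "$id_type" in
        SystemAssigned|UserAssigned)
            echo "managed-identity"
            return 0 ;;
    esac
    case "$sp_client_id" in
        ""|None|none) echo "unknown" ;;
        msi|MSI)      echo "managed-identity" ;;
        *)            echo "service-principal" ;;
    esac
}

# Queries the cluster and prints the mode.
# Exit status: 0 = service principal (credential reset applies),
#              1 = managed identity or unknown (reset will be rejected),
#              2 = the az call itself failed (not logged in, wrong names, ...).
aks_check() {
    rg=$1
    name=$2
    id_type=$(az aks show --resource-group "$rg" --name "$name" \
        --query identity.type -o tsv) || return 2
    sp_id=$(az aks show --resource-group "$rg" --name "$name" \
        --query servicePrincipalProfile.clientId -o tsv) || return 2
    mode=$(aks_identity_mode "$id_type" "$sp_id")
    echo "$mode"
    [ "$mode" = "service-principal" ]
}

# Usage, after sourcing this file (resource names are the question's placeholders):
#   aks_check myrg myaks && echo "update-credentials --reset-service-principal applies"
```
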