Problem
When a node pool is added to an AKS instance, the VMSS that is created comes with the managed identity disabled. This makes it necessary to run several more commands to discover the VMSS identifier, enable the managed identity, and associate the new identity with the Key Vault rules, SQL Server and other services used by the applications that will run on it.
Suggestion:
add the parameter --add-managed-identity-group
This parameter must be set to the AAD group that will be linked to the VMSS system identity.
How will it work:
At the end of the execution of
az aks nodepool add -g MyResourceGroup -n nodepool1 --cluster-name MyManagedCluster --add-managed-identity-group <AAD_SECURITY_GROUP>
the CLI should get the name of the VMSS that was created and run the functions of the commands
az vmss identity assign -g MyResourceGroup -n <vmss created by previous command>
az vmss identity show --name <vmss created by previous command> --resource-group MyResourceGroup
to read the managed identity id. Finally, it must execute the function of the command
az ad group member add --group <AAD_SECURITY_GROUP> --member-id <ID returned by the previous command>
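The sequence described above, scripted as an added example (not code from the issue or from the Azure CLI project) so a new pool is never left with its identity disabled; it assumes an authenticated az CLI, placeholder resource names, and that the pool's VMSS can be found by the aks-managed-poolName tag.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Azure CLI project: the manual
# steps the request wants folded into `az aks nodepool add`, scripted so a new pool
# never comes up with its identity disabled. Needs an authenticated `az`; resource
# names are placeholders and the aks-managed-poolName tag lookup is an assumption.
set -eu

# AKS creates node VMSSs in the cluster's node resource group (MC_*), not in the
# resource group the cluster itself lives in, so look that group up first.
node_resource_group() {
  az aks show -g "$1" -n "$2" --query nodeResourceGroup -o tsv
}

# Name of the VMSS backing one node pool, selected by the pool-name tag (assumed).
find_pool_vmss() {
  az vmss list -g "$1" \
    --query "[?tags.\"aks-managed-poolName\"=='$2'].name | [0]" -o tsv
}

# Turn on the system-assigned identity and print its principalId, the object id
# that `az ad group member add --member-id` expects.
enable_vmss_identity() {
  az vmss identity assign -g "$1" -n "$2" >/dev/null
  az vmss identity show -g "$1" -n "$2" --query principalId -o tsv
}

# What the proposed --add-managed-identity-group would do in one step.
# Usage: add_nodepool_with_identity_group <rg> <cluster> <pool> <aad-group>
# Prints "<vmss> <principalId>" on success.
add_nodepool_with_identity_group() {
  rg="$1"; cluster="$2"; pool="$3"; aad_group="$4"
  az aks nodepool add -g "$rg" --cluster-name "$cluster" -n "$pool" >/dev/null
  node_rg=$(node_resource_group "$rg" "$cluster")
  vmss=$(find_pool_vmss "$node_rg" "$pool")
  if [ -z "$vmss" ]; then
    echo "no VMSS found for node pool $pool in $node_rg" >&2
    return 1
  fi
  principal_id=$(enable_vmss_identity "$node_rg" "$vmss")
  if [ -z "$principal_id" ]; then
    echo "identity enabled but no principalId returned for $vmss" >&2
    return 1
  fi
  az ad group member add --group "$aad_group" --member-id "$principal_id"
  printf '%s %s\n' "$vmss" "$principal_id"
}

# Run directly with four arguments; sourced with none, only the functions are defined.
if [ "$#" -eq 4 ]; then
  add_nodepool_with_identity_group "$@"
fi
```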
Summary
With a single parameter the user will be able to solve a complex problem, managing the permissions of the new node pool without running the risk of machines becoming available without the permissions needed to access their resources.