articles/aks/control-kubeconfig-access.md
12 additions & 7 deletions
@@ -6,7 +6,7 @@ author: mlearned
6
6
7
7
ms.service: container-service
8
8
ms.topic: article
9
-
ms.date: 05/31/2019
9
+
ms.date: 01/28/2020
10
10
ms.author: mlearned
11
11
---
12
12
@@ -31,21 +31,26 @@ The [az aks get-credentials][az-aks-get-credentials] command lets you get the ac
31
31
The two built-in roles are:
32
32
33
33
***Azure Kubernetes Service Cluster Admin Role**
34
-
* Allows access to *Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action* API call. This API call [lists the cluster admin credentials][api-cluster-admin].
35
-
* Downloads *kubeconfig* for the *clusterAdmin* role.
34
+
* Allows access to *Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action* API call. This API call [lists the cluster admin credentials][api-cluster-admin].
35
+
* Downloads *kubeconfig* for the *clusterAdmin* role.
36
36
***Azure Kubernetes Service Cluster User Role**
37
-
* Allows access to *Microsoft.ContainerService/managedClusters/listClusterUserCredential/action* API call. This API call [lists the cluster user credentials][api-cluster-user].
38
-
* Downloads *kubeconfig* for *clusterUser* role.
37
+
* Allows access to *Microsoft.ContainerService/managedClusters/listClusterUserCredential/action* API call. This API call [lists the cluster user credentials][api-cluster-user].
38
+
* Downloads *kubeconfig* for *clusterUser* role.
39
39
40
40
These RBAC roles can be applied to an Azure Active Directory (AD) user or group.
41
41
42
+
> ![NOTE]
43
+
> On clusters that use Azure AD, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a log in. Once logged in, users have access based on their Azure AD user or group settings. Users with the *clusterAdmin* role have admin access.
44
+
>
45
+
> Clusters that do not use Azure AD only use the *clusterAdmin* role.
46
+
42
47
## Assign role permissions to a user or group
43
48
44
49
To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group. The following example commands:
45
50
46
51
* Get the cluster resource ID using the [az aks show][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed.
47
-
*Uses the [az account show][az-account-show] and [az ad user show][az-ad-user-show] commands to get your user ID.
48
-
* Finally, assigns a role using the [az role assignment create][az-role-assignment-create] command.
52
+
*Use the [az account show][az-account-show] and [az ad user show][az-ad-user-show] commands to get your user ID.
53
+
* Finally, assign a role using the [az role assignment create][az-role-assignment-create] command.
49
54
50
55
The following example assigns the *Azure Kubernetes Service Cluster Admin Role* to an individual user account:
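Review bot: The alert marker on the added line `> ![NOTE]` has the exclamation mark outside the brackets; the docs alert syntax is `> [!NOTE]`, so as written the block will not render as a note callout. Change it to `> [!NOTE]`. Separately, the note says clusters that do not use Azure AD only use the *clusterAdmin* role, while the text above it still presents both built-in roles as assignable. Since readers use this page to decide who can download admin credentials, consider stating what assigning the *Azure Kubernetes Service Cluster User Role* results in on a cluster without Azure AD, and pointing out in the same note that *clusterAdmin* access is not limited by the Azure AD user or group settings described for *clusterUser*.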