Question

Azure AKS: Multiple user assigned identities exist


Userlevel 2

Dear Folks,
I have been trying for hours to attach the infrastructure profile for Microsoft Azure to my Kasten K10 application.
Sadly, I’m failing with the following error:

Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request.

 

I should perhaps mention that in the same subscription there is a second AKS cluster, and I was able to add the infrastructure profile there months ago without any problems.

It looks to me like there are multiple Managed Identities, but Kasten K10 doesn't know which one to use.

Do you have any idea how this could be solved?

 

Regards


6 comments

Userlevel 2

Hello Veeam Team and Community,

I am now one step further with a dedicated user-managed identity. If I give this user-managed identity the contributor rights to the subscription, it works and is valid. As soon as I take them away again, the test fails.

Can any of you tell me what the minimum rights to be granted are for “Microsoft.Resources/subscriptions/locations/read” under the principle of least privilege?


Regards

Userlevel 7

@jaiganeshjk 

Userlevel 4

Hello @flavio_bitstan 

I will check regarding the requirements for user-managed identity for Azure and update here.

 

Regards

Rubens

 

Userlevel 4

Hi @flavio_bitstan,

The built-in Contributor role has been the recommendation. There is no information on minimum role rights requirements in K10's documentation for Azure storage, but we will be working to update the documentation to add a list of minimum required permissions for K10, and users can then create a Customer Role and assign it to a user K10 has access to.

 

Hope it helps.

Rubens

Userlevel 2

Hi @FRubens,

Thank you for your clarification and explanations. I have in the meantime also played around a bit with the permissions.

The current smallest role I have found is "Disk Snapshot Contributor" directly on the resource group with which the AKS cluster was created. Additionally, I linked the user-managed identity to the NodePools from the AKS cluster.

On the part of Kasten K10, it would still be good to know whether just snapshots have to be taken or more, if necessary.

Regards

Userlevel 4

Hello @flavio_bitstan,

 

I would like to provide an update: we are working to add to the K10 documentation the minimum rights to be granted for Azure storage, the same as we have for IAM (https://docs.kasten.io/latest/install/aws/using_aws_iam_roles.html#creating-an-iam-policy), as an example.

Please let me know if you have any other questions.

FRubens
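
Added example, not part of the original thread or of Kasten's documentation: a Python check over `az role assignment list` output that flags when the identity used for K10 still holds a role at subscription scope or a broad built-in role, which is the state this thread moves away from. The IDs, the resource group name and the `BROAD_ROLES` set are constructed assumptions; "Disk Snapshot Contributor" on the resource group is the poster's own finding, not a vendor-confirmed minimum.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <principal> --all -o json`.
# Subscription ID, principal ID and resource group name are placeholders, not thread values.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.loads(json.dumps([
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": PRINCIPAL, "roleDefinitionName": "Disk Snapshot Contributor",
     "scope": SUB + "/resourceGroups/example-aks-rg"},
]))

# Assumption: built-in roles treated as too broad for a backup identity.
BROAD_ROLES = {"owner", "contributor", "user access administrator"}


def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] != "subscriptions":
        return "management_group"  # anything above a subscription
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource_group"
    return "resource"


def audit(assignments, principal_id, allowed_rg):
    """Return (role, scope, reason) for each assignment wider than intended."""
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        if level in ("root", "management_group", "subscription"):
            findings.append((role, scope, "scope wider than a resource group"))
        elif role.lower() in BROAD_ROLES:
            findings.append((role, scope, "broad built-in role"))
        elif scope.split("/")[4].lower() != allowed_rg.lower():
            findings.append((role, scope, "outside the cluster's resource group"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, PRINCIPAL, "example-aks-rg"):
        print(finding)
```
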
