When you create an Azure Kubernetes Service (AKS) cluster with an older Azure CLI and without explicitly specifying a service principal (SP), the CLI automatically generates one for cluster operations. The cluster's cloud-provider components use this SP to call Azure APIs for resources such as load balancers and managed disks. Current CLI versions default to a managed identity instead, in which case the queries below return the literal value "msi" rather than a client ID.
The most straightforward method is using Azure CLI:
az aks show --resource-group myResourceGroup --name myAKSCluster --query "servicePrincipalProfile"
This returns output similar to the following (the GUID is a placeholder for the SP's application ID; a managed-identity cluster returns the literal "msi" instead):
{
"clientId": "00000000-0000-0000-0000-000000000000"
}
For more detailed SP information (display name, owning tenant, object ID), use Azure PowerShell:
Get-AzADServicePrincipal -ApplicationId (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster).ServicePrincipalProfile.ClientId
Or through the Azure Portal:
- Navigate to your AKS cluster
- Go to Properties section
- Find "Service principal client ID" field
Here's a complete workflow to find and inspect the SP:
# Get SP client ID
SP_CLIENT_ID=$(az aks show --resource-group myRG --name myCluster --query "servicePrincipalProfile.clientId" -o tsv)
# Get SP object details from Microsoft Entra ID
az ad sp show --id "$SP_CLIENT_ID"
# Example output (GUIDs are placeholders; note the azure-cli-<timestamp> display name, which is how az aks create names the SPs it generates):
# {
# "appDisplayName": "azure-cli-2023-08-15-12-34-56",
# "appId": "00000000-0000-0000-0000-000000000000",
# "appOwnerOrganizationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
# ...
# }
- The auto-generated SP is granted the Contributor role on the node resource group (the MC_* group that holds the nodes, disks and load balancers); verify the actual assignments with az role assignment list rather than assuming
- The SP secret cannot be read back from Microsoft Entra ID, but it is not inaccessible: the CLI caches it locally in ~/.azure/aksServicePrincipal.json, and every cluster node holds it in /etc/kubernetes/azure.json, readable by root on the node. Treat both locations as sensitive, since the secret carries the SP's Azure permissions
- For production clusters, Microsoft recommends managed identities instead, which remove the secret from nodes and workstations entirely
If cluster operations such as load-balancer or disk provisioning start failing with authentication errors, the SP secret has usually expired. Rotate it and push the new value into the cluster in one go; az aks update-credentials requires both --service-principal and --client-secret, and resetting the app credential requires rights to manage the app registration in Microsoft Entra ID (for example owning it) plus write access to the cluster:
# Reset SP credentials and push them into the cluster
SP_ID=$(az aks show --resource-group myRG --name myCluster --query "servicePrincipalProfile.clientId" -o tsv)
SP_SECRET=$(az ad sp credential reset --id "$SP_ID" --query password -o tsv)
az aks update-credentials --resource-group myRG --name myCluster --reset-service-principal --service-principal "$SP_ID" --client-secret "$SP_SECRET"
When you create an Azure Kubernetes Service (AKS) cluster with an older Azure CLI and without explicitly specifying a service principal, the CLI automatically generates one behind the scenes (current CLI versions default to a managed identity). This behavior is documented, but finding the generated SP isn't always straightforward.
Here are three methods to identify the service principal created for your AKS cluster:
# Method 1: Using Azure CLI
az aks show --resource-group myResourceGroup --name myAKSCluster --query servicePrincipalProfile.clientId -o tsv
# Method 2: Querying Microsoft Entra ID. The auto-generated SP is not named after the cluster; az aks create names it azure-cli-<timestamp>, and --display-name matches on that prefix
az ad sp list --display-name azure-cli- --query "[].{name:displayName,appId:appId}" -o table
# Method 3: Through Azure Portal
1. Navigate to your AKS cluster
2. Go to "Properties" section
3. Find "Service principal client ID" field
The automatically created service principal has these characteristics:
- Display name is azure-cli-<timestamp> (for example azure-cli-2023-08-15-12-34-56), not the cluster name, so az aks show is the only reliable way to map a cluster to its SP
- Has the Contributor role on the node resource group (the MC_* group holding nodes, disks and load balancers); verify the actual assignments with az role assignment list rather than assuming
- Credentials are valid for one year by default; check the app registration's password credential expiry before it lapses, because the cluster's cloud-provider calls start failing once it does
Let's walk through a complete scenario:
# Create a cluster without specifying an SP (an older CLI generates one; a current CLI creates a managed-identity cluster unless you pass --service-principal and --client-secret)
az aks create --resource-group myRG --name myCluster --node-count 3
# Retrieve the SP ID ("msi" here means the cluster uses a managed identity)
SP_ID=$(az aks show --resource-group myRG --name myCluster --query "servicePrincipalProfile.clientId" -o tsv)
# Get SP details (display name, owning tenant)
az ad sp show --id "$SP_ID"
# List role assignments across the subscription to see what the SP can actually touch
az role assignment list --assignee "$SP_ID" --all -o table
If you need the SP's secret (for example to push a fresh one into the cluster), reset it in Microsoft Entra ID. Resetting invalidates the secret the cluster's nodes currently hold, so the reset must be followed immediately by az aks update-credentials. Do not reuse the cluster's SP for other automation; create a separate least-privilege SP for that instead:
# Reset SP credentials (current CLI takes --id; older versions used --name)
SP_SECRET=$(az ad sp credential reset --id "$SP_ID" --query password -o tsv)
# Push the new secret into the cluster, otherwise cloud-provider calls start failing
az aks update-credentials --resource-group myRG --name myCluster --reset-service-principal --service-principal "$SP_ID" --client-secret "$SP_SECRET"
# Important: the secret is shown once; store it in a secret store (for example Key Vault), not in shell history or a ticket
For new clusters, use a managed identity (the default in current CLI versions; the flag makes it explicit):
az aks create --resource-group myRG --name myCluster --enable-managed-identity
Managed identities eliminate the need to manage service principal credentials manually, and there is no secret on the nodes or the workstation to leak or expire.
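The lookup procedure above and the credential-reset step are easy to get wrong in two ways: assuming the SP is named after the cluster, and resetting the secret without pushing it into the cluster. The following is an added example, not code from the original page or from Microsoft: it takes the JSON that `az aks show` and `az ad app credential list --id <appId>` emit (the sample documents, GUIDs and the frozen clock are constructed), classifies the cluster's identity, checks how long the SP's password credential has left, and emits the pair of commands that must run together. Python is used so the logic runs offline against captured output; the `assess` function, `warn_days` threshold and sample names are this example's own.

```python
"""Added example (not from the original page): inspect the identity an AKS
cluster runs under and decide whether its service principal secret must be
rotated. Inputs follow the shape of `az aks show` and
`az ad app credential list --id <appId>`; all sample data is constructed."""
import re
from datetime import datetime, timezone

# Constructed: `az aks show ... --query servicePrincipalProfile` on an SP-based cluster.
SAMPLE_SP_CLUSTER = {
    "servicePrincipalProfile": {"clientId": "00000000-0000-0000-0000-000000000001"},
}
# Constructed: the same query on a managed-identity cluster returns the literal "msi".
SAMPLE_MSI_CLUSTER = {
    "servicePrincipalProfile": {"clientId": "msi"},
    "identity": {"type": "SystemAssigned"},
}
# Constructed: `az ad app credential list --id <appId>` (Graph passwordCredential shape).
SAMPLE_CREDS = [
    {
        "displayName": None,
        "keyId": "00000000-0000-0000-0000-0000000000aa",
        "startDateTime": "2023-08-15T12:34:56.1234567Z",
        "endDateTime": "2024-08-15T12:34:56.1234567Z",
    }
]
# Constructed clock so the run is repeatable; production code uses datetime.now(timezone.utc).
FROZEN_NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)

# az aks create names the SP it generates azure-cli-YYYY-MM-DD-HH-MM-SS, not after the cluster.
AUTO_SP_NAME = re.compile(r"azure-cli-\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}")


def identity_kind(cluster):
    """Return 'msi' for a managed-identity cluster, 'sp' for a service-principal cluster."""
    client_id = (cluster.get("servicePrincipalProfile") or {}).get("clientId", "")
    return "msi" if client_id.lower() == "msi" else "sp"


def looks_autogenerated(display_name):
    """True when the SP display name follows the azure-cli-<timestamp> pattern."""
    return AUTO_SP_NAME.fullmatch(display_name or "") is not None


def _parse_graph_time(value):
    """Graph emits 7 fractional digits and a trailing Z; trim to what fromisoformat accepts."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def days_until_expiry(creds, now=None):
    """Whole days until the earliest password credential lapses (negative once expired).
    Returns None when the app has no password credentials at all."""
    now = now or datetime.now(timezone.utc)
    ends = []
    for cred in creds:
        end = cred.get("endDateTime") or cred.get("endDate")  # older CLI used endDate
        if end:
            ends.append(_parse_graph_time(end))
    if not ends:
        return None
    return (min(ends) - now).days


def rotation_commands(resource_group, cluster_name, app_id):
    """The two commands that must run together: resetting the secret in Entra ID alone
    invalidates the secret the cluster's cloud provider still holds on the nodes."""
    return [
        f"SP_SECRET=$(az ad sp credential reset --id {app_id} --years 1 "
        f"--query password -o tsv)",
        f"az aks update-credentials --resource-group {resource_group} --name {cluster_name} "
        f"--reset-service-principal --service-principal {app_id} "
        f'--client-secret "$SP_SECRET"',
    ]


def assess(cluster, sp_display_name, creds, resource_group, cluster_name,
           now=None, warn_days=30):
    """Summarise what an operator should do for this cluster (hypothetical helper)."""
    kind = identity_kind(cluster)
    if kind == "msi":
        return {"kind": kind, "action": "none", "commands": []}
    app_id = cluster["servicePrincipalProfile"]["clientId"]
    days = days_until_expiry(creds, now)
    needs_rotation = days is None or days <= warn_days
    return {
        "kind": kind,
        "app_id": app_id,
        "autogenerated": looks_autogenerated(sp_display_name),
        "days_until_expiry": days,
        "action": "rotate" if needs_rotation else "none",
        "commands": rotation_commands(resource_group, cluster_name, app_id) if needs_rotation else [],
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SP_CLUSTER, "azure-cli-2023-08-15-12-34-56", SAMPLE_CREDS,
                    "myRG", "myCluster", now=FROZEN_NOW)
    print(report["kind"], report["autogenerated"], report["days_until_expiry"], report["action"])
    for cmd in report["commands"]:
        print(cmd)
```

In practice you would feed `assess` the output of `az aks show -o json` and `az ad app credential list --id "$SP_ID" -o json` (the display name from `az ad sp show --id "$SP_ID" --query displayName -o tsv`), run it from a scheduled job, and treat "rotate" as a page rather than a log line: with the sample data the secret has 14 days left, which is inside the 30-day warning window.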