[BUG] Not able to connect to kube from cloud shell #516
Description
To Reproduce
Run any kubectl command that requires login.
Ex:
kubectl get pods
Observed Behavior
$kubectl get pods -n external
Error: failed to get token: expected an empty error but received: AzureCLICredential: WARNING: A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-xxxxxxxxxxxxxxx'
ERROR: Audience 6dae42f8-4368-4678-94ff-3960e28e3630/.default is not a supported MSI token audience.
Interactive authentication is needed. Please run:
az login -- scope 6dae42f8-4368-4678-94ff-3960e28e3630/.default
E0124 09:22:49.253018 1514 memcache.go: 265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://[domain_name]:443/api?timeout=32s\": getting credentials: exec: executable kubelogin failed with exit code 1"
Error: failed to get token: expected an empty error but received: AzureCLICredential: WARNING: A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-xxxxxxxxxxxxxxx'
ERROR: Audience 6dae42f8-4368-4678-94ff-3960e28e3630/.default is not a supported MSI token audience.
Interactive authentication is needed. Please run:
az login -- scope 6dae42f8-4368-4678-94ff-3960e28e3630/.default
Expected behavior
kubectl commands to function normally
Is this specific to Cloud Shell?
Yes
Interface information
https://portal.azure.com/#cloudshell/
WORKAROUND
Call the Cloud Shell token service to pass in the required token to kubectl commands via the --token parameter. Example:
kubectl [command_name] --token $(curl http://localhost:50342/oauth2/token --data "resource=6dae42f8-4368-4678-94ff-3960e28e3630" -H Metadata:true -s | jq -r '.access_token')