What is server ID and client ID in AKS kubeconfig?


I have an AKS cluster integrated with Entra with Azure RBAC enabled, which has a custom service principal. I'm trying to prepare deploying a helm chart via terraform and for that unhardcode some values. This file is created from the kubeconfig generated by az cli and works as expected:

provider "helm" {
  kubernetes {
    host                   = module.kubernetes.kubernetes_cluster.kube_config.0.host
    cluster_ca_certificate = base64decode(module.kubernetes.kubernetes_cluster.kube_config.0.cluster_ca_certificate)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      args        = ["get-token",
                     "--environment", "AzurePublicCloud",
                     "--server-id", "{cryptic-value}",
                     "--client-id", "{cryptic-value}",
                     "--tenant-id", data.azurerm_subscription.main.tenant_id,
                     "--login", "devicecode"
                    ]
      command     = "kubelogin"
    }
  }

}

What are --server-id and --client-id in this case? The client ID differs from the one I configured for the cluster. Also I found similar mentions in the az cli output, but their values are null:

    "aadProfile": {
      "adminGroupObjectIDs": [
        "value removed"
      ],
      "adminUsers": null,
      "clientAppId": null,
      "enableAzureRbac": true,
      "managed": true,
      "serverAppId": null,
      "serverAppSecret": null,
      "tenantId": "value removed"
    }

How can I unhardcode those 2 values and where can I find them except kubeconfig file?

Venkat V On

What is server ID and client ID in AKS kubeconfig?

Since your AKS cluster has Azure RBAC enabled, and considering that clientAppId and serverAppId are null in the aadProfile of your AKS cluster configuration, it indicates that Azure manages these details behind the scenes. You generally do not need to specify these IDs manually for operations like accessing the AKS cluster with kubectl.

How can I unhardcode those 2 values

To avoid hardcoding clientAppId and serverAppId, you can store them in Azure key vault secret and use the terraform data block to retrieve them.

To create a key vault and two secrets for clientAppId and serverAppId, follow these steps:

Create a key vault in the Azure portal. Navigate to Secrets, then select the Generate/Import option and add secrets for clientAppId and serverAppId.

Note: To access the secrets from Key Vault, you need to have the appropriate permissions.

Here is the updated terraform code to pass the app id and server id without hardcoding.

data "azurerm_key_vault" "example" {
  name                = "mykeyvault"
  resource_group_name = "<keyvault-RG-Name>"
}

data "azurerm_key_vault_secret" "client-id" {
  name         = "client-id"
  key_vault_id = data.azurerm_key_vault.example.id
}
data "azurerm_key_vault_secret" "server-id" {
  name         = "server-id"
  key_vault_id = data.azurerm_key_vault.example.id
}

provider "helm" {
  kubernetes {
    host                   = module.kubernetes.kubernetes_cluster.kube_config.0.host
    cluster_ca_certificate = base64decode(module.kubernetes.kubernetes_cluster.kube_config.0.cluster_ca_certificate)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      args        = ["get-token",
                     "--environment", "AzurePublicCloud",
                     "--server-id", data.azurerm_key_vault_secret.server-id.value,
                     "--client-id", data.azurerm_key_vault_secret.client-id.value,
                     "--tenant-id", data.azurerm_subscription.main.tenant_id,
                     "--login", "devicecode"
                    ]
      command     = "kubelogin"
    }
  }

}

Alternatively, you can also connect to your AKS cluster without passing client-id and server-id by using the kube_config values in terraform. Follow the Stack link that I answered for more details.

Reference: Create a key vault using the Azure portal
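As an added example (not code from the question or the answer above): the two GUIDs that `az aks get-credentials` puts into the exec block for managed Entra integration are the first-party app IDs that the kubelogin docs list for AKS, so rather than treating them as secrets a reviewer can read them back out of the kubeconfig and check them. The script below parses a constructed kubeconfig in JSON form (valid YAML, so kubectl accepts it and only the standard library is needed), extracts the `kubelogin get-token` flags for one user, and reports anything a Terraform/CI run should not carry; the tenant GUID is a placeholder.

```python
import json

# Well-known, non-secret app IDs that the kubelogin docs list for AKS managed Entra
# integration ("Azure Kubernetes Service AAD Server" / "... AAD Client").
AKS_AAD_SERVER_APP_ID = "6dae42f8-4368-4678-94ff-3960e28e3630"
AKS_AAD_CLIENT_APP_ID = "80faf920-1908-4b52-b5ef-a8e7bedfc67a"

# Constructed sample kubeconfig in JSON (valid YAML, so kubectl accepts it and
# only the standard library is needed here); the tenant GUID is a placeholder.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "users": [{"name": "clusterUser_rg_aks", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubelogin",
        "args": ["get-token", "--environment", "AzurePublicCloud",
                 "--server-id", AKS_AAD_SERVER_APP_ID,
                 "--client-id", AKS_AAD_CLIENT_APP_ID,
                 "--tenant-id", "00000000-0000-0000-0000-000000000000",
                 "--login", "devicecode"]}}}]})


def kubelogin_args(kubeconfig_text: str, user_name: str) -> dict:
    """Return the kubelogin flags of one kubeconfig user as {flag: value}."""
    cfg = json.loads(kubeconfig_text)
    for user in cfg.get("users", []):
        if user.get("name") == user_name:
            args = user["user"]["exec"]["args"]
            break
    else:
        raise KeyError(f"no user named {user_name!r} in kubeconfig")
    flags, i = {}, 1  # args[0] is the subcommand ("get-token")
    while i + 1 < len(args):
        if args[i].startswith("--"):
            flags[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1
    return flags


def audit(flags: dict) -> list:
    """Findings a reviewer would raise about the exec block (empty list = clean)."""
    findings = []
    if flags.get("--server-id") != AKS_AAD_SERVER_APP_ID:
        findings.append("server-id is not the documented AKS AAD Server app ID")
    if flags.get("--client-id") != AKS_AAD_CLIENT_APP_ID:
        findings.append("client-id is not the documented AKS AAD Client app ID")
    if flags.get("--login") == "devicecode":
        findings.append("devicecode login is interactive; use a non-interactive --login mode for CI")
    return findings
```

Run it against a real kubeconfig by reading the file instead of `SAMPLE_KUBECONFIG` (convert YAML to JSON first, or load it with a YAML library); an empty list from `audit` means the exec block carries only the documented public IDs and a non-interactive login mode.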