AzureDevOps Pipeline Create Secret Fail

I have 3 stages in my pipeline for deploying to AKS.

  1. Create Secret
  2. Kubectl apply
  3. Deploy to AKS

but I got this error in Kubectl apply:

    2022-12-14T08:01:54.5561492Z [command]/usr/local/bin/kubectl delete secret qa-aks-acr-secret --namespace qa
    2022-12-14T08:01:54.5578604Z [command]/usr/local/bin/kubectl create secret docker-registry qa-aks-acr-secret --docker-username *** --docker-password *** --docker-server *** --docker-email ServicePrincipal@AzureRM --namespace qa
    2022-12-14T08:01:54.6674447Z error: failed to create secret secrets is forbidden: User "system:serviceaccount:dev:" cannot create resource "secrets" in API group "" in the namespace "qa"
    2022-12-14T08:01:54.6716716Z ##[error]error: failed to create secret secrets is forbidden: User "system:serviceaccount:dev:" cannot create resource "secrets" in API group "" in the namespace "qa"

There are 1 best solutions below

On BEST ANSWER

From the error, it seems RBAC has been added in your namespace and system:serviceaccount:dev does not have permission on the resource secrets in the QA namespace. To resolve the issue, you need to allow the secrets API group in the existing role attached to serviceaccount:dev. Here are the sample verbs that you need to allow.

  - verbs:
      - patch
      - update
      - create
      - deletecollection
      - delete
      - watch
      - get
      - list
    apiGroups:
      - ''
    resources:
      - secrets
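
The cross-namespace grant the answer describes, written out as a full manifest. This is an added example, not part of the original answer: the Role and RoleBinding names are hypothetical, the service account name is a placeholder because the log shows it empty, and narrowing the verbs to the two kubectl commands in the log is an assumption.

```yaml
# Added example: names marked "hypothetical" are not from the original page.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipeline-registry-secret   # hypothetical name
  namespace: qa                    # the Role lives where the secret is written
rules:
  # kubectl create secret docker-registry qa-aks-acr-secret --namespace qa
  # "create" cannot be limited by resourceNames: the object name is not
  # known to the authorizer when the create request is checked.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # kubectl delete secret qa-aks-acr-secret --namespace qa
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["qa-aks-acr-secret"]
    verbs: ["delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-registry-secret   # hypothetical name
  namespace: qa                    # binding is in qa, subject is in dev
subjects:
  - kind: ServiceAccount
    name: REPLACE_WITH_SERVICE_ACCOUNT_NAME  # placeholder, not from the page
    namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline-registry-secret
```

After applying, `kubectl auth can-i create secrets --namespace qa --as system:serviceaccount:dev:REPLACE_WITH_SERVICE_ACCOUNT_NAME` should answer yes. Verbs such as get, list and watch let the account read every secret in qa, so add them from the answer's list only if a pipeline step is denied without them.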