Troubleshoot "Forbidden" error when trying to access AKS cluster resources

  • Článek

This article explains how to troubleshoot and resolve "Error from server (Forbidden)" errors that are related to Role-Based Access Control (RBAC) when you try to view Kubernetes resources in an Azure Kubernetes Service (AKS) cluster.

Prerequisites

The Kubernetes cluster command-line tool (kubectl)

Note

If you use Azure Cloud Shell to run shell commands, kubectl is already installed. If you use a local shell and already have Azure CLI installed, you can alternatively install kubectl by running the az aks install-cli command.

Symptoms

When you run kubectl commands to view details of a Kubernetes resource type, such as a deployment, pod, or worker node, you receive the following error message:

$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a1-111111aaaaa" cannot list resource "nodes" in API group "" at the cluster scope

Cause

This error indicates that you're trying to access Kubernetes resources by using a Microsoft Entra ID account that doesn’t have the required role-based access control (RBAC) permissions.

Solution

Depending on the RBAC type that's configured for the cluster (Kubernetes RBAC or Azure RBAC), different solutions might apply. Run the following command to determine which RBAC type the cluster is using:

	az aks show -g <CLUSTER_RESOURCE_GROUP> -n <CLUSTER_NAME> --query aadProfile.enableAzureRbac

Solving permissions issues in Kubernetes RBAC-based AKS clusters

If the cluster uses Kubernetes RBAC, permissions for the user account are configured through the creation of RoleBinding or ClusterRoleBinding Kubernetes resources. For more information, see Kubernetes RBAC documentation.

Additionally, in Microsoft Entra ID integrated clusters, a ClusterRoleBinding resource is automatically created to grant the administrator access to the cluster to members of a pre-designated Microsoft Entra ID group.

To resolve the "Error from server (Forbidden)" error for a specific user, use one of the following methods.

Method 1: Create a custom RoleBinding or ClusterRoleBinding resource

You can create a custom RoleBinding or ClusterRoleBinding resource to grant the necessary permissions to the user (or a group of which the user is a member). For detailed steps, see Use Kubernetes role-based access control with Microsoft Entra ID in Azure Kubernetes Service.

Method 2: Add the user to the pre-designated Microsoft Entra ID admin group

  1. Retrieve the ID of the pre-designated Microsoft Entra ID admin group. To do this, run the following command:
	az aks show -g <CLUSTER_RESOURCE_GROUP> -n <CLUSTER_NAME> --query aadProfile.adminGroupObjectIDs
  1. Add the user to the pre-designated Microsoft Entra ID admin group by using the group ID that you retrieved in the previous step. For more detailed steps, see Add members or owners of a group.

Solving permissions issues in Azure RBAC-based AKS clusters

If the cluster uses Azure RBAC, permissions for users are configured through the creation of Azure role assignments.

AKS provides a set of built-in roles that can be used to create role assignments for the Microsoft Entra ID users or groups to give them access to Kubernetes objects in a specific namespace or at cluster scope. For detailed steps to assign built-in roles to users or groups in Azure RBAC-based clusters, see AKS built-in roles.

Alternatively, you can create your own custom Azure role definitions to provide a more granular management of permissions over specific types of Kubernetes objects and operations. For detailed guidance to create and assign custom roles to users and groups in Azure RBAC-based clusters, see Create custom roles definitions.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.