Exam AZ-400 topic 4 question 45 discussion

1. az ad sp create-for-rbac - create the service principle 2. az aks create - create the aks with the service principle 3. az role assignment - delegate access to other resources

1- az aks create 2- az ad sp create-for-rbac 3- az role assignment create https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

az ad sp create-for-rbac az aks create az role assignment create

Final answer after going through all the comments 1. az ad sp create-for-rbac - create the service principle 2. az aks create - create the aks with the service principle 3. az role assignment - delegate access to other resources

https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli 1. az ad sp create-for-rbac 2. az aks create 3. az role assignment

az ad sp create-for-rbac az aks create az aks get-credentials

https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli This link evidences that the answer provided by TosO is still valid.

1. az ad sp create-for-rbac 2. az aks create 3. az role assignment create https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal To manually create a service principal with the Azure CLI, use the az ad sp create-for-rbac command. https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#specify-a-service-principal-for-an-aks-cluster To use an existing service principal when you create an AKS cluster using the az aks create command, use the --service-principal and --client-secret parameters to specify the appId and password from the output of the az ad sp create-for-rbac command: https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#delegate-access-to-other-azure-resources To delegate permissions, create a role assignment using the az role assignment create command. Assign the appId to a particular scope, such as a resource group or virtual network resource.

1. az ad sp create-for-rbac 2. az aks create 3. az aks get-credentials --Use the az ad sp create-for-rbac command to create a custom service principal in Azure Active Directory (AD) with the necessary permissions to interact with AKS. This command will generate the required credentials for the service principal. --Use the az aks create command to create the AKS cluster. This command will provision the AKS cluster with the specified configuration, including RBAC settings. You can specify the custom service principal created in the previous step using the --service-principal and --client-secret parameters. --Use the az aks get-credentials command to retrieve the necessary credentials and configuration to connect to the AKS cluster. This command will download and merge the cluster's kubeconfig file with your local kubeconfig, allowing you to interact with the cluster using kubectl.

here are the three recommended commands in the correct order: az ad sp create-for-rbac to create a new service principal with a custom name and assign it the Contributor role on your Azure subscription. az aks create to create an AKS cluster and specify the service principal and RBAC enabled. az aks get-credentials to get the Kubernetes configuration files for the AKS cluster and merge them into your local configuration. Explanation: The az ad sp create-for-rbac command creates a new service principal with a custom name and assigns it the Contributor role on your Azure subscription. This command returns the appId, password, and tenant values that are needed to configure AKS. The az aks create command creates an AKS cluster, specifies the custom service principal, and enables RBAC. This command also returns the Kubernetes configuration files that are needed to connect to the cluster. The az aks get-credentials command gets the Kubernetes configuration files for the AKS cluster and merges them into your local configuration. This command enables you to connect to the AKS cluster using kubectl.

Custom principal -> az ad sp create-for-RBAC. ('az aks create' can create a system managed identity automatically but not a custom principal). Create AKS cluster -> az aks create Connect to the AKS cluster -> az aks get-credentials "Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command." https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-cli#connect-to-the-cluster "az role assignment create" - In my opinion this is not needed as the cluster is "RBAC-Enabled", just not assigned any roles.

To me all of this seems confusing, as everyone kinda leans towards the most common answer. But it's important to note the "az ad sp create-for-rbac" command can directly specify the role assignment and scope, so that'd eliminate the need for "az role assignment" one. Then, given the question is asking to PROVISION and CONNECT to the cluster, to me the sequence should be: 1. az ad sp create-for-rbac - create the service principal & also assign it the role (Contributor) 2. az aks create - create the aks specifying a custom service principal, i.e. the one from above, so the aks will already have the role 3. az aks get-credentials - specify the rg and cluster-name from above, to get the credentials to connect to it after you've created it But we all know how Microsoft can be in these situations, my answer might be correct but also overthought, while MS just wanted us to do a few simple initial steps... I genuinely don't know

Looks like the article has been updated as it clearly states: 1. az ad sp create-for-rbac 2. az aks create 3. az role assignment

3. az aks get-credentials --resource-group <group name> -name <cluster-name> : this is used for connecting from your machine to aks cluster you created in step 2.

https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli 1) az ad sp create-for-rbac 2) az aks create 3) az role assignment create

az aks create az aks sp create-for-rbac az role assignment

As per this documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal You could use: 1) az ad sp create-for-rbac 2) az aks create (specifying the service principal in this command) Or 1) az aks create 2) az ad sp create-for-rbac 3) az role assignment As the solution requires 3 steps, I'll go with the second option