Azure Arc-enabled K8s, --enable-oidc-issuer not working as expected

Question

Azure Arc-enabled K8s, --enable-oidc-issuer not working as expected

Kotsantis, Theo 25

I am trying to deploy workload identity federation in Azure Arc-enabled Kubernetes cluster, following instruction in https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/workload-identity#set-environment-variables

When executing

az connectedk8s connect --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --enable-oidc-issuer –-enable-workload-identity

I am getting error

Self hosted issuer is required for aks cluster when OIDC issuer is being enabled.

There are no info regarding this resource in the instruction page, and my understanding is this is not required in the first place.

For example the equivalent command for az aks does not require any extra pameter

az aks update --resource-group myResourceGroup --name myAKSCluster --enable-oidc-issuer

Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-03T16:48:31.97+00:00

Hi Kotsantis, Theo

When enabling the OIDC issuer for an Azure Arc-enabled Kubernetes cluster, you are required to set up a self-hosted issuer, which differs from the behavior typically seen with Azure Kubernetes Service (AKS). The error you're encountering indicates that the self-hosted issuer configuration needs to be completed in order to proceed with enabling the OIDC issuer.

Verify that you have set up the necessary configurations for the self-hosted issuer as part of your deployment process.

https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster

let us know if any help, we will always help as you needed.!

If the answer is helpful, please and "Upvote it".
Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-04T16:32:35.94+00:00

Hi Kotsantis, Theo
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Vinod Pittala 1,830 Reputation points Microsoft External Staff Moderator

2025-04-07T05:33:38.8233333+00:00

Hello Kotsantis, Theo

I would like to check if the issue has been resolved or if you need any assistance. Please feel free to let us know, as we are always here to help.

Please do not forget to “upvote it” wherever the information provided above helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks
Kotsantis, Theo 25 Reputation points

2025-04-07T08:59:51.9166667+00:00

Hello,

Thank you for the replies.

Since it is required to set up a self-hosted issuer when you use --enable-oidc-issuer
I would recommend an update in documentation:

First make it clear --self-hosted-issuer is required (in az cli also)
Maybe also provide an example for that case. With current version of documentation I understand that --enable-oidc-issuer will create an issuer. At least this what I understand is implied with the current notes.

https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/workload-identity#retrieve-the-oidc-issuer-url
Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-07T16:17:20.5466667+00:00

Hi Kotsantis, Theo
Thanks for letting us know, we'll inform the appropriate team to address the missing command let. And also, you can submit documentation feedback which goes directly to that team.

Let me know if you need further clarification or assistance!Feel free to reach out if you have any further questions or need additional information—I’m happy to assist!

Please provide your valuable comments

If the comment is helpful, please click "Upvote it".

1 answer

Your answer

Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-03T16:48:31.97+00:00

Hi Kotsantis, Theo

When enabling the OIDC issuer for an Azure Arc-enabled Kubernetes cluster, you are required to set up a self-hosted issuer, which differs from the behavior typically seen with Azure Kubernetes Service (AKS). The error you're encountering indicates that the self-hosted issuer configuration needs to be completed in order to proceed with enabling the OIDC issuer.

Verify that you have set up the necessary configurations for the self-hosted issuer as part of your deployment process.

https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster

let us know if any help, we will always help as you needed.!

If the answer is helpful, please and "Upvote it".
Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-04T16:32:35.94+00:00

Hi Kotsantis, Theo
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Vinod Pittala 1,830 Reputation points Microsoft External Staff Moderator

2025-04-07T05:33:38.8233333+00:00

Hello Kotsantis, Theo

I would like to check if the issue has been resolved or if you need any assistance. Please feel free to let us know, as we are always here to help.

Please do not forget to “upvote it” wherever the information provided above helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks
Kotsantis, Theo 25 Reputation points

2025-04-07T08:59:51.9166667+00:00

Hello,

Thank you for the replies.

Since it is required to set up a self-hosted issuer when you use --enable-oidc-issuer
I would recommend an update in documentation:

First make it clear --self-hosted-issuer is required (in az cli also)
Maybe also provide an example for that case. With current version of documentation I understand that --enable-oidc-issuer will create an issuer. At least this what I understand is implied with the current notes.

https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/workload-identity#retrieve-the-oidc-issuer-url
Pranay Reddy Madireddy 4,415 Reputation points Microsoft External Staff Moderator

2025-04-07T16:17:20.5466667+00:00

Hi Kotsantis, Theo
Thanks for letting us know, we'll inform the appropriate team to address the missing command let. And also, you can submit documentation feedback which goes directly to that team.

Let me know if you need further clarification or assistance!Feel free to reach out if you have any further questions or need additional information—I’m happy to assist!

Please provide your valuable comments

If the comment is helpful, please click "Upvote it".

Answer 1

Hey @Kotsantis, Theo

I am from the Arc team. The error statement indicates that you are trying to connect an AKS cluster to arc. When doing that we require that you provide the AKS cluster's issues url when running the connect command. Here are the steps for Arc enabling an AKS cluster with workload identity.

Create an AKS cluster

az aks create --resource-group <rg_name> --name <cluster_name> --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys

Download the cluster credentials

az aks get-credentials --resource-group <rg_name> --name <cluster_name> --overwrite-existing

Get the AKS cluster's issuer url

$AKS_OIDC_ISSUER = "$(az aks show --name <cluster_name> --resource-group <rg_name> --query "oidcIssuerProfile.issuerUrl" --output tsv)"

Connect it to Arc with workload identity feature enabled

az connectedk8s connect -g <rg_name> -n <cluster_name> --enable-oidc-issuer --self-hosted-issuer "$AKS_OIDC_ISSUER"

Providing the --self-hosted-issuer URL is required when connecting an AKS, EKS, GKE, or other public cloud cluster to ARC.
I will see if we have public documentation for this already and if not, I will ask for that to be created.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Share via

Azure Arc-enabled K8s, --enable-oidc-issuer not working as expected

1 answer

Your answer