
Grant AKS managed identity Network Contributor on subnet route table and NAT gateway#320

Merged

johnstairs merged 3 commits into main from johnstairs/route-table-rbac-fix on May 19, 2026

Conversation

@johnstairs (Member) commented May 18, 2026

When private networking is enabled with a pre-existing subnet that has a user-defined route table attached (e.g., for routing default egress through a peered hub VNet), installation/upgrade could later fail with a LinkedAuthorizationFailed error from the AKS cloud-controller-manager:

Error syncing load balancer: failed to ensure load balancer:
PUT .../virtualNetworks/<vnet>/subnets/snet-aks
RESPONSE 403: 403 Forbidden
ERROR CODE: LinkedAuthorizationFailed

The client '<...>' with object id '<...>' has permission to perform action
'Microsoft.Network/virtualNetworks/subnets/write' on scope '.../subnets/snet-aks';
however, it does not have permission to perform action(s)
'Microsoft.Network/routeTables/join/action' on the linked scope(s)
'.../routeTables/udr-default-vnet-peered-001'

Azure Resource Manager performs a linked authorization check whenever a write occurs on a subnet: the calling principal must hold join/action on every resource the subnet references (NSG, route table, NAT gateway, etc.). The installer was already granting the AKS cluster's user-assigned managed identity Network Contributor on the VNet, the subnet's NSG, and the outbound public IP, but not on the route table or NAT gateway.
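The linked authorization requirement described above, worked through as an added Go example (not code from this PR or the repository): given a subnet resource as returned by the API, collect every scope on which the cluster identity needs Network Contributor (the VNet plus each resource the subnet links to), diff that against the role assignments already in place, and, for the operator side, pull the offending scopes out of a LinkedAuthorizationFailed message. The subscription, resource group, resource names and principal ID are constructed; the real installer would read the subnet and create the assignments through the Azure SDK rather than this in-memory model; and the message parser assumes ARM lists multiple linked scopes comma-separated inside the quotes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Only the subnet fields that reference other network resources are modelled;
// ARM requires join/action on each of them whenever the subnet is written.
type resourceRef struct {
	ID string `json:"id"`
}

type subnet struct {
	ID         string `json:"id"`
	Properties struct {
		NetworkSecurityGroup *resourceRef `json:"networkSecurityGroup"`
		RouteTable           *resourceRef `json:"routeTable"`
		NatGateway           *resourceRef `json:"natGateway"`
	} `json:"properties"`
}

// roleAssignment is the subset of a role assignment that matters here.
type roleAssignment struct {
	PrincipalID, Role, Scope string
}

const networkContributor = "Network Contributor"

// Constructed sample data: a spoke subnet with NSG, UDR and NAT gateway attached.
const rgPrefix = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/"
const principalID = "11111111-1111-1111-1111-111111111111" // cluster identity (constructed)
const sampleSubnet = `{"id": "` + rgPrefix + `virtualNetworks/vnet-spoke/subnets/snet-aks",
 "properties": {
  "networkSecurityGroup": {"id": "` + rgPrefix + `networkSecurityGroups/nsg-aks"},
  "routeTable": {"id": "` + rgPrefix + `routeTables/udr-default-vnet-peered-001"},
  "natGateway": {"id": "` + rgPrefix + `natGateways/ngw-egress"}}}`

// What the installer granted before the fix: VNet and NSG only. The VNet scope
// is deliberately lower-cased to exercise the case-insensitive comparison.
var existingGrants = []roleAssignment{
	{principalID, networkContributor, strings.ToLower(rgPrefix + "virtualNetworks/vnet-spoke")},
	{principalID, networkContributor, rgPrefix + "networkSecurityGroups/nsg-aks"},
}

// vnetIDOf strips "/subnets/<name>" from a subnet resource ID.
func vnetIDOf(subnetID string) string {
	i := strings.LastIndex(strings.ToLower(subnetID), "/subnets/")
	if i < 0 {
		return ""
	}
	return subnetID[:i]
}

// requiredScopes returns every scope the identity must hold Network Contributor
// on before it can write the subnet. Absent links (no route table, no NAT
// gateway) are simply skipped, so the result is correct for plain subnets too.
func requiredScopes(raw []byte) ([]string, error) {
	var s subnet
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var scopes []string
	if v := vnetIDOf(s.ID); v != "" {
		scopes = append(scopes, v)
	}
	for _, ref := range []*resourceRef{s.Properties.NetworkSecurityGroup, s.Properties.RouteTable, s.Properties.NatGateway} {
		if ref != nil && ref.ID != "" {
			scopes = append(scopes, ref.ID)
		}
	}
	return scopes, nil
}

// missingGrants lists the required scopes on which principal has no Network
// Contributor assignment. ARM resource IDs are case-insensitive, hence EqualFold.
func missingGrants(principal string, required []string, existing []roleAssignment) []string {
	var missing []string
	for _, scope := range required {
		held := false
		for _, a := range existing {
			if strings.EqualFold(a.PrincipalID, principal) && a.Role == networkContributor && strings.EqualFold(a.Scope, scope) {
				held = true
				break
			}
		}
		if !held {
			missing = append(missing, scope)
		}
	}
	return missing
}

// linkedScopesFromError extracts the scope list from a LinkedAuthorizationFailed
// message (assumed comma-separated inside the quotes), so a CCM log line can be
// turned directly into the list of resources that still need a grant.
var linkedScopeRe = regexp.MustCompile(`on the linked scope\(s\) '([^']+)'`)

func linkedScopesFromError(msg string) []string {
	m := linkedScopeRe.FindStringSubmatch(msg)
	if m == nil {
		return nil
	}
	var out []string
	for _, s := range strings.Split(m[1], ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	scopes, err := requiredScopes([]byte(sampleSubnet))
	if err != nil {
		panic(err)
	}
	for _, s := range missingGrants(principalID, scopes, existingGrants) {
		fmt.Printf("grant %q on %s\n", networkContributor, s)
	}
}
```

Run against the constructed subnet, the output is the two scopes this PR adds: the route table and the NAT gateway. Deletion is the same walk in reverse: the scopes returned by requiredScopes are exactly the ones whose assignments for the cluster principal must be removed when the cluster goes away.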

@johnstairs johnstairs marked this pull request as ready for review May 18, 2026 18:29

Copilot AI left a comment

Pull request overview

Updates the AKS private-networking install/upgrade flow to avoid LinkedAuthorizationFailed errors when the target existing subnet references additional network resources (route table and/or NAT gateway), by extending RBAC grants/cleanup for the cluster managed identity.

Changes:

  • Capture existing subnet’s linked route table and NAT gateway resource IDs during cluster creation.
  • Grant the AKS cluster user-assigned managed identity Network Contributor on the subnet’s route table and NAT gateway (when present).
  • Remove RBAC role assignments for the cluster principal on the subnet’s route table and NAT gateway during cluster deletion.

Review comment threads on cli/internal/install/cloudinstall/compute.go (one marked outdated)
@johnstairs johnstairs merged commit 2441185 into main May 19, 2026
21 checks passed
@johnstairs johnstairs deleted the johnstairs/route-table-rbac-fix branch May 19, 2026 16:36