I have an AKS cluster that is deployed using Terraform.
After the AKS deployment finishes, I run a post-deployment step in an Azure DevOps Release Pipeline to install NGINX Ingress using the Terraform Helm provider.

The pipeline uses a Microsoft-hosted Windows agent, and authentication to Azure is done through a Federated Service Connection (Workload Identity / OIDC).

However, the Terraform plan fails with this error:

Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials

  with helm_release.nginx,
  on main.tf line 3, in resource "helm_release" "nginx":
   3: resource "helm_release" "nginx" {

Full provider output before the error:

Providers required by configuration:
├── provider hashicorp/time
├── provider hashicorp/azurerm
├── provider hashicorp/azuread
├── provider hashicorp/helm
└── module.frontdoor_origin

Providers required by state:
    provider hashicorp/azurerm
    provider hashicorp/helm
    provider hashicorp/time

The AKS data source loads correctly:

data.azurerm_kubernetes_cluster.aks: Read complete

But the Helm provider cannot connect to the cluster.


What I have tried

  • Generated kubeconfig in the pipeline using the kubelogin exec plugin.

  • FQDN is correct (fqdn from az aks show works).

  • But authentication fails unless I manually add:

--interactive false

because the hosted Windows agent uses an older kubelogin version.

My kubeconfig exec block looks like this:

exec:
  apiVersion: client.authentication.k8s.io/v1
  command: kubelogin
  args:
    - get-token
    - --server-id
    - 6dae42f8-4368-4678-94ff-3960e28e3630
    - --login
    - azurecli
    - --interactive
    - "false"

Even with this, Terraform still fails with:

Kubernetes cluster unreachable

My question

How do I correctly authenticate Terraform + Helm provider to AKS in an Azure DevOps Release Pipeline using a Microsoft-hosted agent and kubelogin?

  • Do I need a different kubeconfig format?

  • Do I need to use azurepipelines login mode instead of azurecli?

  • Is the Helm provider incompatible with kubelogin + OIDC on Windows agents?

  • Is there a recommended way to authenticate AKS inside a Terraform Helm release step?


Additional context

  • AKS uses managed AAD (no legacy SP).

  • az login uses a Federated Workload Identity.

  • kubelogin on Windows agents seems outdated (requires --interactive false).

I am trying to understand the correct authentication pattern for running Helm releases via Terraform in Azure DevOps using OIDC + kubelogin.

Any guidance is appreciated.
