I have an AKS cluster that is deployed using Terraform.
After the AKS deployment finishes, I run a post-deployment step in an Azure DevOps Release Pipeline to install NGINX Ingress using the Terraform Helm provider.

The pipeline uses a Microsoft-hosted Windows agent, and authentication to Azure is done through a Federated Service Connection (Workload Identity / OIDC).

However, the Terraform plan fails with this error:

Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials

  with helm_release.nginx,
  on main.tf line 3, in resource "helm_release" "nginx":
   3: resource "helm_release" "nginx" {

Full provider output before the error:

Providers required by configuration:
├── provider hashicorp/time
├── provider hashicorp/azurerm
├── provider hashicorp/azuread
├── provider hashicorp/helm
└── module.frontdoor_origin

Providers required by state:
    provider hashicorp/azurerm
    provider hashicorp/helm
    provider hashicorp/time

The AKS data source loads correctly:

data.azurerm_kubernetes_cluster.aks: Read complete

But the Helm provider cannot connect to the cluster.


What I have tried

  • Generated kubeconfig in the pipeline using the kubelogin exec plugin.

  • FQDN is correct (fqdn from az aks show works).

  • But authentication fails unless I manually add:

--interactive false

because the hosted Windows agent uses an older kubelogin version.

My kubeconfig exec block looks like this:

exec:
  apiVersion: client.authentication.k8s.io/v1
  command: kubelogin
  args:
    - get-token
    - --server-id
    - 6dae42f8-4368-4678-94ff-3960e28e3630
    - --login
    - azurecli
    - --interactive
    - "false"

Even with this, Terraform still fails with:

Kubernetes cluster unreachable

My question

How do I correctly authenticate Terraform + Helm provider to AKS in an Azure DevOps Release Pipeline using a Microsoft-hosted agent and kubelogin?

  • Do I need a different kubeconfig format?

  • Do I need to use azurepipelines login mode instead of azurecli?

  • Is the Helm provider incompatible with kubelogin + OIDC on Windows agents?

  • Is there a recommended way to authenticate AKS inside a Terraform Helm release step?


Additional context

  • AKS uses managed AAD (no legacy SP).

  • az login uses a Federated Workload Identity.

  • kubelogin on Windows agents seems outdated (requires --interactive false).

I am trying to understand the correct authentication pattern for running Helm releases via Terraform in Azure DevOps using OIDC + kubelogin.

Any guidance is appreciated.

shibani negi is a new contributor to this site.
