FAQ / Troubleshooting

First steps

If something isn't quite right, these kubectl commands may be of help in diagnosing and reporting errors.

To get a summary of the status of your Azure AD client:

kubectl get azureapp <app> -owide 

For additional details:

kubectl describe azureapp <app>

Unassigned Pre-Authorized Apps

Example

You might see the following status message when running kubectl describe azureapp <app>:

Status:
  ...
  Pre Authorized Apps:
    ...
    Unassigned:
      Access Policy Rule:
        Application:      <other-application>
        Cluster:          <cluster>
        Namespace:        <namespace>
      Reason:             WARNING: Application '<cluster>:<namespace>:<other-application>' was not found in the Azure AD tenant (<tenant>) and will _NOT_ be pre-authorized.
    Unassigned Count:     1

Solution / Answer
  • Ensure that the application you're attempting to pre-authorize exists in Azure AD:
    • Run kubectl get azureapp <other-application> and check that the Synchronized field is not empty.
  • If you added the application to your access policy before it existed in Azure AD, try to resynchronize your own application:
    • kubectl annotate azureapp <my-application> azure.nais.io/resync=true
  • If all else fails, ask an adult in the #nais channel on Slack.

"Application Alice is not assigned to a role for the application Bob"

Example

An application may receive the following 400 Bad Request response error when requesting a token from Azure AD:

{
  "error": "invalid_grant",
  "error_description": "AADSTS501051: Application '<client ID>'(<cluster>:<namespace>:<alice>) is not assigned to a role for the application 'api://<cluster>.<namespace>.<bob>'(<cluster>:<namespace>:<bob>)",
  ...
}

Solution / Answer
  • Ensure that Bob's access policy includes Alice.
  • Run kubectl get azureapp bob to check the current count of assigned and unassigned applications for Bob.
  • Run kubectl get azureapp bob -o json | jq '.status.preAuthorizedApps' to check the detailed statuses for all of Bob's desired pre-authorized applications.
  • If Bob added Alice to its access policy before Alice existed in Azure AD, try to resynchronize Bob:
    • kubectl annotate azureapp bob azure.nais.io/resync=true
  • If all else fails, ask an adult in the #nais channel on Slack.
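
The checks above can be scripted. The following is an added example, not part of the original documentation or the NAIS code base: it parses the AADSTS501051 error and looks the caller up in the output of kubectl get azureapp bob -o json. The JSON field names under status.preAuthorizedApps (assigned, unassigned, accessPolicyRule) are assumptions derived from the kubectl describe labels shown earlier, and all sample values are constructed.

```python
import re

# Matches the AADSTS501051 description shown above and captures both
# "<cluster>:<namespace>:<app>" identifiers (caller first, target second).
AADSTS501051 = re.compile(
    r"AADSTS501051: Application '[^']*'\((?P<caller>[^()]+)\) is not assigned "
    r"to a role for the application '[^']*'\((?P<target>[^()]+)\)"
)

# Constructed sample token error response (not real tenant data).
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": (
        "AADSTS501051: Application '00000000-0000-0000-0000-000000000000'"
        "(dev-cluster:team-a:alice) is not assigned to a role for the "
        "application 'api://dev-cluster.team-a.bob'(dev-cluster:team-a:bob)"
    ),
}
# Constructed sample of `kubectl get azureapp bob -o json` (field names assumed).
SAMPLE_BOB = {"status": {"preAuthorizedApps": {
    "assigned": [],
    "unassigned": [{"accessPolicyRule": {
        "application": "alice", "cluster": "dev-cluster", "namespace": "team-a"}}],
}}}


def parse_role_error(token_response):
    """Return (caller, target) from an AADSTS501051 response, else None."""
    if token_response.get("error") != "invalid_grant":
        return None
    m = AADSTS501051.search(token_response.get("error_description", ""))
    return (m.group("caller"), m.group("target")) if m else None


def rule_id(rule):
    return "{cluster}:{namespace}:{application}".format(**rule)


def diagnose(token_response, target_azureapp):
    """Correlate the token error with the target's preAuthorizedApps status."""
    parsed = parse_role_error(token_response)
    if parsed is None:
        return "not an AADSTS501051 error"
    caller, target = parsed
    pre = target_azureapp.get("status", {}).get("preAuthorizedApps", {})
    for state in ("unassigned", "assigned"):
        for entry in pre.get(state) or []:
            if rule_id(entry["accessPolicyRule"]) == caller:
                return f"{caller} is {state} in {target}'s pre-authorized apps"
    return f"{caller} is missing from {target}'s access policy"
```

An "unassigned" result corresponds to the resynchronize step above; a "missing" result means the access policy itself needs the caller added.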