
Azure Troubleshooting

Common issues when using Workload Identity, External Secrets, and Azure resources with Kubernetes.

Workload Identity

Federated Credential Creation Fails

Symptom: Authorization error when creating federated identity credentials.

Causes:

  • Subscription Owner does not automatically have permission to create federated credentials
  • You need Managed Identity Contributor on the target Managed Identity

Solution:

az role assignment create \
    --assignee <caller-object-id> \
    --role "Managed Identity Contributor" \
    --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>

Wrong Identity Name

Symptom: Resource not found for a Managed Identity.

Solution: List identities to find the correct name:

az identity list --output table

External Secrets / Key Vault

Key Vault Forbidden (RBAC)

Symptom: Forbidden when reading or writing Key Vault secrets.

Causes:

  • Key Vault uses RBAC; subscription Owner is a control-plane role and does not grant data-plane access
  • Explicit Key Vault data-plane roles are required: Key Vault Secrets User (read), Key Vault Secrets Officer (write)

Solution:

az role assignment create \
    --assignee <principal-id> \
    --role "Key Vault Secrets User" \
    --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>

Note: Key Vault RBAC can take 60–120 seconds to propagate. Refresh tokens and retry.
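The following script is an added example (not part of the original page) that ties the two role assignments above and the propagation note together: it builds the Managed Identity and Key Vault scope strings, confirms from `az role assignment list` output that the expected role is really assigned at that scope (exact-name match, so the User and Officer roles are not confused), and then retries the data-plane read with a bounded delay while RBAC propagates. `SUB`, `RG`, `VAULT_NAME`, `SECRET_NAME` and `PRINCIPAL_ID` are placeholders you fill in; the live section only runs when they are set.

```shell
#!/bin/sh
# Added example, not from the original page. Preflight for the role assignments above,
# then a bounded retry of the data-plane read while Key Vault RBAC propagates.
# Placeholders (assumed, fill in): SUB, RG, VAULT_NAME, SECRET_NAME, PRINCIPAL_ID.

# Build the Key Vault resource ID used as the --scope argument.
kv_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"
}

# Build the user-assigned Managed Identity resource ID used as the --scope argument.
mi_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' "$1" "$2" "$3"
}

# has_role ROLE: read role names from stdin, one per line (the shape produced by
# `az role assignment list ... --query "[].roleDefinitionName" -o tsv`), and return 0
# if ROLE is among them. Exact whole-line match: "Key Vault Secrets User" must not
# be satisfied by "Key Vault Secrets Officer" or vice versa.
has_role() {
  grep -Fxq -- "$1"
}

# retry_until_ok CMD MAX_ATTEMPTS DELAY_SECONDS: run CMD until it exits 0.
# Returns 0 on success, 1 once MAX_ATTEMPTS have been used up.
retry_until_ok() {
  _cmd=$1; _max=$2; _delay=$3; _n=1
  while [ "$_n" -le "$_max" ]; do
    if "$_cmd"; then
      return 0
    fi
    echo "attempt $_n/$_max failed; retrying in ${_delay}s" >&2
    _n=$((_n + 1))
    sleep "$_delay"
  done
  return 1
}

# One data-plane read. Each az call requests its own token, so a retry never
# reuses the token that was issued before the role assignment propagated.
read_secret() {
  az keyvault secret show --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --query value -o tsv >/dev/null 2>&1
}

# Live checks run only when the placeholders have been filled in.
if [ -n "${VAULT_NAME:-}" ] && [ -n "${PRINCIPAL_ID:-}" ]; then
  scope=$(kv_scope "$SUB" "$RG" "$VAULT_NAME")
  if az role assignment list --assignee "$PRINCIPAL_ID" --scope "$scope" \
       --include-inherited --query "[].roleDefinitionName" -o tsv \
     | has_role "Key Vault Secrets User"; then
    echo "role present at $scope; waiting for data-plane propagation" >&2
    # 8 attempts x 15 s covers the 60-120 s propagation window noted above.
    retry_until_ok read_secret 8 15
  else
    echo "Key Vault Secrets User is not assigned to $PRINCIPAL_ID at $scope" >&2
    exit 1
  fi
fi
```

Run it as `SUB=... RG=... VAULT_NAME=... SECRET_NAME=... PRINCIPAL_ID=... sh kv-preflight.sh`. The same `has_role` check works for the Workload Identity case by passing `mi_scope` output as the scope and `"Managed Identity Contributor"` as the role; a missing assignment is reported immediately instead of surfacing later as a Forbidden from the data plane.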

ESO Cannot Read Secrets

Symptom: ExternalSecret status shows error; ESO logs show 403.

Solution:

  1. Grant Key Vault Secrets User to the ESO runtime Managed Identity
  2. Restart ESO pods to refresh tokens:
    kubectl rollout restart deployment external-secrets -n external-secrets-system

SecretStore Not Ready

Check:

kubectl describe secretstore azure-keyvault-secret-store -n <namespace>
kubectl describe clustersecretstore azure-keyvault-cluster-store
kubectl logs -n external-secrets-system deployment/external-secrets
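The script below is an added example (not from the original page or from the External Secrets project) that front-loads the ESO checks above: it lists every ExternalSecret whose Ready condition is not True, printing the reported reason, so a sync failure such as the 403 case stands out before you read the SecretStore descriptions and controller logs. It assumes ESO records sync state in a condition of type `Ready` (reason `SecretSynced` on success) and that the `kubectl get` custom-columns query given in the script yields four whitespace-separated columns per object. Set `ESO_LIVE=1` to run it against a cluster; without it only the parser is defined.

```shell
#!/bin/sh
# Added example, not from the original page or the ESO project. Triage helper that
# reports ExternalSecrets whose Ready condition is not True.
# Assumption: ESO exposes sync state as a condition of type "Ready".

# Custom-columns query for the live run: one line per ExternalSecret, columns
# NS NAME READY REASON, no header row. Missing conditions print as <none>.
ES_COLUMNS='NS:.metadata.namespace,NAME:.metadata.name,READY:.status.conditions[?(@.type=="Ready")].status,REASON:.status.conditions[?(@.type=="Ready")].reason'

# report_unready: read those lines from stdin, print the ones that are not Ready,
# and return 1 if any were found (so it can gate a pipeline step or a retry).
report_unready() {
  _bad=0
  while read -r ns name ready reason; do
    [ -z "$ns" ] && continue
    if [ "$ready" != "True" ]; then
      printf 'NOT READY %s/%s ready=%s reason=%s\n' \
        "$ns" "$name" "${ready:-<none>}" "${reason:-<none>}"
      _bad=1
    fi
  done
  return "$_bad"
}

if [ "${ESO_LIVE:-0}" = "1" ]; then
  kubectl get externalsecret -A -o custom-columns="$ES_COLUMNS" --no-headers \
    | report_unready || {
      # Next steps are the checks from this section: the store objects and ESO logs.
      echo "one or more ExternalSecrets are not synced; inspect the SecretStore/ClusterSecretStore and ESO logs" >&2
      exit 1
    }
  echo "all ExternalSecrets report Ready=True"
fi
```

A reason of `SecretSyncedError` with a 403 in the controller log points at the Key Vault role assignment for the ESO runtime identity; an empty (`<none>`) condition usually means the referenced SecretStore is not ready yet and the object has never been reconciled.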

Database Connection

PostgreSQL Connection Refused

  • Verify firewall rules allow AKS node IPs
  • Check connection string (host, port, SSL mode)
  • Verify database and user exist

Connection Timeout

  • Network policies blocking egress
  • Incorrect VNet/peering for Azure Database for PostgreSQL

Storage

PV Attachment Timeout

  • Verify storage class exists
  • For Azure Disk CSI: check node pool SKU compatibility (Premium vs Standard)
  • For Azure Blob CSI: verify Workload Identity and storage permissions

References