AKS Automatic - Error when using service-principal

Question

AKS Automatic - Error when using service-principal

Zach Howell 20

I can create an AKS Automatic service successfully with a command like:

az aks create --name tmpaks --location my-location --resource-group my-resource-group --sku automatic --generate-ssh-keys

However when I try to use a service-principal by adding --service-principal my-principal --client-secret my-secret , I get the following error:
ERROR: --enable-azuremonitormetrics can only be specified for clusters with managed identity enabled
Despite me not setting the --enable-azuremonitormetrics explicitly.

So I have several questions:

(Ultimate goal) How can I create an AKS Automatic cluster with a service-principal of my choosing?
I don't understand Azure & AKS permissioning very well.. does it make sense to use a service principal with AKS?
Can anyone explain why this error message makes any sense? Is this enable-azuremonitormetrics setting enabled by AKS Automatic? Does AKS Automatic use managed identity or no? This might help me find a workaround or answer question #2.

Nikhil Duserla 8,515 Reputation points Microsoft External Staff Moderator

2025-08-06T22:11:43.0966667+00:00

Hello @Zach Howell,

The error indicates that the --enable-azuremonitormetrics option is only supported for AKS clusters configured with a managed identity. This option is not compatible when using a service principal.

To resolve this, you have two options:

Enable managed identity for your AKS cluster (either during creation or by updating an existing cluster), or

Remove the --enable-azuremonitormetrics option from your command.

To use the --enable-azuremonitormetrics flag, the AKS cluster must be configured with a managed identity.

Use a managed identity in Azure Kubernetes Service (AKS)- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

Enable a system-assigned managed identity on a new AKS cluster- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#enable-a-system-assigned-managed-identity-on-a-new-aks-cluster

Update an existing AKS cluster to use a system-assigned managed identity- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#update-an-existing-aks-cluster-to-use-a-system-assigned-managed-identity

If you have any further queries, do let us know.
Zach Howell 20 Reputation points

2025-08-06T22:32:14.6733333+00:00

The confusing thing is that I did not add the --enable-azuremonitormetrics flag - unless AKS Automatic did it for me. So sorry your response is not helpful. Does AKS Automatic use managed identity or not?

Accepted answer

0 additional answers

Your answer

Nikhil Duserla 8,515 Reputation points Microsoft External Staff Moderator

2025-08-06T22:11:43.0966667+00:00

Hello @Zach Howell,

The error indicates that the --enable-azuremonitormetrics option is only supported for AKS clusters configured with a managed identity. This option is not compatible when using a service principal.

To resolve this, you have two options:

Enable managed identity for your AKS cluster (either during creation or by updating an existing cluster), or

Remove the --enable-azuremonitormetrics option from your command.

To use the --enable-azuremonitormetrics flag, the AKS cluster must be configured with a managed identity.

Use a managed identity in Azure Kubernetes Service (AKS)- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

Enable a system-assigned managed identity on a new AKS cluster- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#enable-a-system-assigned-managed-identity-on-a-new-aks-cluster

Update an existing AKS cluster to use a system-assigned managed identity- https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#update-an-existing-aks-cluster-to-use-a-system-assigned-managed-identity

If you have any further queries, do let us know.
Zach Howell 20 Reputation points

2025-08-06T22:32:14.6733333+00:00

The confusing thing is that I did not add the --enable-azuremonitormetrics flag - unless AKS Automatic did it for me. So sorry your response is not helpful. Does AKS Automatic use managed identity or not?

Answer 1

Hi @Zach Howell ,

Thank you for posting your question.

The automatic AKS SKU will automatically configure monitoring as mentioned here. Therefore, service principal is not allowed.

Regarding using service principals, I would advise using managed identities instead, they need less maintenance, and do not require renewals (automatic). They are basically wrappers around service principals, and have wider application compatibility. So, unless you have a reason to use service principals, use MI instead :).

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Thank you.

Share via

AKS Automatic - Error when using service-principal

0 additional answers

Your answer