remove user msi from aks-agent

mainred · mainred · commit 29693baed32b · 2026-01-29T03:15:38.000Z
diff --git a/src/aks-agent/HISTORY.rst b/src/aks-agent/HISTORY.rst
@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+1.0.0b17
+++++++++
+Fix: remove the prompt to user about managed identity client id during `az aks agent-init``
+
 1.0.0b16
 ++++++++
 * Fix: client mode use AzureCLICredential to authenticate with Azure
diff --git a/src/aks-agent/azext_aks_agent/agent/k8s/aks_agent_manager.py b/src/aks-agent/azext_aks_agent/agent/k8s/aks_agent_manager.py
@@ -131,8 +131,6 @@ def __init__(self, resource_group_name: str, cluster_name: str,
         self.chart_version = "0.2.0"
 
         # credentials for aks-mcp
-        # Managed identity client ID for accessing Azure resources
-        self.managed_identity_client_id: str = ""
         # Default empty customized cluster role name means using default cluster role
         self.customized_cluster_role_name: str = ""
         # When aks mcp service account is set, helm charts wont create rbac for aks mcp
@@ -202,16 +200,8 @@ def _load_existing_helm_release_config(self):
                     # Read API keys from Kubernetes secret and populate model_list
                     self._populate_api_keys_from_secret()
 
-                # Load managed identity client ID if present
                 mcp_addons = helm_values.get("mcpAddons", {})
                 aks_config = mcp_addons.get("aks", {})
-                azure_config = aks_config.get("azure", {})
-                self.managed_identity_client_id = azure_config.get("clientId")
-
-                if self.managed_identity_client_id:
-                    logger.debug("Managed identity client ID loaded: %s", self.managed_identity_client_id)
-                else:
-                    logger.debug("No managed identity client ID found in Helm values")
 
                 service_account_config = aks_config.get("serviceAccount", {})
                 self.customized_cluster_role_name = service_account_config.get("customClusterRoleName", "")
@@ -936,13 +926,6 @@ def _create_helm_values(self):
             "create": False,
         }
 
-        helm_values["mcpAddons"]["aks"]["workloadIdentity"] = {
-            "enabled": bool(self.managed_identity_client_id)
-        }
-        helm_values["mcpAddons"]["aks"]["azure"] = {
-            "clientId": self.managed_identity_client_id
-        }
-
         return helm_values
 
     def save_llm_config(self, provider: LLMProvider, params: dict) -> None:
diff --git a/src/aks-agent/azext_aks_agent/custom.py b/src/aks-agent/azext_aks_agent/custom.py
@@ -163,7 +163,7 @@ def _setup_llm_configuration(console, aks_agent_manager: AKSAgentManagerLLMConfi
 
 
 def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
-    """Setup and deploy helm chart with service account and managed identity configuration."""
+    """Setup and deploy helm chart with service account configuration."""
     console.print("\n🚀 Phase 2: Helm Deployment", style=f"bold {HELP_COLOR}")
 
     # Check current helm deployment status
@@ -179,22 +179,6 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
             f"\n👤 Current service account in namespace '{aks_agent_manager.namespace}': {service_account_name}",
             style="cyan")
 
-        # Prompt for managed identity client ID update
-        existing_client_id = aks_agent_manager.managed_identity_client_id
-        if existing_client_id:
-            console.print(
-                f"\n🔑 Current workload identity (managed identity) client ID: {existing_client_id}", style="cyan")
-            change_client_id = console.input(
-                f"[{HELP_COLOR}]Do you want to change the workload identity client ID? (y/N): [/]").strip().lower()
-
-            if change_client_id in ['y', 'yes']:
-                managed_identity_client_id = _prompt_managed_identity_configuration(console)
-                aks_agent_manager.managed_identity_client_id = managed_identity_client_id
-        else:
-            console.print("\n🔑 No workload identity (managed identity) currently configured.", style="cyan")
-            managed_identity_client_id = _prompt_managed_identity_configuration(console)
-            if managed_identity_client_id:
-                aks_agent_manager.managed_identity_client_id = managed_identity_client_id
     elif helm_status == "not_found":
         console.print(
             f"Helm chart not deployed (status: {helm_status}). Setting up deployment...",
@@ -203,11 +187,15 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
         # Prompt for service account configuration
         console.print("\n👤 Service Account Configuration", style=f"bold {HELP_COLOR}")
         console.print(
-            f"The AKS agent requires a service account with appropriate permissions in the '{aks_agent_manager.namespace}' namespace.",
+            f"The AKS agent requires a service account with appropriate Azure and Kubernetes permissions in the '{aks_agent_manager.namespace}' namespace.",
             style=INFO_COLOR)
         console.print(
             "Please ensure you have created the necessary Role and RoleBinding in your namespace for this service account.",
             style=WARNING_COLOR)
+        console.print(
+            "If the AKS agent requires access to Azure resources, the service account should be annotated with "
+            "'azure.workload.identity/client-id: <managed-identity-client-id>'.",
+            style=INFO_COLOR)
 
         # Prompt user for service account name (required)
         while True:
@@ -220,10 +208,6 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
             console.print(
                 "Service account name cannot be empty. Please enter a valid service account name.", style=WARNING_COLOR)
 
-        # Prompt for managed identity client ID
-        managed_identity_client_id = _prompt_managed_identity_configuration(console)
-        if managed_identity_client_id:
-            aks_agent_manager.managed_identity_client_id = managed_identity_client_id
     else:
         # Handle non-standard helm status (failed, pending-install, pending-upgrade, etc.)
         cmd_flags = aks_agent_manager.command_flags()
@@ -269,37 +253,6 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
                 f"You can check the status later using 'az aks agent --status {cmd_flags}'", style="cyan")
 
 
-def _prompt_managed_identity_configuration(console):
-    """Prompt user for managed identity client ID configuration."""
-    console.print("\n🔑 Managed Identity Configuration", style=f"bold {HELP_COLOR}")
-
-    console.print(
-        "To access Azure resources using workload identity, you need to provide the managed identity client ID.",
-        style=INFO_COLOR)
-
-    configure = console.input(
-        f"[{HELP_COLOR}]Do you want to configure managed identity client ID? (Y/n): [/]").strip().lower()
-
-    if configure in ['n', 'no']:
-        console.print(
-            "⚠️  Skipping managed identity configuration. Workload identity will not be configured.",
-            style=WARNING_COLOR
-        )
-        return ""
-
-    while True:
-        client_id = console.input(
-            f"[{HELP_COLOR}]Please enter your managed identity client ID: [/]").strip()
-
-        if client_id:
-            console.print(f"✅ Using managed identity client ID: {client_id}", style=SUCCESS_COLOR)
-            return client_id
-        console.print(
-            "❌ Client ID cannot be empty. Please provide a valid client ID or answer 'N' to skip.",
-            style=ERROR_COLOR
-        )
-
-
 def _setup_and_create_llm_config(console, aks_agent_manager: AKSAgentManagerLLMConfigBase):
     """Setup and create LLM configuration with user input.
 
