This article discusses how to identify and resolve the "CustomPrivateDNSZoneMissingPermissionError" error code that occurs when you try to create or update a Microsoft Azure Kubernetes Service (AKS) cluster.
Prerequisites
- Azure CLI, version 2.53.0 or a later version. To find your installed version, run `az --version`.
Symptoms
An AKS cluster create or update operation fails and returns the following error message:
Code: CustomPrivateDNSZoneMissingPermissionError
Message: Service principal or user-assigned identity must be given permission to read and write to custom private dns zone <custom-private-dns-zone-resource-id>. Check access result not allowed for action Microsoft.Network/privateDnsZones/read.
Cause
Before AKS runs a cluster create or update operation for a private cluster that uses a custom private DNS zone, it checks whether the cluster's managed identity or service principal has the required permissions to control the private DNS zone. If AKS doesn't find the necessary permissions, it blocks the operation so that the cluster doesn't enter a failed state.
Solution
To create the missing role assignment, follow these steps:
1. Get the resource ID of the cluster's custom private DNS zone by running the az aks show command, and store it in the CUSTOM_PRIVATE_DNS_ZONE_ID variable:

   ```azurecli
   CUSTOM_PRIVATE_DNS_ZONE_ID=$(az aks show \
       --resource-group <aks-resource-group> \
       --name <aks-cluster-name> \
       --query apiServerAccessProfile.privateDnsZone \
       --output tsv)
   ```

   Note

   Because the resource ID of the custom private DNS zone is also shown in the original error message, you can alternatively assign that resource ID to the variable instead of running the az aks show command.

2. Assign the Private DNS Zone Contributor role to the cluster's managed identity or service principal, scoped to the zone, by running the az role assignment create command. The assignee is the object (principal) ID of the cluster's control plane identity (its system-assigned or user-assigned managed identity) or of its service principal; the kubelet identity is a different principal and isn't the one AKS checks:

   ```azurecli
   az role assignment create --role "Private DNS Zone Contributor" \
       --scope $CUSTOM_PRIVATE_DNS_ZONE_ID \
       --assignee <control-plane-principal-id>
   ```

Note

It can take up to 60 minutes to finish granting permissions to your cluster's managed identity or service principal. If the cluster create or update operation fails with the same error immediately after the role assignment, wait for the permissions to propagate and then retry the operation.
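The two steps above, carried through as one script, as an added example that is not part of the Microsoft article. It extracts the zone resource ID from the error text (or falls back to az aks show), checks that the scope really is a private DNS zone, resolves the object ID of the control plane principal for each of the three cluster identity types, and creates the role assignment only if the principal doesn't already hold the role. It assumes an authenticated Azure CLI session with permission to create role assignments on the zone; the resource names and the sample error message in the test are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the Microsoft article): grant the cluster's control
# plane identity "Private DNS Zone Contributor" on the custom private DNS zone
# and verify it. Assumes an authenticated Azure CLI (az login) with rights to
# create role assignments on the zone; resource names are placeholders.
set -euo pipefail

# Pull the zone resource ID out of the error text AKS returned, so the
# az aks show step can be skipped. Resource IDs contain no spaces, and the
# message ends the ID with a period, which is stripped.
zone_id_from_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*custom private dns zone \(\/[^ ]*[^ .]\).*/\1/p' | head -n 1
}

# Sanity check before granting anything: the scope must be a private DNS zone,
# not the cluster, the node resource group or a public DNS zone.
is_private_dns_zone_id() {
    printf '%s' "$1" | grep -qiE \
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/privateDnsZones/[^/]+$'
}

# AKS checks the control plane principal, so pick the object ID that matches
# how the cluster was created: system-assigned identity, user-assigned
# identity, or service principal (the kubelet identity is a different principal).
control_plane_principal_id() {
    local rg="$1" name="$2" identity_type client_id
    identity_type=$(az aks show -g "$rg" -n "$name" --query identity.type -o tsv)
    case "$identity_type" in
        SystemAssigned)
            az aks show -g "$rg" -n "$name" --query identity.principalId -o tsv ;;
        UserAssigned)
            az aks show -g "$rg" -n "$name" \
                --query 'identity.userAssignedIdentities.*.principalId | [0]' -o tsv ;;
        *)
            # Service principal clusters only expose the app (client) ID; map it
            # to the object ID the role assignment needs.
            client_id=$(az aks show -g "$rg" -n "$name" \
                --query servicePrincipalProfile.clientId -o tsv)
            az ad sp show --id "$client_id" --query id -o tsv ;;
    esac
}

# Create the assignment only if the principal does not already hold the role on
# (or above) the zone. Passing the object ID and principal type avoids a Graph
# lookup, which can fail for a freshly created identity.
ensure_zone_contributor() {
    local zone_id="$1" principal_id="$2" existing
    existing=$(az role assignment list --scope "$zone_id" --assignee "$principal_id" \
        --role "Private DNS Zone Contributor" --include-inherited --query '[0].id' -o tsv)
    if [ -n "$existing" ]; then
        echo "already assigned: $existing"
        return 0
    fi
    az role assignment create --role "Private DNS Zone Contributor" \
        --scope "$zone_id" \
        --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --query id -o tsv
}

main() {
    local rg="$1" name="$2" zone_id principal_id
    # Prefer the ID from the error message if one was passed in; otherwise ask AKS.
    zone_id=$(zone_id_from_error "${3:-}")
    if [ -z "$zone_id" ]; then
        zone_id=$(az aks show -g "$rg" -n "$name" \
            --query apiServerAccessProfile.privateDnsZone -o tsv)
    fi
    is_private_dns_zone_id "$zone_id" || { echo "not a private DNS zone ID: $zone_id" >&2; return 1; }
    principal_id=$(control_plane_principal_id "$rg" "$name")
    ensure_zone_contributor "$zone_id" "$principal_id"
    echo "granted on $zone_id to $principal_id; propagation can take a while, then retry the AKS operation"
}

# Usage: ./fix-dns-zone-permission.sh <aks-resource-group> <aks-cluster-name> ["<error message>"]
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Passing the object ID with `--assignee-object-id` and `--assignee-principal-type ServicePrincipal` (the principal type of both managed identities and service principals) is deliberate: a freshly created managed identity may not yet be visible to the Graph lookup that `--assignee` performs, and the explicit form skips it. The `--include-inherited` check avoids creating a duplicate assignment when the role was already granted at the resource group or subscription scope.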
Contact us for help
If you have questions, you can ask Azure community support. You can also submit product feedback to Azure feedback community.