Skip to content
Latchkey

az aks get-credentials: kubeconfig for CI

az aks get-credentials writes an AKS cluster context into kubeconfig so kubectl can reach it.

Before kubectl apply in a pipeline you fetch credentials. With AAD-integrated clusters the non-interactive token flow needs a little setup to avoid a browser prompt.

What it does

az aks get-credentials downloads the cluster connection details and merges them into ~/.kube/config (or --file). For AAD-enabled clusters the context uses the kubelogin exec plugin, which must obtain a non-interactive token in CI.

Common usage

Terminal
az aks get-credentials \
  --resource-group rg-app --name aks-ci --overwrite-existing
# convert the context to a non-interactive token flow
kubelogin convert-kubeconfig -l azurecli
kubectl get nodes

Subcommands and flags

FlagWhat it does
--resource-group, -gResource group of the cluster
--name, -nCluster name
--overwrite-existingReplace a stale context of the same name
--file <path>Write to a specific kubeconfig file
--adminFetch local admin creds (disabled on AAD-only clusters)

In CI

After azure/login with OIDC, run kubelogin convert-kubeconfig -l azurecli so kubectl reuses the CLI token instead of opening a browser. --admin bypasses AAD but is blocked when local accounts are disabled, which is the secure default.

Common errors in CI

"To sign in, use a web browser to open the page https://microsoft.com/devicelogin" means kubectl tried interactive AAD auth; run kubelogin convert-kubeconfig -l azurecli first. "exec: kubelogin: executable file not found" means kubelogin is not installed on the runner. "Error from server (Forbidden)" means the identity has no Kubernetes RBAC role on the cluster.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →