az aks get-credentials: kubeconfig for CI
az aks get-credentials writes an AKS cluster context into kubeconfig so kubectl can reach it.
Before kubectl apply in a pipeline you fetch credentials. With AAD-integrated clusters the non-interactive token flow needs a little setup to avoid a browser prompt.
What it does
az aks get-credentials downloads the cluster connection details and merges them into ~/.kube/config (or --file). For AAD-enabled clusters the context uses the kubelogin exec plugin, which must obtain a non-interactive token in CI.
Common usage
az aks get-credentials \
--resource-group rg-app --name aks-ci --overwrite-existing
# convert the context to a non-interactive token flow
kubelogin convert-kubeconfig -l azurecli
kubectl get nodesSubcommands and flags
| Flag | What it does |
|---|---|
| --resource-group, -g | Resource group of the cluster |
| --name, -n | Cluster name |
| --overwrite-existing | Replace a stale context of the same name |
| --file <path> | Write to a specific kubeconfig file |
| --admin | Fetch local admin creds (disabled on AAD-only clusters) |
In CI
After azure/login with OIDC, run kubelogin convert-kubeconfig -l azurecli so kubectl reuses the CLI token instead of opening a browser. --admin bypasses AAD but is blocked when local accounts are disabled, which is the secure default.
Common errors in CI
"To sign in, use a web browser to open the page https://microsoft.com/devicelogin" means kubectl tried interactive AAD auth; run kubelogin convert-kubeconfig -l azurecli first. "exec: kubelogin: executable file not found" means kubelogin is not installed on the runner. "Error from server (Forbidden)" means the identity has no Kubernetes RBAC role on the cluster.