Azure · VeryEarly · Jun 6, 2022 · May 31, 2022
diff --git a/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs b/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs
@@ -72,5 +72,12 @@ public void TestApiServiceAccess()
         {
             TestRunner.RunTestScript("Test-ApiServiceAccess");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedIdentity()
+        {
+            TestRunner.RunTestScript("Test-ManagedIdentity");
+        }
     }
 }
diff --git a/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1 b/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1
@@ -305,4 +305,45 @@ function Test-ApiServiceAccess
     {
         Remove-AzResourceGroup -Name $resourceGroupName -Force
     }
+}
+
+
+
+function Test-ManagedIdentity
+{
+    # Setup
+    $resourceGroupName = Get-RandomResourceGroupName
+    $userAssignedkubeClusterName = Get-RandomClusterName
+    $systemAssignedkubeClusterName = Get-RandomClusterName
+    $setUserAssignedkubeClusterName = Get-RandomClusterName
+    $location = 'eastus'
+    $nodeVmSize = "Standard_D2_v2"
+
+    try
+    {
+        New-AzResourceGroup -Name $resourceGroupName -Location $location
+
+        $credObject = $(createTestCredential "a6148f60-19b8-49b8-a5a5-54945aec926e" "xde7Q~bVRBoBzggfXn3Zw1uCqzRuLduEFPJXw")
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'UserAssigned' $cluster.identity.Type
+
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject  
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
+        Assert-Null $cluster.identity
+        Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'UserAssigned' $cluster.identity.Type
+
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'SystemAssigned' $cluster.identity.Type
+    }
+    finally
+    {
+        Remove-AzResourceGroup -Name $resourceGroupName -Force
+    }
 }
diff --git a/...t/SessionRecords/Commands.Aks.Test.ScenarioTests.KubernetesTests/TestManagedIdentity.json b/...t/SessionRecords/Commands.Aks.Test.ScenarioTests.KubernetesTests/TestManagedIdentity.json
diff --git a/src/Aks/Aks/ChangeLog.md b/src/Aks/Aks/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added ManagedIdentity support for Aks[#15656].
 * Added property `PowerState` for the output of `Get-AzAksCluster`[#18271]
 * Updated the logic of `Set-AzAksCluster` for parameter `NodeImageOnly`.
 * Added parameter `NodeImageOnly` for `Update-AzAksNodePool`.

diff --git a/src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs b/src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs
@@ -40,6 +40,7 @@
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications;
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
+using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;
 
 namespace Microsoft.Azure.Commands.Aks
 {
@@ -158,6 +159,12 @@ public abstract class CreateOrUpdateKubeBase : KubeCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "The FQDN subdomain of the private cluster with custom private dns zone.")]
         public string FqdnSubdomain { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Using a managed identity to manage cluster resource group.")]
+        public SwitchParameter EnableManagedIdentity { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "ResourceId of user assign managed identity for cluster.")]
+        public string AssignIdentity { get; set; }
+
         protected void BeforeBuildNewCluster()
         {
             if (!string.IsNullOrEmpty(ResourceGroupName) && string.IsNullOrEmpty(Location))
@@ -566,5 +573,45 @@ protected ManagedClusterAPIServerAccessProfile CreateOrUpdateApiServerAccessProf
 
             return apiServerAccessProfile;
         }
+
+        protected ManagedCluster SetIdentity(ManagedCluster cluster)
+        {
+            if (this.IsParameterBound(c => c.EnableManagedIdentity))
+            {
+                if (!EnableManagedIdentity)
+                {
+                    cluster.Identity = null;
+                }
+                else
+                {
+                    if (cluster.Identity == null)
+                    {
+                        cluster.Identity = new ManagedClusterIdentity();
+                    }
+                }
+            }
+            if (this.IsParameterBound(c => c.AssignIdentity))
+            {
+                if (cluster.Identity == null)
+                {
+                    throw new AzPSArgumentException(Resources.NeedEnableManagedIdentity, nameof(AssignIdentity));
+                }
+                cluster.Identity.Type = ResourceIdentityType.UserAssigned;
+                cluster.Identity.UserAssignedIdentities = new Dictionary<string, ManagedClusterIdentityUserAssignedIdentitiesValue>
+                {
+                    { AssignIdentity, new ManagedClusterIdentityUserAssignedIdentitiesValue() }
+                };
+
+            }
+            else
+            {
+                if (cluster.Identity != null && cluster.Identity.Type == null)
+                {
+                    cluster.Identity.Type = ResourceIdentityType.SystemAssigned;
+                }
+            }
+
+            return cluster;
+        }
     }
 }
diff --git a/src/Aks/Aks/Commands/NewAzureRmAks.cs b/src/Aks/Aks/Commands/NewAzureRmAks.cs
@@ -355,6 +355,8 @@ private ManagedCluster BuildNewCluster()
                 networkProfile: networkProfile,
                 apiServerAccessProfile: apiServerAccessProfile);
 
+            SetIdentity(managedCluster);
+
             if (EnableRbac.IsPresent)
             {
                 managedCluster.EnableRBAC = EnableRbac;

diff --git a/src/Aks/Aks/Commands/SetAzureRmAks.cs b/src/Aks/Aks/Commands/SetAzureRmAks.cs
@@ -34,6 +34,8 @@
 using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
+using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;
+
 namespace Microsoft.Azure.Commands.Aks
 {
     [Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AksCluster", DefaultParameterSetName = DefaultParamSet, SupportsShouldProcess = true)]
@@ -378,13 +380,15 @@ public override void ExecuteCmdlet()
                     {
                         cluster.FqdnSubdomain = FqdnSubdomain;
                     }
+                    SetIdentity(cluster);
 
                     var kubeCluster = Client.ManagedClusters.CreateOrUpdate(ResourceGroupName, Name, cluster);
 
                     WriteObject(PSMapper.Instance.Map<PSKubernetesCluster>(kubeCluster));
                 });
             }
         }
+
         private void RemoveAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
         {
             string acrResourceId = null;

diff --git a/src/Aks/Aks/Models/PSManagedClusterIdentity.cs b/src/Aks/Aks/Models/PSManagedClusterIdentity.cs
@@ -53,7 +53,7 @@ public IDictionary<string, PSManagedClusterIdentityUserAssignedIdentitiesValue>
         /// master components and an auto-created user assigned identity in MC_
         /// resource group in agent nodes. Type 'None' will not use MSI for the
         /// managed cluster, service principal will be used instead. Possible
-        /// values include: 'SystemAssigned', 'None'
+        /// values include: 'SystemAssigned', 'None', 'UserAssigned'
         /// </summary>
         public PSResourceIdentityType? Type { get; set; }
     }

diff --git a/src/Aks/Aks/Models/PSResourceIdentityType.cs b/src/Aks/Aks/Models/PSResourceIdentityType.cs
@@ -21,6 +21,9 @@ public enum PSResourceIdentityType
         [EnumMember(Value = "SystemAssigned")]
         SystemAssigned,
 
+        [EnumMember(Value = "UserAssigned")]
+        UserAssigned,
+
         [EnumMember(Value = "None")]
         None
     }

diff --git a/src/Aks/Aks/Properties/Resources.Designer.cs b/src/Aks/Aks/Properties/Resources.Designer.cs
diff --git a/src/Aks/Aks/Properties/Resources.resx b/src/Aks/Aks/Properties/Resources.resx
@@ -453,4 +453,7 @@
   <data name="ExecutingCommandOnCluster" xml:space="preserve">
     <value>Executing command on cluster {0}.</value>
   </data>
+  <data name="NeedEnableManagedIdentity" xml:space="preserve">
+    <value>Please set '-EnableManagedIdentity' first if you want to set 'AssignIdentity'.</value>
+  </data>
 </root>
diff --git a/src/Aks/Aks/help/Get-AzAksUpgradeProfile.md b/src/Aks/Aks/help/Get-AzAksUpgradeProfile.md
@@ -1,5 +1,5 @@
 ---
-external help file:
+external help file: Az.Aks-help.xml
 Module Name: Az.Aks
 online version: https://docs.microsoft.com/powershell/module/az.aks/get-azaksupgradeprofile
 schema: 2.0.0
@@ -15,12 +15,16 @@ Gets the details of the upgrade profile for a managed cluster with a specified r
 ### Get (Default)
 ```
 Get-AzAksUpgradeProfile -ClusterName <String> -ResourceGroupName <String> [-SubscriptionId <String[]>]
- [-DefaultProfile <PSObject>] [<CommonParameters>]
+ [-DefaultProfile <PSObject>] [-Break] [-HttpPipelineAppend <SendAsyncStep[]>]
+ [-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>] [-ProxyCredential <PSCredential>]
+ [-ProxyUseDefaultCredentials] [<CommonParameters>]
 ```
 
 ### GetViaIdentity
 ```
-Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [<CommonParameters>]
+Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [-Break]
+ [-HttpPipelineAppend <SendAsyncStep[]>] [-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>]
+ [-ProxyCredential <PSCredential>] [-ProxyUseDefaultCredentials] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -43,6 +47,21 @@ Get Aks upgrade profile with resource group name and cluster name.
 
 ## PARAMETERS
 
+### -Break
+Wait for .NET debugger to attach
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ClusterName
 The name of the managed cluster resource.
 
@@ -73,6 +92,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -HttpPipelineAppend
+SendAsync Pipeline Steps to be appended to the front of the pipeline
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HttpPipelinePrepend
+SendAsync Pipeline Steps to be prepended to the front of the pipeline
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -InputObject
 Identity Parameter
 To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
@@ -89,6 +138,51 @@ Accept pipeline input: True (ByValue)
 Accept wildcard characters: False
 ```
 
+### -Proxy
+The URI for the proxy server to use
+
+```yaml
+Type: System.Uri
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProxyCredential
+Credentials for a proxy server to use for the remote call
+
+```yaml
+Type: System.Management.Automation.PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProxyUseDefaultCredentials
+Use the default credentials for the proxy
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 The name of the resource group.
 
@@ -153,4 +247,3 @@ INPUTOBJECT <IAksIdentity>: Identity Parameter
   - `[SubscriptionId <String>]`: Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
 
 ## RELATED LINKS
-