Back to SSO guides

Azure AKS kubelogin

Use Azure AKS kubelogin with K8Studio

This guide shows how K8Studio connects to AKS when authentication is handled by Microsoft Entra ID, Azure CLI, and kubelogin. The same kubeconfig should work in kubectl and K8Studio.

Important behavior

K8Studio should run the kubeconfig exec command exactly like kubectl. For AKS that means calling kubelogin, which uses the Azure CLI login cache to request a short-lived Kubernetes token.

Download setup script
1

Confirm the AKS identity model

AKS SSO is normally backed by Microsoft Entra ID. The kubeconfig uses an exec credential plugin, kubelogin, to request a short-lived token for the signed-in Azure user.

2

Install Azure CLI and kubelogin

K8Studio follows the same kubeconfig exec flow as kubectl, so both az and kubelogin need to be available on the workstation.

# macOS
brew install azure-cli
brew install Azure/kubelogin/kubelogin

az version
kubelogin --version
3

Login to Azure

Run the Azure login and choose the account that should access AKS. If your organization uses Microsoft Entra SSO, the browser flow happens here.

az login
az account show --output table
4

Select the right subscription

Make sure the active subscription is the one that contains your AKS cluster or your free-credit lab account.

az account list --output table
az account set --subscription <subscription-id>
5

Create a resource group

For a disposable lab, keep every AKS resource in a dedicated resource group. Destroying the group later removes the cluster, node resource group, load balancer, IPs, and disks.

az group create \
  --name k8studio-auth-aks-rg \
  --location eastus \
  --tags Owner=K8Studio Project=auth-lab AutoDelete=true
6

Create an Entra-backed AKS cluster

Create a small AKS cluster with Microsoft Entra ID and Azure RBAC enabled. The AKS management tier can be free, but the node VM still costs money while it runs.

az aks create \
  --resource-group k8studio-auth-aks-rg \
  --name k8studio-auth-aks \
  --node-count 1 \
  --node-vm-size Standard_D2s_v7 \
  --enable-aad \
  --enable-azure-rbac \
  --tier free \
  --generate-ssh-keys \
  --tags Owner=K8Studio Project=auth-lab AutoDelete=true
7

Grant your user AKS RBAC access

With Azure RBAC enabled, the signed-in user needs an Azure role assignment scoped to the AKS cluster. Use a narrower role for production; cluster admin is convenient for a temporary lab.

AKS_ID=$(az aks show \
  --resource-group k8studio-auth-aks-rg \
  --name k8studio-auth-aks \
  --query id \
  --output tsv)

USER_ID=$(az ad signed-in-user show --query id --output tsv)

az role assignment create \
  --assignee-object-id "$USER_ID" \
  --assignee-principal-type User \
  --role "Azure Kubernetes Service RBAC Cluster Admin" \
  --scope "$AKS_ID"
8

Generate the AKS kubeconfig

Fetch the user kubeconfig. For Entra-backed AKS clusters, Azure CLI writes an exec-auth kubeconfig that can be converted for kubelogin.

az aks get-credentials \
  --resource-group k8studio-auth-aks-rg \
  --name k8studio-auth-aks \
  --file ~/.kube/k8studio-auth-aks.yaml \
  --overwrite-existing
9

Convert the kubeconfig for kubelogin

Convert the kubeconfig to use Azure CLI-backed kubelogin. This means kubelogin reads the Azure CLI login cache and returns the Kubernetes token.

kubelogin convert-kubeconfig \
  -l azurecli \
  --kubeconfig ~/.kube/k8studio-auth-aks.yaml
10

Check the exec plugin entry

Confirm the kubeconfig user runs kubelogin. This is the exact auth path K8Studio should execute.

KUBECONFIG=~/.kube/k8studio-auth-aks.yaml kubectl config view --minify --raw

# Expected user entry:
# users:
# - name: clusterUser_<resource-group>_<cluster>
#   user:
#     exec:
#       command: kubelogin
#       args:
#         - get-token
#         - --login
#         - azurecli
11

Verify with kubectl

Before opening K8Studio, verify that kubectl can authenticate and authorize using the same kubeconfig.

KUBECONFIG=~/.kube/k8studio-auth-aks.yaml kubectl get nodes
KUBECONFIG=~/.kube/k8studio-auth-aks.yaml kubectl auth can-i get pods --all-namespaces
12

Add the kubeconfig to K8Studio

Open K8Studio, add the kubeconfig file or refresh the cluster list, select the AKS context, and connect. K8Studio should run kubelogin through the kubeconfig exec plugin.

13

Test logged-out and expired-token states

Clear the Azure CLI session and reconnect. K8Studio should show a clear authentication state when kubelogin cannot get a valid Azure token.

az logout

# Login again when you want to reconnect:
az login
14

Destroy the lab to stop charges

AKS worker nodes, disks, load balancers, and public IPs consume Azure credits. Delete the resource group when testing is finished.

az group delete \
  --name k8studio-auth-aks-rg \
  --yes

Screenshots to add

Azure browser login

Screenshot placeholder

AKS cluster overview in Azure Portal

Screenshot placeholder

Azure role assignment for AKS RBAC

Screenshot placeholder

Kubeconfig exec user using kubelogin

Screenshot placeholder

Successful AKS cluster view in K8Studio

Screenshot placeholder

K8Studio error state when kubelogin or Azure login is missing

Screenshot placeholder