Using AKS kubectl (kubelogin) on headless systems or pipelines

A challenge we had recently was to use kubectl with kubelogin on non-interactive systems such as pipelines, where device-code login is not an option either. The background is that local accounts on Azure Kubernetes Service clusters should be disabled (which is a great thing), so every kubectl call has to authenticate against Azure AD.

Why is this an issue?

Typically, when you use kubelogin (mostly indirectly, through kubectl), you authenticate interactively or via device-code login the first time. After that, kubelogin stores the refresh token (and access token) in a cache file under the .kube directory tree and reuses it silently.

On an automated system like a pipeline, you don't want the process to block on a login prompt, and you want a technical user (realized as a service principal) rather than a personal account to do the work.

How to avoid the prompts?

The solution is fairly easy: kubelogin can be controlled through environment variables and supports other login methods. The one we are looking for is spn (service principal login).

AAD_SERVICE_PRINCIPAL_CLIENT_ID=<SP_ID>
AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<SP_TOKEN>
AAD_LOGIN_METHOD=spn
AZURE_TENANT_ID=<TENANT_ID>
ENV vars for kubelogin

Set these variables (the client secret should come from the pipeline's secret store, never from the repository) and kubelogin authenticates as the service principal without any prompt. Two things to check if it still prompts or fails: the kubeconfig must hand authentication to kubelogin as an exec plugin (run kubelogin convert-kubeconfig -l spn once after az aks get-credentials if it does not), and the service principal needs a role on the cluster, either through Azure RBAC for Kubernetes or through a cluster role binding to its object ID. Easy win.
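As an added example (this is not code from the original post), a small POSIX shell wrapper for a pipeline step: it fails fast if one of the spn variables is missing, converts the kubeconfig to the kubelogin exec plugin when needed, and then runs kubectl with the spn login method. The helper names, the KUBECTL_BIN and KUBELOGIN_BIN overrides (used here to dry-run without the real binaries) and the kubeconfig path logic are assumptions for illustration; in the real pipeline kubectl and kubelogin are expected on PATH.

```shell
# Added example: fail-fast wrapper around kubectl for kubelogin's spn mode.
# Assumes kubectl and kubelogin are on PATH; KUBECTL_BIN / KUBELOGIN_BIN are
# hypothetical overrides for dry runs and tests.
set -eu

# Variables kubelogin needs for the spn login method (plus AAD_LOGIN_METHOD,
# which the wrapper sets itself).
REQUIRED_VARS="AAD_SERVICE_PRINCIPAL_CLIENT_ID AAD_SERVICE_PRINCIPAL_CLIENT_SECRET AZURE_TENANT_ID"

# Return 0 when every required variable is set and non-empty, 1 otherwise.
# Only the names of missing variables are printed, never their values.
check_spn_env() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"   # fixed variable names only, so eval is safe here
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "kubelogin spn: missing environment variable(s):$missing" >&2
    return 1
  fi
  return 0
}

# Return 0 when the kubeconfig at $1 invokes kubelogin as an exec plugin.
# The AAD_* variables only take effect when kubectl actually calls kubelogin.
kubeconfig_uses_kubelogin() {
  grep -Eq '^[[:space:]]*command:[[:space:]]*kubelogin' "$1"
}

# Run kubectl non-interactively as the service principal.
# All arguments are passed through to kubectl.
kubectl_spn() {
  check_spn_env || return 1
  kubeconfig="${KUBECONFIG:-$HOME/.kube/config}"
  if ! kubeconfig_uses_kubelogin "$kubeconfig"; then
    # Rewrites the kubeconfig in place to use the kubelogin exec plugin in spn mode.
    "${KUBELOGIN_BIN:-kubelogin}" convert-kubeconfig -l spn
  fi
  AAD_LOGIN_METHOD=spn "${KUBECTL_BIN:-kubectl}" "$@"
}
```

In a pipeline you would source this file and call kubectl_spn get nodes (or whatever the step needs) after exporting the three variables from the pipeline's secret store; a missing variable stops the step before kubelogin ever opens a device-code prompt.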