{"id":34154213,"url":"https://github.com/weinong/kubectl-aad-login","last_synced_at":"2026-03-09T21:04:21.610Z","repository":{"id":57519381,"uuid":"240143145","full_name":"weinong/kubectl-aad-login","owner":"weinong","description":"a kubectl plugin to support Azure Kubernetes Service AAD feature","archived":false,"fork":false,"pushed_at":"2020-02-22T02:27:28.000Z","size":53,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-17T22:02:47.472Z","etag":null,"topics":["aad","aks","aks-kubernetes-cluster","azure-kubernetes-service","kubectl"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/weinong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-13T00:20:32.000Z","updated_at":"2023-03-22T03:05:53.000Z","dependencies_parsed_at":"2022-08-29T23:41:13.861Z","dependency_job_id":null,"html_url":"https://github.com/weinong/kubectl-aad-login","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/weinong/kubectl-aad-login","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weinong%2Fkubectl-aad-login","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weinong%2Fkubectl-aad-login/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weinong%2Fkubectl-aad-login/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weinong%2Fkubectl-aad-login/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/weinong","download_url":"https://codeload.github.com/weinong/kubectl-aad-login/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/weinong%2Fkubectl-aad-login/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30312141,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T20:05:46.299Z","status":"ssl_error","status_checked_at":"2026-03-09T19:57:04.425Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aad","aks","aks-kubernetes-cluster","azure-kubernetes-service","kubectl"],"created_at":"2025-12-15T06:03:21.651Z","updated_at":"2026-03-09T21:04:21.605Z","avatar_url":"https://github.com/weinong.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Build on Push](https://github.com/weinong/kubectl-aad-login/workflows/Build%20on%20Push/badge.svg?branch=master)\n\n# kubectl-aad-login\nIt is a [kubectl plugin](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) supporting various OAuth login flows on Azure AD which are not currently supported in `kubectl`. \nIt populates the kubeconfig file with acquired AAD token. It will refresh access token when the access token has expired.\nCurrently, it supports:\n* device code flow with fix to https://github.com/kubernetes/kubernetes/issues/86410 such that `audience` claim does not have `spn:` prefix (supports AKS AADv1 and v2, this change is required for AKS AADv2 unless you are on kubectl versions TBD...)\n* non-interactive login using service principal credential (supports AKS AADv2 only)\n* non-interactive login using user principal credential (supports AKS AADv1 and v2)\n\nThe environment being tested is AKS AAD and AKS AADv2 (public preview in March 2020)\n\n## Install\nGo to https://github.com/weinong/kubectl-aad-login/releases to download pre-built plugins.\n\nCopy out the binary to directory under search path\n\n## Build\n```sh\nGO111MODULE=\"on\" go build cmd/kubectl-aad-login.go\nmv kubectl-aad-login /path/to/go/bin\n```\n\n## How to use\n\n### Device code flow\nIt's similar to current kubectl implementation except that the resulting AAD token will have proper `audience` claim with \"spn:\" prefix\nIt addresses https://github.com/kubernetes/kubernetes/issues/86410\n\n```sh\nkubectl aad login\n```\n\n### Service Principal login\nnon-interactive login using service principal credential\n\n\u003e Note: it will only work on AKS AAD v2\n\n```sh\nexport AAD_SERVICE_PRINCIPAL_CLIENT_ID=\u003cService-Principal-Client-ID\u003e\nexport AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=\u003cService-Principal-Client-Secret\u003e\n\nkubectl aad login --service-principal\n```\n\n### User Principal login\nnon-interactive login using user principal credential. It uses [Resource Owner Password Credential flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) \n\n\u003e Note: ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity providers, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.\n\u003e It also does not work when MFA policy is enabled\n\u003e Personal accounts that are invited to an Azure AD tenant can't use ROPC.\n\n```sh\nexport AAD_USER_PRINCIPAL_USERNAME=foo@bar.com\nexport AAD_USER_PRINCIPAL_PASSWORD=\u003cpassword\u003e\n\nkubectl aad login --user-principal\n```\n\n### force refresh\n\nAppend `--force` to disregard refresh token and always initiates login flow\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fweinong%2Fkubectl-aad-login","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fweinong%2Fkubectl-aad-login","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fweinong%2Fkubectl-aad-login/lists"}