Troubleshooting
Fix: Azure Cosmos DB Account Name Already Taken
Fix Azure Cosmos DB global name conflicts in Terraform. Handle unique naming, DNS resolution, and account restoration after soft deletion.
2 min read
Troubleshooting
Fix: Azure AKS Cluster - ServicePrincipalNotFound
Fix Azure AKS service principal errors in Terraform. Covers expired credentials, managed identity migration, RBAC configuration, and SP recreation.
LLuca Berton1 min read
Quick Answer
#The service principal specified for AKS doesn't exist, has expired credentials, or has been deleted from Azure AD. Use a managed identity (recommended) instead of a service principal, or recreate the SP with valid credentials.
The Error
#Error: creating AKS Cluster "prod-aks":
ServicePrincipalNotFound: Service principal 'xxx-xxx-xxx' not found
in Active Directory tenant 'yyy-yyy-yyy'.Error: updating AKS Cluster:
ServicePrincipalExpiredCredential: The service principal client secret
has expired.What Causes This Error
#- Service principal deleted from Azure AD while AKS still references it
- SP credentials expired — client secrets have a configurable expiry (1-2 years default)
- Wrong SP client ID — typo or wrong environment's SP
- Azure AD propagation delay — SP just created, hasn't propagated yet (wait 30-60 seconds)
How to Fix It
#Solution 1: Use Managed Identity (Recommended)
#resource "azurerm_kubernetes_cluster" "main" {
name = "${var.project}-${var.environment}-aks"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
dns_prefix = "${var.project}-${var.environment}"
default_node_pool {
name = "system"
node_count = 2
vm_size = "Standard_D2s_v5"
}
# Use managed identity instead of service principal
identity {
type = "SystemAssigned"
}
}Solution 2: Create a New Service Principal
## Create new SP
az ad sp create-for-rbac --name "aks-${PROJECT}-${ENV}" \
--role Contributor \
--scopes "/subscriptions/${SUB_ID}/resourceGroups/${RG_NAME}" \
--years 3
# Use in Terraformresource "azurerm_kubernetes_cluster" "main" {
# ...
service_principal {
client_id = var.aks_sp_client_id
client_secret = var.aks_sp_client_secret
}
}Solution 3: Reset Expired Credentials
## Reset credentials for existing SP
az ad sp credential reset --id $AKS_SP_CLIENT_ID --years 2
# Update Terraform variables with new secretSolution 4: Migrate from SP to Managed Identity
## Update existing cluster to use managed identity
az aks update -g my-rg -n my-aks --enable-managed-identity
# Then update Terraform config to matchTroubleshooting Checklist
#- ✅ Does the service principal exist? (
az ad sp show --id $CLIENT_ID) - ✅ Are credentials expired? (
az ad sp credential list --id $CLIENT_ID) - ✅ Can you switch to managed identity?
- ✅ Is the SP client ID correct for this environment?
Prevention Tips
#- Use managed identity over service principal — no credential rotation needed
- Set credential expiry alerts if you must use SPs
- Automate credential rotation before expiry
- Use separate SPs per environment — don't share across dev/prod
Related Articles
#Conclusion
#AKS ServicePrincipalNotFound errors mean the SP is deleted or expired. The best fix is to migrate to managed identity — it eliminates credential management entirely. If you must use SPs, automate credential rotation and monitor expiry dates.
#Terraform#Azure#Troubleshooting#Error Fix
Related articles
Troubleshooting
Fix: Azure Container Registry SKU Upgrade Required
Fix Azure Container Registry SKU errors in Terraform. Covers feature availability per tier, geo-replication, private endpoints, and in-place upgrades.
2 min read
Troubleshooting
Fix Terraform Error - Azure Virtual Network Subnet In Use
Fix Azure subnet in use errors when modifying VNets in Terraform. Covers resource dependencies, NSG dissociation, delegation conflicts, and force deletion.
2 min read
Troubleshooting
Fix Terraform Error - Azure Resource Group Not Found
Resolve Azure resource group not found errors in Terraform. Fix subscription context, naming issues, and dependency ordering for Azure deployments.
2 min read