Description
CLI version 2.0.65
Issue is not specific to a version
Describe the bug
It seems that a problem happens when using the --subscription parameter to find the AKS cluster in another subscription (also, this parameter doesn't appear in the docs but shows up in az aks install-connector -h).
The issue is: my cluster is in the subscription ABC and my current az context is set to subscription XYZ.
If I run the command:
az aks install-connector --resource-group my-aks-rg --name my-aks --connector-name my-connector --subscription ABC --os-type Both
The deployment runs just fine, everything gets created on the cluster, but the pod configuration shows:
- name: AZURE_SUBSCRIPTION_ID
  value: XYZ
Because of this, when creating a deploy in this virtual-node I get the error:
api call to https://management.azure.com/subscriptions/XYZ/resourceGroups/MC_my-cluster-rg/providers/Microsoft.ContainerInstance/containerGroups/default-data-trust-telefone-8b56bdff5-xkmnq?api-version=2018-10-01: got HTTP response status code 403 error code "AuthorizationFailed": The client '***' with object id '***' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/write' over scope '/subscriptions/XYZ/resourceGroups/MC_my-cluster-rg/providers/Microsoft.ContainerInstance/containerGroups/default-data-trust-telefone-8b56bdff5-xkmnq'.
Expected behavior
When providing the --subscription flag, the value of the environment variable AZURE_SUBSCRIPTION_ID should be the same, and should not use the subscription from the az context.
Environment summary
Installed on Windows 10. Used in PowerShell.
Additional context
Subscription is passed to helm by the CLI. Then helm adds that subscription value to the pod Environment value.
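
A check for the mismatch reported above, as an added example that is not part of the original issue or of the Azure CLI: it compares each pod's AZURE_SUBSCRIPTION_ID with the subscription segment of the cluster's ARM resource ID. The pod JSON (shaped like `kubectl get pods -o json` output), the pod, container and extra variable names, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like `kubectl get pods -o json`, trimmed to the
# fields the check reads. Pod/container names and EXAMPLE_OTHER_VAR are made up.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "my-connector-linux"},
   "spec": {"containers": [{"name": "connector", "env": [
       {"name": "AZURE_SUBSCRIPTION_ID", "value": "XYZ"},
       {"name": "EXAMPLE_OTHER_VAR", "value": "unused"}]}]}},
  {"metadata": {"name": "unrelated"},
   "spec": {"containers": [{"name": "app"}]}}
]}
""")

# Constructed cluster resource ID, using the placeholder names from the report.
CLUSTER_ID = ("/subscriptions/ABC/resourcegroups/my-aks-rg/providers/"
              "Microsoft.ContainerService/managedClusters/my-aks")


def subscription_of(resource_id):
    """Return the subscription segment of an ARM resource ID or scope."""
    m = re.match(r"^/subscriptions/([^/]+)(/|$)", resource_id, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return m.group(1)


def find_subscription_mismatches(pods, cluster_resource_id):
    """List (pod, container, value) where AZURE_SUBSCRIPTION_ID differs from
    the cluster's subscription. value is None when the variable is populated
    through valueFrom and cannot be compared from the pod spec alone."""
    expected = subscription_of(cluster_resource_id).lower()
    findings = []
    for pod in pods.get("items", []):
        for container in pod["spec"].get("containers", []):
            for env in container.get("env") or []:
                if env.get("name") != "AZURE_SUBSCRIPTION_ID":
                    continue
                value = env.get("value")
                if value is None or value.lower() != expected:
                    findings.append(
                        (pod["metadata"]["name"], container["name"], value))
    return findings


if __name__ == "__main__":
    for finding in find_subscription_mismatches(SAMPLE_PODS, CLUSTER_ID):
        print("mismatch:", finding)
```

`subscription_of` also works on the scope string in the 403 message, which shows which subscription the failing call was addressed to.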