For a registered controller, juju debug-hook will fail for CAAS model.
Because the user doesn't have the permission to get the model credential to exec into the pod/container.
$ juju debug-hook --debug -m ckkf:fae8dc2b-c6f2-47ac-8890-b58d4de98a80 istio-ingressgateway/0 config-changed
15:24:41 INFO juju.cmd supercommand.go:56 running juju [2.9-rc3 0 3ddbc4de92c48453f5923013a836deef7edbd729 gc go1.14.11]
15:24:41 DEBUG juju.cmd supercommand.go:57 args: []string{"juju", "debug-hook", "--debug", "-m", "ckkf:fae8dc2b-c6f2-47ac-8890-b58d4de98a80", "istio-ingressgateway/0", "config-changed"}
15:24:41 INFO juju.juju api.go:76 connecting to API addresses: [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:42 DEBUG juju.api apiclient.go:1107 successfully dialed "wss://52.207.222.155:17070/model/fae8dc2b-c6f2-47ac-8890-b58d4de98a80/api"
15:24:42 INFO juju.api apiclient.go:639 connection established to "wss://52.207.222.155:17070/model/fae8dc2b-c6f2-47ac-8890-b58d4de98a80/api"
15:24:42 INFO juju.juju api.go:314 API endpoints changed from [52.207.222.155:17070 252.35.123.1:17070 172.31.35.123:17070] to [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:43 INFO juju.juju api.go:76 connecting to API addresses: [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:44 DEBUG juju.api apiclient.go:1107 successfully dialed "wss://52.207.222.155:17070/api"
15:24:44 INFO juju.api apiclient.go:639 connection established to "wss://52.207.222.155:17070/api"
15:24:44 INFO juju.juju api.go:314 API endpoints changed from [252.35.123.1:17070 52.207.222.155:17070 172.31.35.123:17070] to [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:45 DEBUG juju.api monitor.go:35 RPC connection died
ERROR getting credential: cloud credential "ckkf/kelvin/ckkf" not found
15:24:45 DEBUG cmd supercommand.go:537 error stack:
cloud credential "ckkf/kelvin/ckkf" not found
github.com/juju/juju/cmd/juju/commands/ssh_container.go:313: getting credential
github.com/juju/juju/cmd/juju/commands/ssh_container.go:121:
github.com/juju/juju/cmd/juju/commands/ssh.go:172:
If you have 'write' permission on a model, we should be generating a credential for the user that includes Exec permissions.