How to make sure az kubectl credentials do not expire and kubectl can be run by scripts on production?


To control the Azure Kubernetes service, you need permission to perform the actions. So the core of safety is permission. You can use the service principal with the right permission you need without interaction. So the az login could be changed into this:

az login --service-principal -u service_principal_app_id -p service_principal_secret --tenant tenant_id

To get the credentials to access the cluster, there are two permissions:

Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role

You can get more details here and decide which to use. You can set the expiry date for the service principal; take a look at another issue.


Find the recommendations below:

  1. It is perfectly fine to use those commands
  2. Instead of an individual ID, I suggest you use a service principal and secret to log in to Azure


az aks get-credentials basically generates a Kubernetes config file for you in ~/.kube/config which includes cluster information and a client certificate to access the Kubernetes API server. kubectl uses this configuration file by default.

You can also use a different config file location. If your script has access to this config file, it should just work.
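
A script-friendly wrapper combining the answers above, as an added example that is not part of the original answers: it logs in with a service principal, writes the cluster credentials to a private kubeconfig instead of ~/.kube/config, runs kubectl against it, and removes the file afterwards. The environment variable names and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example. Assumed (hypothetical) environment variables:
#   AZ_SP_APP_ID, AZ_SP_SECRET, AZ_TENANT_ID  - service principal login
#   AKS_RESOURCE_GROUP, AKS_CLUSTER_NAME      - target cluster

# Fail early, naming the first variable that is unset or empty.
require_env() {
  for _name in "$@"; do
    eval "_value=\${$_name:-}"
    if [ -z "$_value" ]; then
      echo "missing required variable: $_name" >&2
      return 1
    fi
  done
}

# Usage: aks_kubectl get pods --namespace default
aks_kubectl() {
  require_env AZ_SP_APP_ID AZ_SP_SECRET AZ_TENANT_ID \
              AKS_RESOURCE_GROUP AKS_CLUSTER_NAME || return 1

  # Private (mode 0700) directory so the kubeconfig, which holds the
  # cluster credential, is readable only by the account running the script.
  _kube_dir="$(mktemp -d)" || return 1
  _kubeconfig="$_kube_dir/config"

  _rc=0
  {
    # Non-interactive login as the service principal.
    az login --service-principal -u "$AZ_SP_APP_ID" -p "$AZ_SP_SECRET" \
       --tenant "$AZ_TENANT_ID" --output none &&
    # Write cluster credentials to the private file instead of ~/.kube/config.
    az aks get-credentials --resource-group "$AKS_RESOURCE_GROUP" \
       --name "$AKS_CLUSTER_NAME" --file "$_kubeconfig" --overwrite-existing &&
    # Point kubectl at that file explicitly.
    kubectl --kubeconfig "$_kubeconfig" "$@"
  } || _rc=$?

  # Remove the credential file whether or not the commands succeeded.
  rm -rf "$_kube_dir"
  return "$_rc"
}
```

Because the credentials are fetched on every run and deleted afterwards, the script does not depend on a kubeconfig left behind by an earlier interactive session.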