Azure-docs: Authenticate with ACR from AKS via ARM Templates

Created on 25 Sep 2019 · 10 Comments · Source: MicrosoftDocs/azure-docs

Is it possible to hook up AKS to an Azure Container Registry using an ARM template? I don't see anything similar to the --attach-acr command in the AKS ARM template schema.



All 10 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@MicrosoftDocs/aks-pm @mlearned do we have any examples of how to achieve this via ARM? I took a look but I am also not finding much.

Cannot be done in an ARM template because this is a CLI client-side change only. We enabled this in the CLI for customers who find it hard to understand ARM RBAC. The implementation behind the scenes is specifically a simple role assignment allowing AKS to access ACR.

Thanks for confirming @sauryadas that is what I figured but wanted to check :)

@RehanSaeed I will go ahead and close this out, but if you have further questions just let us know.

Is there an example somewhere that shows what role assignment is done?

You need to use the kubelet identity to do the role assignment:

    "kubeletPrincipalId": {
        "value": "[reference(variables('clusterResourceId'), '2020-03-01').identityProfile.kubeletidentity.objectId]"
    }


        {
            "type": "Microsoft.ContainerRegistry/registries/providers/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[concat(parameters('acrName'), '/Microsoft.Authorization/', guid(parameters('acrName')))]",
            "properties": {
                "roleDefinitionId": "[variables('AcrPullRole')]",
                "principalId": "[parameters('kubeletPrincipalId')]"
            }
        }

@iqsarv Can you share what is in variables('AcrPullRole'), or an expanded template?

    "variables": {
        "AcrPullRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]"
    }

@iqsarv

Thanks a lot for your response.

    "variables": {
        "AcrPullRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]"
    }

Is 7f951dda-4ed3-4680-a7ca-43fe172d538d the tenantId, or does it apply to any deployment?
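
An expanded template for the role assignment discussed in this thread, as an added example that is not from any commenter or from the Azure docs: it grants the cluster's kubelet identity the built-in AcrPull role, scoped to the one registry only. The GUID `7f951dda-4ed3-4680-a7ca-43fe172d538d` is the definition ID of that built-in role, which is the same in every tenant and subscription. Assumptions not taken from the thread: the parameter names `aksClusterName` and `aksResourceGroup`, the roleAssignments API version, and the `scope` and `principalType` properties; the cluster already exists with a managed identity, and the template is deployed to the registry's resource group.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added example, not from the thread: AcrPull for the AKS kubelet identity on a single registry."
  },
  "parameters": {
    "acrName": {
      "type": "string",
      "metadata": { "description": "Registry in the resource group this template is deployed to." }
    },
    "aksClusterName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: existing AKS cluster that uses a managed identity." }
    },
    "aksResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": { "description": "Assumed parameter: resource group that holds the cluster." }
    }
  },
  "variables": {
    "clusterResourceId": "[resourceId(parameters('aksResourceGroup'), 'Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]",
    "AcrPullRole": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, parameters('acrName'), variables('clusterResourceId'), variables('AcrPullRole'))]",
      "scope": "[concat('Microsoft.ContainerRegistry/registries/', parameters('acrName'))]",
      "properties": {
        "roleDefinitionId": "[variables('AcrPullRole')]",
        "principalId": "[reference(variables('clusterResourceId'), '2020-03-01').identityProfile.kubeletidentity.objectId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

The assignment name is built from the registry, cluster and role IDs rather than from the registry name alone, so a second cluster or a second role on the same registry gets its own assignment. The identity running the deployment needs permission to write role assignments on the registry (for example Owner or User Access Administrator).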
