I have an Azure Kubernetes Service (AKS) cluster hosted in one Azure AD tenant and an Azure Container Registry (ACR) hosted in another Azure AD tenant. The ACR is secured using a service principal, and the AKS cluster uses a managed identity. I need to configure the AKS cluster to pull container images from the ACR securely. What is the best approach to set up cross-tenant authentication and authorization between the AKS cluster and the ACR?

Here are the specific requirements and constraints:

  1. The ACR is located in Azure AD Tenant A, and the AKS cluster is hosted in Azure AD Tenant B.
  2. A service principal exists in Tenant A, which is used to secure the ACR.
  3. A managed identity exists in Tenant B, which is associated with the AKS cluster.
  4. The AKS cluster needs to be configured to authenticate with the ACR using its managed identity.

I've researched options like Azure RBAC, Azure AD B2B collaboration, and managed identities, but I'm unsure of the best approach to implement this configuration. Can someone provide guidance or a step-by-step solution to achieve this?

Any help or insights would be greatly appreciated. Thank you!

I've done some research, but I can't find any information on whether this is possible with a managed identity in one tenant and a service principal in another.


Arko:

To enable Azure Kubernetes Service (AKS) to pull images from an Azure Container Registry (ACR) located in a different Azure AD tenant, you can use a service principal to authenticate with the ACR and configure the AKS cluster to use the service principal credentials. Here are the steps to set up cross-tenant authentication and authorization between the AKS cluster and the ACR:

  1. Create a new multitenant app (service principal) in Tenant A (Step 1: Create multitenant Microsoft Entra application).

a. Sign in to the Azure portal in Tenant A.

b. Search for and select Microsoft Entra ID.

c. Under Manage, select App registrations > + New registration.

d. In Supported account types, select Accounts in any organizational directory.

e. Select Register. On the Overview page, take note of the Application (client) ID. It will be used in Step 4.

In Certificates & secrets, under Client secrets, select + New client secret. Enter a Description and tenure and select Add. Take note of the value of the client secret. You use it to update the AKS cluster's service principal.

  2. Provision the app in Tenant B.
  3. Configure the service principal to pull from the registry in Tenant B. Open the following link using an admin account in Tenant B. Where indicated, insert the ID of Tenant B and the application ID (client ID) of the multitenant app.
https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Multitenant application ID>&response_type=code&redirect_uri=<redirect url>

Select Consent on behalf of your organization and then Accept.

  4. Update the AKS cluster in Tenant B to authenticate using the new service principal. In Tenant B, assign the AcrPull role to the service principal, scoped to the target container registry.

Use the multitenant application (client) ID and client secret collected in Step 1 to update the AKS service principal credential.

az aks update-credentials --resource-group myResourceGroup --name myAKSCluster --reset-service-principal --service-principal "$SP_ID" --client-secret "${SP_SECRET}"

You need at least the Contributor role in the AKS cluster's subscription and the Owner role in the container registry's subscription. For detailed step-by-step instructions, please refer to the Microsoft documentation on how to pull images from a container registry to an AKS cluster in a different Microsoft Entra tenant.

References:
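The four steps from the answer above, scripted with the Azure CLI, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes an `az` session already signed in to Tenant A with the registry's subscription selected, grants AcrPull in the registry's tenant (Tenant A, as the question states) scoped to the registry only, and ends with `az aks check-acr` as the verification step; the function names and every resource name are this example's own placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own code. Assumes `az login` to Tenant A
# (the registry's tenant) has already been done; all names are placeholders.
set -eu

# Entra tenant and application IDs are GUIDs; reject pasted display names early.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# The admin-consent link from the answer, built from Tenant B's ID and the app ID.
consent_url() {
  tenant_b="$1"; app_id="$2"; redirect="${3:-https://portal.azure.com}"
  is_guid "$tenant_b" && is_guid "$app_id" || return 1
  printf 'https://login.microsoftonline.com/%s/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s' \
    "$tenant_b" "$app_id" "$redirect"
}

# Arguments: <Tenant B ID> <ACR name> <ACR resource group> <AKS name> <AKS resource group>
setup_cross_tenant_pull() {
  tenant_b="$1"; acr_name="$2"; acr_rg="$3"; aks_name="$4"; aks_rg="$5"
  is_guid "$tenant_b" || { echo "Tenant B ID must be a GUID" >&2; return 1; }

  # Step 1 (Tenant A): multitenant app registration plus a client secret.
  app_id=$(az ad app create --display-name "acr-pull-$acr_name" \
             --sign-in-audience AzureADMultipleOrgs --query appId -o tsv)
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)
  # The app needs a service principal in Tenant A before it can hold a role here;
  # assigning by object ID avoids the directory lookup that races replication.
  sp_oid=$(az ad sp create --id "$app_id" --query id -o tsv)
  acr_id=$(az acr show --name "$acr_name" --resource-group "$acr_rg" --query id -o tsv)
  az role assignment create --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$acr_id" >/dev/null   # AcrPull only, on this registry only

  # Steps 2-3 (Tenant B): provision the app; `az ad sp create` is the CLI equivalent
  # of opening the consent link and accepting on behalf of the organization.
  echo "Portal alternative: $(consent_url "$tenant_b" "$app_id")"
  az login --tenant "$tenant_b" >/dev/null
  az ad sp create --id "$app_id" >/dev/null

  # Step 4 (Tenant B): point the cluster at the new credential, then verify the pull path.
  az aks update-credentials --resource-group "$aks_rg" --name "$aks_name" \
    --reset-service-principal --service-principal "$app_id" --client-secret "$secret"
  az aks check-acr --resource-group "$aks_rg" --name "$aks_name" --acr "$acr_name.azurecr.io"
}
```

Source the file and call `setup_cross_tenant_pull <tenant-B-id> <acr> <acr-rg> <aks> <aks-rg>`; the final `az aks check-acr` reports whether the cluster can actually reach and pull from the registry with the new credential.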