How to view attached ACR in AKS clusters in Azure


I have tried the az aks show and az aks list commands, but they don't show the names of the attached ACRs. I ran the command to attach the ACR using az aks update --attach-acr and it shows that it's attached.

After running the az aks update

Can I see through the CLI or portal that the acr is in the cluster?

There are 3 best solutions below

3
On BEST ANSWER

I am afraid you cannot see the attached ACR in the cluster UI portal.

When you attached the ACR to the AKS cluster using the az aks update --attach-acr command, it just assigned the ACR's AcrPull role to the service principal associated with the AKS cluster. See here for more information.

You can get the service principal which is associated with the AKS cluster with the command az aks list

See the screenshot below. The AcrPull role was assigned to the service principal associated with the AKS cluster.

If you want to use the Azure CLI to check which ACR is attached to the AKS cluster, you can list all the ACRs and then loop through them to check which one has assigned the AcrPull role to the AKS service principal. See the example below:

# list all the ACRs and get the ACR ID
az acr list

# check whether the AKS service principal has a role assignment on that ACR
az role assignment list --assignee <Aks service principal ID> --scope <ACR ID>

3
On

The az aks check-acr command checks if a certain ACR is available from a specific AKS.

You have to provide both the ACR and AKS as arguments, so this is not good for discovery.

You can build a small script around this that queries multiple subscriptions for their registered ACRs (you cannot pass multiple subscription arguments to az acr list --subscription, you have to query the subscriptions one by one), builds an aggregated table of the ACRs, then passes those values in a loop to az aks check-acr.

2
On

Actually, the parameter --attach-acr in the command just grants the AcrPull role to the service principal of the AKS. There is no difference from before. You can only see the service principal of the AKS. Currently, the CLI command az role assignment list cannot get the ACR directly if you do not know the ACR scope already. But you can get the principal ID first like this:

az aks show --resource-group groupName --name aksName --query identityProfile.kubeletidentity.objectId

And then use the CLI command to get the resource Id of the ACR:

az rest --method get --uri "https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01" --uri-parameters "\$filter=principalId eq 'objectId'" --query "value[0].properties.scope"

If you know the ACR resource ID, I think you know clearly which ACR is attached to the AKS.
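
An added example (not part of any answer above) that combines the approaches the answers describe: look up the cluster's kubelet identity, list its AcrPull role assignments, and classify each scope. The function names are hypothetical, the sample scopes are constructed, and it assumes az is logged in to the cluster's subscription and the cluster uses a kubelet managed identity; it goes slightly beyond the answers by flagging AcrPull granted at resource-group or subscription scope.

```shell
#!/usr/bin/env bash
# Added example: find the registries an AKS cluster can pull from by reading
# the AcrPull role assignments of its kubelet identity.

# Read role-assignment scopes (one per line) and classify each one.
#   registry-level scope -> "registry <name>"
#   broader scope        -> "inherited <scope>", because AcrPull on a resource
#                           group or subscription covers every registry in it.
classify_acrpull_scopes() {
  local scope name
  while IFS= read -r scope; do
    [ -z "$scope" ] && continue
    case "$scope" in
      */providers/Microsoft.ContainerRegistry/registries/*)
        name="${scope##*/registries/}"        # strip everything before the name
        printf 'registry %s\n' "${name%%/*}"  # drop any trailing sub-resource path
        ;;
      *)
        printf 'inherited %s\n' "$scope"
        ;;
    esac
  done
}

# List what a cluster can pull from. Arguments: resource group, cluster name.
# Assumption: the identity that pulls images is the kubelet managed identity.
attached_acrs() {
  local principal
  principal="$(az aks show --resource-group "$1" --name "$2" \
    --query identityProfile.kubeletidentity.objectId -o tsv)"
  az role assignment list --all --assignee "$principal" \
    --query "[?roleDefinitionName=='AcrPull'].scope" -o tsv |
    classify_acrpull_scopes
}

# Offline demonstration on constructed scopes (not real resources).
classify_acrpull_scopes <<'EOF'
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/demoacr
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-shared
EOF
```

Against a real cluster, call attached_acrs with the resource group and cluster name; an "inherited" line means the cluster can pull from registries that were never explicitly attached.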