Permission to attach AKS to ACR without subscription level role?


I have created a user with the Contributor role on a specific resource group and the Owner role on an ACR and an AKS cluster, both of which are in that resource group.

In spite of this, when the user tries to attach the ACR to the cluster with this command: az aks update -n (cluster name) -g (resource group) --attach-acr (acr name)

It returns this error: The client [email protected]' with object id xxxxx' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/xxxx/resourceGroup/xxxxxxx/providers/Microsoft.ContainerService/managedClusters/xxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have read about a solution to make the user subscription contributor, but I do not want the user to have visibility to anything that is not in the specific resource group.

It is also confusing since the user can view the AKS cluster in the portal, authenticate and view and deploy objects in the cluster.

Any way to accomplish this?


This error message indicates that the user or service principal specified in the command does not have the necessary permissions to perform the Microsoft.ContainerService/managedClusters/read action on the specified AKS cluster. This could be due to a lack of permissions at the subscription, resource group, or AKS cluster level.

You can fix it by verifying a few things. First, go to the resource group under which you have created your cluster and container registry, let's say for example jhurtas-rg; on the left-hand side you will see IAM.

First check what access you have already assigned to yourself under "View my access". Usually, Contributor access is the one which works.

Note that this same access should reflect in your cluster and container registry. You can verify those the same way as above under IAM of each resource. If all of them have the Contributor role enabled, then attaching the ACR to your cluster won't be a problem. If you don't have the permission, add it by clicking Add -> Add role assignment and add the additional role called AKS Contributor.

Remember this has to reflect in the ACR and your cluster as well. Now when you try to attach your ACR you will see it works, and you can pull images stored in your ACR repository.
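As an added illustration (not code from the answer's author), the check the answer performs by hand in the IAM blade, done over the output of `az role assignment list`: it reports which of the three scopes (resource group, AKS cluster, ACR) lack an acceptable role, honouring the fact that a role assigned at the resource group applies to every resource beneath it. The subscription id, resource names and assignments below are constructed placeholders.

```python
"""Effective-role check for the three scopes the answer walks through (resource group,
AKS cluster, ACR), honouring Azure RBAC scope inheritance: a role assigned at the
resource group (or subscription) applies to every resource beneath that scope."""
import json

# Constructed sample in the shape of `az role assignment list --all --assignee <id> -o json`
# (only the two fields used here). Subscription id and resource names are placeholders.
SUB = "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"
RG = SUB + "/resourceGroups/example-rg"
AKS = RG + "/providers/Microsoft.ContainerService/managedClusters/example-aks"
ACR = RG + "/providers/Microsoft.ContainerRegistry/registries/exampleacr"

SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": RG},   # inherited by AKS and ACR
    {"roleDefinitionName": "Owner", "scope": ACR},        # direct on the registry only
])

RESOURCES = {"resource group": RG, "AKS cluster": AKS, "ACR": ACR}


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if an assignment at assigned_scope applies to target_scope.
    Azure scopes are case-insensitive; a child scope is the parent plus '/...'."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_roles(assignments: list, target_scope: str) -> set:
    """Role names the principal holds on target_scope, directly or by inheritance."""
    return {x["roleDefinitionName"] for x in assignments if scope_covers(x["scope"], target_scope)}


def missing_access(assignments_json: str, resources: dict, acceptable_roles: set) -> list:
    """Names of the resources on which none of acceptable_roles is effective.
    acceptable_roles is whatever you consider sufficient (the answer uses Contributor
    or the built-in 'Azure Kubernetes Service Contributor Role', its 'AKS Contributor')."""
    assignments = json.loads(assignments_json)
    return [name for name, scope in resources.items()
            if not (effective_roles(assignments, scope) & acceptable_roles)]


if __name__ == "__main__":
    needed = {"Owner", "Contributor", "Azure Kubernetes Service Contributor Role"}
    gaps = missing_access(SAMPLE_ASSIGNMENTS_JSON, RESOURCES, needed)
    print("missing on:", gaps or "nothing; all three scopes are covered")
```

Run it against the real output by replacing SAMPLE_ASSIGNMENTS_JSON with the JSON `az role assignment list --all --assignee <user object id>` prints for the user in question.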