I created an Azure Container Registry (ACR) and now need to create a Managed Cluster (AKS). When we use the Azure Portal or Azure CLI, we can integrate an existing ACR. In Pulumi Azure Native, ManagedClusterArgs does not have any property to accept an existing ACR.

How do I attach an already created ACR when creating the Managed Cluster?

Or will assigning the AcrPull role to the automatically created User Assigned Managed Identity (<cluster-name>-agentpool) achieve the same?

MD TAREQ HASSAN

1 Answer

Yes, you need to assign the AcrPull role to the managed identity of the cluster (VMSS).

(Make sure that the Service Principal used by the Pulumi CLI has the User Access Administrator role; otherwise Pulumi would not be able to create the role assignment.)

Here is an example using a system-assigned managed identity in TypeScript:

import * as azure_native from "@pulumi/azure-native";
import * as containerservice from "@pulumi/azure-native/containerservice";

// const resourceGroup = ...
// const registry = ...
// const subscriptionId = ...

const cluster = new containerservice.ManagedCluster("managedCluster", {
    // ...
    identity: {
        type: "SystemAssigned",
    },
});

// kubeconfig for the cluster (not needed for the role assignment itself)
const creds = containerservice.listManagedClusterUserCredentialsOutput({
    resourceGroupName: resourceGroup.name,
    resourceName: cluster.name,
});

// The node pool VMSS pulls images with the kubelet identity, not with the
// cluster's own (control-plane) identity, so that is the principal to grant.
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// Built-in AcrPull role definition (same GUID in every subscription).
const roleDefinitionId = `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;
const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
    principalId: principalId,
    // Stating the principal type avoids the directory lookup that can fail
    // for an identity that was created moments ago.
    principalType: "ServicePrincipal",
    roleDefinitionId: roleDefinitionId,
    scope: registry.id,
});

C#:

using Pulumi;
using Pulumi.AzureNative.ContainerService;
using AzureNative = Pulumi.AzureNative;

// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { /* ... */ });
// var aksAppCluster = new ManagedCluster("AksAppplicationCluster", new ManagedClusterArgs { /* ... */ });

// Object id of the kubelet (VMSS) identity, the principal that pulls images.
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
    var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
    return vmssManagedIdentityProfile.ObjectId;
});

var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// RoleUtil is a helper of the answer author; GetAcrPullRoleDefinitionId() returns:
// "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"

var roleAssignment = new AzureNative.Authorization.RoleAssignment("AcrPullRoleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
{
    PrincipalId = vmssManagedIdentityPrincipalId!,
    PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
    RoleDefinitionId = acrPullRoleDefinitionId,
    Scope = mainAcr.Id,
});

For built-in role ids, see: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Mikhail Shilkov
  • How do I get `cluster.principalId` in C#? And is this `cluster.principalId` the same as the managed identity used by the Master Plane (API Server)? When we use the Azure Portal, `-agentpool` (user assigned managed identity) gets the `AcrPull` role – MD TAREQ HASSAN Nov 08 '21 at 16:02
  • Good question - I expanded my example to highlight the managed identity part – Mikhail Shilkov Nov 09 '21 at 14:02
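A post-deployment check for what this answer sets up, added here as an example and not part of the answer or of Pulumi: given the objects that `az role assignment list --all -o json` reports (fields `principalId`, `roleDefinitionId`, `scope`), it lists the assignments that actually grant AcrPull to the kubelet identity on the registry, counting an assignment made at an ancestor scope (resource group or subscription) because ARM inherits it. All ids and names below are constructed placeholders.

```typescript
// Built-in AcrPull role GUID (the same one the answer uses).
const ACR_PULL_ROLE_GUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d";

// Shape of one entry from `az role assignment list -o json` (only the fields used here).
interface RoleAssignment {
  principalId: string;
  roleDefinitionId: string;   // ".../providers/Microsoft.Authorization/roleDefinitions/<guid>"
  scope: string;              // ARM id the assignment is attached to
}

// ARM id of the built-in AcrPull role definition in a subscription.
function acrPullRoleDefinitionId(subscriptionId: string): string {
  return `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${ACR_PULL_ROLE_GUID}`;
}

// True when `scope` is the resource itself or one of its ancestors; ARM ids compare case-insensitively.
function scopeCovers(scope: string, resourceId: string): boolean {
  const s = scope.toLowerCase().replace(/\/+$/, "");
  const r = resourceId.toLowerCase();
  return r === s || r.startsWith(s + "/");
}

// Assignments that grant AcrPull on `registryId` to `principalId`, directly or by inheritance.
function acrPullGrants(assignments: RoleAssignment[], principalId: string, registryId: string): RoleAssignment[] {
  return assignments.filter(a =>
    a.principalId.toLowerCase() === principalId.toLowerCase() &&
    a.roleDefinitionId.toLowerCase().endsWith("/roledefinitions/" + ACR_PULL_ROLE_GUID) &&
    scopeCovers(a.scope, registryId));
}

// Constructed sample: a kubelet identity, a registry, and three assignments of which only one counts.
const SUB = "00000000-0000-0000-0000-000000000000";
const KUBELET_OBJECT_ID = "11111111-1111-1111-1111-111111111111";
const CONTROL_PLANE_OBJECT_ID = "22222222-2222-2222-2222-222222222222";
const REGISTRY_ID = `/subscriptions/${SUB}/resourceGroups/rg-app/providers/Microsoft.ContainerRegistry/registries/mainacr`;
const SAMPLE_ASSIGNMENTS: RoleAssignment[] = [
  // wrong principal: the cluster's control-plane identity does not pull images
  { principalId: CONTROL_PLANE_OBJECT_ID, roleDefinitionId: acrPullRoleDefinitionId(SUB), scope: REGISTRY_ID },
  // right principal, but scoped to a different registry
  { principalId: KUBELET_OBJECT_ID, roleDefinitionId: acrPullRoleDefinitionId(SUB),
    scope: `/subscriptions/${SUB}/resourceGroups/rg-other/providers/Microsoft.ContainerRegistry/registries/otheracr` },
  // right principal, granted on the resource group, which the registry inherits
  { principalId: KUBELET_OBJECT_ID, roleDefinitionId: acrPullRoleDefinitionId(SUB),
    scope: `/subscriptions/${SUB}/resourceGroups/RG-APP` },
];

const grants = acrPullGrants(SAMPLE_ASSIGNMENTS, KUBELET_OBJECT_ID, REGISTRY_ID);
console.log(grants.length === 0 ? "kubelet identity cannot pull from the registry" : `AcrPull granted via scope ${grants[0].scope}`);
```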