Integrate ACR with AKS created using User Managed Identity

Ankit Rathod 371 Reputation points
2021-08-17T14:18:08.287+00:00

I have created AKS Private Cluster using User Managed Identity.

And I have created ACR Separately which is created Publicly.

I want to integrate the ACR with my private AKS cluster. I'm not sure which command to use.


3 answers

  1. SRIJIT-BOSE-MSFT 4,331 Reputation points Microsoft Employee
    2021-08-18T01:27:23.79+00:00

    @Ankit Rathod , Thank you for your question.

    If you are using Azure CLI:

    Integrate an existing ACR with existing AKS clusters by supplying valid values for acr-name or acr-resource-id as below.

    az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>  
    

    or,

    az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id>  
    
    Running az aks update --attach-acr uses the permissions of the user running the command to create the role ACR assignment. This role is assigned to the kubelet managed identity. For more information on the AKS managed identities, see Summary of managed identities.

    If you are using Azure PowerShell:

    Integrate an existing ACR with existing AKS clusters by supplying valid values for acr-name as below.

    Set-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup -AcrNameToAttach <acr-name>  
    
    Running Set-AzAksCluster -AcrNameToAttach uses the permissions of the user running the command to create the role ACR assignment. This role is assigned to the kubelet managed identity. For more information on the AKS managed identities, see Summary of managed identities.

    For more information please check this section.

    ----------

    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.


  2. Ankit Rathod 371 Reputation points
    2021-08-18T04:51:52.113+00:00

    Thanks for your response,

    But I'm still not able to understand what the actual command is to attach the ACR (already created manually) to the private AKS cluster (already created using an Azure User Managed Identity).

    The above commands do not work ...


  3. Ankit Rathod 371 Reputation points
    2021-08-18T06:56:22.533+00:00

    I'm running the below commands in PowerShell:

    $kubletIdentityObjectId = az aks show --resource-group <rg_name> --name <Cluster_name> --qurey identityprofile.kubeletidentity.objectId --out tsv

    $azureContainerRegistryId = az acr show --resource-group <rg_name> --name <CR_Name> --qurey id --out tsv

    az role assignment create --role acrpull --assignee-object-id $kubletIdentityObjectId --scope $azureContainerRegistryId

    It gives the below error

    ![124185-image.png]1

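The manual role-assignment approach attempted in the last post, written out as an added example (not from the thread and not Microsoft's own code): it grants the cluster's kubelet identity the AcrPull role scoped to the single registry. The `<...>` values are placeholders, and the caller is assumed to be signed in with `az login` and permitted to create role assignments on the registry.

```powershell
# Added example. Placeholder values: replace with your own names.
$ResourceGroup = '<rg_name>'
$ClusterName   = '<Cluster_name>'
$RegistryName  = '<CR_Name>'

# Object ID of the kubelet identity, the identity the nodes use to pull images.
# The flag is --query, and JMESPath keys are case-sensitive (identityProfile).
$kubeletObjectId = az aks show --resource-group $ResourceGroup --name $ClusterName `
    --query identityProfile.kubeletidentity.objectId --output tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($kubeletObjectId)) {
    throw "Could not resolve the kubelet identity of cluster '$ClusterName'."
}

# Full resource ID of the registry. Using it as the scope limits the grant
# to this one registry instead of the resource group or subscription.
$acrId = az acr show --resource-group $ResourceGroup --name $RegistryName `
    --query id --output tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($acrId)) {
    throw "Could not resolve the resource ID of registry '$RegistryName'."
}

# Create the assignment only if it is not already there, so reruns are safe.
$existing = az role assignment list --assignee $kubeletObjectId --scope $acrId `
    --role AcrPull --query "[].id" --output tsv
if ($LASTEXITCODE -ne 0) {
    throw "Could not list role assignments on '$RegistryName'."
}

if ([string]::IsNullOrWhiteSpace($existing)) {
    # --assignee-principal-type skips the directory lookup of the object ID,
    # which matters when the caller cannot read the directory.
    az role assignment create --role AcrPull `
        --assignee-object-id $kubeletObjectId `
        --assignee-principal-type ServicePrincipal `
        --scope $acrId | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Role assignment failed. Check that you may create role assignments on the registry."
    }
}

# Show what the kubelet identity now holds on the registry (expect AcrPull only).
az role assignment list --assignee $kubeletObjectId --scope $acrId `
    --query "[].{role:roleDefinitionName, scope:scope}" --output table
```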