How to allow AKS Cluster access to Azure Container Registry: issues with ACR role assignment

HP-Nunes 1 Reputation point
2021-09-02T00:35:26.877+00:00

I am following Kubeflow's End-to-End Pipeline Example on Azure tutorial and am stuck on how to allow the AKS Cluster to access the Azure Container Registry.

I have up to that point:

  1. Created a resource group;
  2. Created a Machine Learning Studio Workspace;
  3. Created an Azure container registry;
  4. Created a cluster in Kubernetes service;

All of those have been created within the same Resource Group, under the same subscription.

I then ran the following code in bash:

az aks update -n <myAKSCluster> -g <MyResourceGroup> --attach-acr <REGISTRY_NAME>

And got the following output:

Waiting for AAD role to propagate[################################    ]  90.0000%Could not create a role assignment for ACR. Are you an Owner on this subscription?

I made sure to not only enable "Admin User" for my ACR, but also assigned a contributor role. I double-checked all of the resources I have created, and all have the Owner role enabled; again, all within my subscription.

I do not understand what the issue might be. If it's an authentication issue with my ACR, then I am failing to identify the parameter that needs enabling.


1 answer

  1. shiva patpi 13,141 Reputation points Microsoft Employee
    2021-09-02T05:13:23.16+00:00

    Hello @HP-Nunes,
    Thanks for reaching out to Microsoft Q&A.
    There is a detailed discussion with multiple alternative options mentioned in the below article:
    https://github.com/Azure/AKS/issues/1517

    Summarizing a couple of options here:

    1) Start a fresh window and start with az login
    2) Try to delete the cached file: ~/.azure/aksServicePrincipal.json
    3) If you are using a Service Principal, try to assign acrpull permissions using the command below:
    az role assignment create --assignee-object-id $SERVICE_PRINCIPAL_OBJECT_ID --scope $ACR_REGISTRY_ID --role acrpull
    4) A better alternative is to use a Managed Identity for AKS
    https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

    Kindly go through them and let us know if any of those steps help in resolving your issue.

    Regards,
    Shiva.
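
An added example, not part of the original thread: --attach-acr has to create an AcrPull role assignment on the registry, which Contributor cannot do, so this sketch checks the caller's roles at the registry scope before making the same pull-only assignment by hand. The function names are hypothetical, the caller's object ID is supplied by you, and the cluster is assumed to use a managed identity (option 4).

```shell
# Added example (not from the thread). Function names are hypothetical.
# Assumes a managed-identity cluster, so image pulls use the kubelet identity.

# Reads role names on stdin, one per line. Succeeds only if one of them can
# create role assignments: Contributor cannot, Owner and User Access
# Administrator can. Custom roles are not considered here.
can_assign_roles() {
  grep -qxF -e 'Owner' -e 'User Access Administrator'
}

# $1 = caller's object ID, $2 = scope. Lists direct and inherited role names.
caller_roles_at_scope() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query '[].roleDefinitionName' -o tsv
}

# $1 = cluster, $2 = resource group, $3 = registry, $4 = caller's object ID.
# Returns 2 if the caller cannot assign roles, 3 if no kubelet identity is found.
grant_acr_pull() {
  local acr_id kubelet_id
  acr_id=$(az acr show -n "$3" --query id -o tsv) || return 1
  kubelet_id=$(az aks show -n "$1" -g "$2" \
    --query identityProfile.kubeletidentity.objectId -o tsv) || return 1
  [ -n "$kubelet_id" ] || { echo "no kubelet identity on $1" >&2; return 3; }

  if ! caller_roles_at_scope "$4" "$acr_id" | can_assign_roles; then
    echo "caller $4 cannot create role assignments at $acr_id" >&2
    return 2
  fi
  # Least privilege: pull-only, scoped to this one registry.
  az role assignment create --assignee-object-id "$kubelet_id" \
    --assignee-principal-type ServicePrincipal --scope "$acr_id" --role AcrPull
}

# Usage: grant_acr_pull <myAKSCluster> <MyResourceGroup> <REGISTRY_NAME> <caller-object-id>
```

A return code of 2 means someone with Owner or User Access Administrator on the registry has to run the assignment instead.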