[英]Attach Azure Kubernetes Service (AKS) to Azure Container Registry (ACR) without being Subscription Owner
I'm deploying AKS via ARM template and Azure DevOps pipeline and want to automate attachment to ACR我正在通过 ARM 模板和 Azure DevOps 管道部署 AKS,并希望自动连接到 ACR
To do so I need to execute az aks update --name $(clusterName) --resource-group $(rgName) --attach-acr $(containerRegistryName)
为此,我需要执行
az aks update --name $(clusterName) --resource-group $(rgName) --attach-acr $(containerRegistryName)
..but that requires Owner on Subscription level and I don't want service principle to have it ..但是这需要订阅级别的所有者,我不希望服务原则拥有它
Is there any workaround available?有没有可用的解决方法?
You only workaround would be to create a custom role that only allows to assign permissions to that specific resource.您唯一的解决方法是创建一个仅允许为该特定资源分配权限的自定义角色。 that would look like something like this:
看起来像这样:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "xxx"
$role.Description = "yyy"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.AssignableScopes.Clear()
$scope = "your azure container registry resourceId"
$role.AssignableScopes.Add($scope)
$def = New-AzureRmRoleDefinition -Role $role
maybe you need to add read permissions as well, due to how az cli is implemented, but in essence write should be enough由于 az cli 的实现方式,您可能还需要添加读取权限,但本质上写入应该就足够了
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.