无需订阅所有者即可将 Azure Kubernetes 服务 (AKS) 附加到 Azure 容器注册表 (ACR)

Question

I'm deploying AKS via ARM template and Azure DevOps pipeline and want to automate attachment to ACR

To do so I need to execute az aks update --name $(clusterName) --resource-group $(rgName) --attach-acr $(containerRegistryName)

..but that requires Owner on Subscription level and I don't want service principle to have it

Is there any workaround available?

Answer 1

You only workaround would be to create a custom role that only allows to assign permissions to that specific resource. that would look like something like this:

$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "xxx"
$role.Description = "yyy"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.AssignableScopes.Clear()

$scope = "your azure container registry resourceId"
$role.AssignableScopes.Add($scope)
$def = New-AzureRmRoleDefinition -Role $role

maybe you need to add read permissions as well, due to how az cli is implemented, but in essence write should be enough