
Attach Azure Kubernetes Service (AKS) to Azure Container Registry (ACR) without being Subscription Owner

I'm deploying AKS via ARM template and Azure DevOps pipeline and want to automate attachment to ACR

To do so I need to execute az aks update --name $(clusterName) --resource-group $(rgName) --attach-acr $(containerRegistryName)

...but that requires Owner on Subscription level and I don't want the service principal to have it

Is there any workaround available?

Your only workaround would be to create a custom role that only allows assigning permissions on that specific resource. That would look something like this:

# Start from an existing built-in role definition as a template
# (AzureRm module; the Az module equivalents are Get-AzRoleDefinition / New-AzRoleDefinition)
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                 # clear the Id so a new definition is created instead of updating the built-in one
$role.Name = "xxx"               # name of the custom role
$role.Description = "yyy"        # description of the custom role
$role.Actions.Clear()            # drop every inherited action
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")   # only permission needed to create a role assignment
$role.AssignableScopes.Clear()   # drop the inherited (subscription-wide) scopes

$scope = "your azure container registry resourceId"   # e.g. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<name>
$role.AssignableScopes.Add($scope)                    # the role can only be assigned on this one registry
$def = New-AzureRmRoleDefinition -Role $role          # create the custom role definition

Maybe you need to add read permissions as well, due to how the az CLI is implemented, but in essence write should be enough.
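As an added example that is not part of the original answer, the same narrowly scoped role expressed in the az CLI's JSON role-definition format, with a check that refuses any assignable scope broader than a single container registry. The role name, subscription id, resource group and registry name are placeholders; the az commands are wrapped in a function so the file can be sourced without talking to Azure.

```shell
#!/bin/sh
# Added example (not from the original post): build the custom role the answer
# describes, restricted to one ACR resource id, and apply it with the az CLI.
# Assumes: az CLI installed and logged in when apply_acr_attach_role is run.

# Print the role definition JSON for exactly one registry resource id.
# Returns 1 (and prints nothing) when the scope is not a single
# Microsoft.ContainerRegistry/registries resource, so the role can never be
# created at resource-group or subscription scope by accident.
build_acr_role_json() {
    role_name="$1"
    acr_id="$2"
    case "$acr_id" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.ContainerRegistry/registries/*) ;;
        *) echo "refusing scope '$acr_id': not a container registry" >&2; return 1 ;;
    esac
    # anything after the registry name would be a child resource, not the registry
    rest="${acr_id##*/registries/}"
    case "$rest" in
        ""|*/*) echo "refusing scope '$acr_id': not a single registry" >&2; return 1 ;;
    esac
    printf '%s\n' \
"{
  \"Name\": \"$role_name\",
  \"Description\": \"Lets the AKS deployment principal create role assignments on one ACR only\",
  \"Actions\": [
    \"Microsoft.Authorization/roleAssignments/write\",
    \"Microsoft.Authorization/roleAssignments/read\"
  ],
  \"NotActions\": [],
  \"AssignableScopes\": [ \"$acr_id\" ]
}"
}

# Create the role definition and grant it to the pipeline service principal
# on the registry only. Placeholders: ROLE_NAME, ACR_ID, SP_OBJECT_ID.
apply_acr_attach_role() {
    role_name="$1"; acr_id="$2"; sp_object_id="$3"
    build_acr_role_json "$role_name" "$acr_id" > /tmp/acr-attach-role.json || return 1
    az role definition create --role-definition @/tmp/acr-attach-role.json
    az role assignment create --assignee-object-id "$sp_object_id" \
        --assignee-principal-type ServicePrincipal \
        --role "$role_name" --scope "$acr_id"
}
```

After this the pipeline principal can run `az aks update --attach-acr` (with its existing rights on the cluster) without holding Owner anywhere above the registry; the principal can still assign any role on that one registry, so keep the scope exactly as narrow as shown.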
