英文:
Cannot attach Azure container registries to Azure kubernetes service
问题
尝试附加 ACR 到 Azure 的 AKS,但出现以下错误:
无法为 ACR 创建角色分配。您在此订阅上是所有者吗?
以下是我遵循的步骤:
- 登录:
az login - 移动 servicePrincipal.json:
az ad sp create-for-rbac --skip-assignment - 获取服务主体对象 ID:
az ad sp list --display-name acrrgdevfahim并从结果中获取 ID:
{
"appId": "18843c4f-b406-4f0d-9fa3-219058a0f23a",
"displayName": "azure-cli-2023-03-12-09-56-37",
"password": "ACQ8Q~Oh.3_R~nqlqtek0ndYeOAAzJg6njU9mbi2",
"tenant": "8aa57581-5266-4503-a692-a10815c0a5a6"
}
- 分配拉取权限:
az role assignment create --assignee-object-id c465e0ec-dba8-4783-bbff-ee9944a69763 --scope /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim --role acrpull - 最后:
az aks update -n aksclusterfahim -g RG-dev --attach-acr acrrgdevfahim
结果是:
无法为 ACR 创建角色分配。您在此订阅上是所有者吗?
现在从我的门户中,我可以在订阅页面看到自己被标记为订阅的所有者。我该如何解决这个问题?
更新 1:
对于以下两个查询的进一步调查:
-
az role assignment list --all --include-classic-administrators --query "[?principalName=='fhoque.arnob@outlook.com']"结果:[] -
az role assignment list --all --output table
结果:
Principal Role Scope
-------------------------------------------------------- ----------- ------------------------------------------------------------------------
fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com Owner /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4
a48be5d4-727b-444b-99d9-e8b03ab75c16 Contributor /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/MC_RG-dev_aksclusterfahim_centralindia
fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com Owner /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev
c119ef5d-7f74-4a5d-a83d-dfae0bbbca61 AcrPull /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
6b19686e-30f0-4805-806f-c4ca9ed8bbd4 AcrPull /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
英文:
Trying to attach ACR to AKS in azure but getting
Could not create a role assignment for ACR. Are you an Owner on this subscription?
Here are the steps I followed:
- Login:
az login - To move servicePrincipal.json:
az ad sp create-for-rbac --skip-assignment - To get the service principal object id:
az ad sp list --display-name acrrgdevfahimand got the id from result:
{
"appId": "18843c4f-b406-4f0d-9fa3-219058a0f23a",
"displayName": "azure-cli-2023-03-12-09-56-37",
"password": "ACQ8Q~Oh.3_R~nqlqtek0ndYeOAAzJg6njU9mbi2",
"tenant": "8aa57581-5266-4503-a692-a10815c0a5a6"
}
fahimhoque@Arnob ~ % az ad sp list --display-name acrrgdevfahim
[
{
"accountEnabled": true,
"addIns": [],
"alternativeNames": [
"isExplicit=False",
"/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourcegroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim"
],
"appDescription": null,
"appDisplayName": null,
"appId": "6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
"appOwnerOrganizationId": null,
"appRoleAssignmentRequired": false,
"appRoles": [],
"applicationTemplateId": null,
"createdDateTime": "2023-03-12T06:54:39Z",
"deletedDateTime": null,
"description": null,
"disabledByMicrosoftStatus": null,
"displayName": "acrrgdevfahim",
"homepage": null,
"id": "c465e0ec-dba8-4783-bbff-ee9944a69763",
"info": null,
"keyCredentials": [
{
"customKeyIdentifier": "4E9BFDB4314ADD4B76713CE558593C75874AD534",
"displayName": "CN=6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
"endDateTime": "2023-06-10T06:49:00Z",
"key": null,
"keyId": "661bb2e7-d8d1-41b8-980d-7728875554b2",
"startDateTime": "2023-03-12T06:49:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify"
}
],
"loginUrl": null,
"logoutUrl": null,
"notes": null,
"notificationEmailAddresses": [],
"oauth2PermissionScopes": [],
"passwordCredentials": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyThumbprint": null,
"replyUrls": [],
"resourceSpecificApplicationPermissions": [],
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
"https://identity.azure.net//ob5N0+Wkcw9erM4VGKOVJ1T/5bYaBWcqVa1x47nLZo="
],
"servicePrincipalType": "ManagedIdentity",
"signInAudience": null,
"tags": [],
"tokenEncryptionKeyId": null,
"verifiedPublisher": {
"addedDateTime": null,
"displayName": null,
"verifiedPublisherId": null
}
}
]
- Assigning pull permission
az role assignment create --assignee-object-id c465e0ec-dba8-4783-bbff-ee9944a69763 --scope /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim --role acrpull - Finally:
az aks update -n aksclusterfahim -g RG-dev --attach-acr acrrgdevfahim
which gives the result:
Could not create a role assignment for ACR. Are you an Owner on this subscription?
Now from my portal in subscriptions page I can see myself marked as owner of the subscription. How do I resolve this issue?
Update 1:
Upon further investigation for this two queries:
-
az role assignment list --all --include-classic-administratorsResult: []
--query "[?principalName=='fhoque.arnob@outlook.com']" -
az role assignment list --all --output table
Result:
Role Scope
---------------------------------------------------------------- ----------- ---------------------------------------------------------------------------------------------------------------------------------------- fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com
Owner /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4
a48be5d4-727b-444b-99d9-e8b03ab75c16
Contributor
/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/MC_RG-dev_aksclusterfahim_centralindia
fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com
Owner
/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev
c119ef5d-7f74-4a5d-a83d-dfae0bbbca61
AcrPull
/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
6b19686e-30f0-4805-806f-c4ca9ed8bbd4
AcrPull
/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
</details>
# 答案1
**得分**: 1
_**我尝试在我的环境中重现,并获得以下结果:**_
尝试在Windows PowerShell ISE中运行以下命令以验证您是否具有使用CLI创建角色分配所需的权限,如下所示:
```powershell
Az login
az role assignment list --all --include-classic-administrators --query "[?principalName=='<your-email-address>']"
在Azure活动目录中 -> 应用注册 -> 尝试像下面这样添加服务主体:
要检查服务主体的现有情况:
az role assignment list --all --assignee <service-principal-object-id>
确保检查 Registry ID
az acr show --name <ACRName> --query id --output tsv
当我尝试分配权限以成功分配角色给服务主体时,如下所示:
az role assignment create --assignee <service-principal-object-id> --scope <RegistryID> --role AcrPull
要将ACR附加到AKS群集,请使用以下命令:
# 使用acr-name附加
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>
要在门户中确认Acrpull角色分配如下:
要验证ACR和AKS之间的连接,我在ACR中创建了一个存储库,并在kubectl部署中引用了该映像。它成功地拉取了映像,启动并运行。
参考:
将Azure容器注册表与Azure Kubernetes服务集成 - Azure Kubernetes服务 | 微软学习
英文:
I tried to reproduce the same in my environment and got the results like below:
Try to run the below cmd in windows powershell ISE to Verify that you have the necessary permissions to create role assignments using CLI like below:
Az login
az role assignment list --all --include-classic-administrators --query "[?principalName=='<your-email-address>']"
In azure active directory -> App registration -> Try to add service principal like below:
To check existing for the service principal:
az role assignment list --all --assignee <service-principal-object-id>
Make sure to check the Registry ID
az acr show --name <ACRName> --query id --output tsv
When I try to assign to grant the necessary permissions to the service principal it assign role successfully below:
az role assignment create --assignee <service-principal-object-id> --scope <RegistryID> --role AcrPull
To attach ACR to the AKS cluster make use of below command:
#Attach using acr-name
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>
To confirm in portal Acrpull role assignment assigned like below:
To verfiy the connectivity between the ACR and AKS, i have created one repository in the ACR and referred that image in the kubectl deployment. It is successfully pulled the image, up and running.
Reference:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论