Comments (2)
Interestingly, when I go to portal.azure.com > my container registry > Access control (IAM) > Check access > Find > Managed identity > User-assigned managed identity > select one of my `aks-*-agentpool`-s that is the one corresponding with the `"principalId": "2f850a88-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` above, then I'm getting a very different result than from the `az role assignment list` command above:
from acr.
Solved!
I assigned the role using the Client ID of the `aks-*-agentpool` managed identity of my AKS clusters, instead of the Object (principal) ID:

```hcl
resource "azurerm_role_assignment" "aks_acr_pull_allowed" {
  # I put Client ID of AKS managed identity instead of Object (principal) ID
  principal_id         = ...
  role_definition_name = "AcrPull"
  ...
}
```
As soon as I corrected my Terraform code, applied, then my ACR shows the expected identities and my AKS clusters can pull images from my ACR.
Apologies for the false issue report.
OTOH, this could be added to the catalogue of issues in the troubleshooting guide :)
I owe huge thanks to @alexeldeib for his great help via #provider-azure channel on Kubernetes Slack.
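The misassignment described in this thread next to its corrected form, as an added Terraform example that is not code from the issue author or the ACR project. It assumes the `aks-*-agentpool` identity is the cluster's kubelet identity as exposed by the `azurerm` provider; the variable names and the `example` data source labels are hypothetical.

```hcl
# Added example. Variable names and the "example" labels are assumptions.
variable "resource_group_name" { type = string }
variable "aks_cluster_name"    { type = string }
variable "acr_name"            { type = string }

data "azurerm_kubernetes_cluster" "example" {
  name                = var.aks_cluster_name
  resource_group_name = var.resource_group_name
}

data "azurerm_container_registry" "example" {
  name                = var.acr_name
  resource_group_name = var.resource_group_name
}

# Misconfigured form (kept commented out): client_id is the identity's
# application (client) ID, not the principal that RBAC evaluates, so the
# kubelet never gains AcrPull on the registry.
#
# resource "azurerm_role_assignment" "aks_acr_pull_wrong" {
#   scope                = data.azurerm_container_registry.example.id
#   role_definition_name = "AcrPull"
#   principal_id         = data.azurerm_kubernetes_cluster.example.kubelet_identity[0].client_id
# }

# Corrected form: principal_id takes the Object (principal) ID.
resource "azurerm_role_assignment" "aks_acr_pull_allowed" {
  scope                = data.azurerm_container_registry.example.id
  role_definition_name = "AcrPull"
  principal_id         = data.azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

# Both GUIDs side by side, so the value in the role assignment can be
# compared with what the portal's "Check access" view shows.
output "kubelet_identity_ids" {
  value = {
    client_id = data.azurerm_kubernetes_cluster.example.kubelet_identity[0].client_id
    object_id = data.azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
  }
}
```

The two values are both GUIDs and easy to swap; the `principalId` reported by `az role assignment list` should match `object_id`, not `client_id`.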