
Terraform allow AKS to use ACR


This is my Terraform code to create an AKS cluster and allow it to use my ACR (in the same subscription):

resource "azurerm_kubernetes_cluster" "aks" {
  name                      = var.aks-cluster-name
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  kubernetes_version        = "1.18.8"
  dns_prefix                = "${var.aks-cluster-name}-dns"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    enable_auto_scaling   = false
    node_count            = 3
    availability_zones    = ["1", "2", "3"]
    type                  = "VirtualMachineScaleSets"
    enable_node_public_ip = false
  }

  network_profile {
    network_plugin = "azure"
    load_balancer_sku = "standard"
  }

  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_workspace.id
    }
    kube_dashboard {
      enabled = false
    }
    azure_policy {
      enabled = false
    }
  }
}

data "azurerm_container_registry" "acr_name" {
  name = "myacr"
  resource_group_name = "acr_rg"
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                = data.azurerm_container_registry.acr_name.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

I got this error (Status=403 Code="AuthorizationFailed"):

azurerm_role_assignment.aks_to_acr_role: Creating...
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxd/resourceGroups/acr_rg/providers/Microsoft.ContainerRegistry/registries/gcrclientacr/providers/Microsoft.Authorization/roleAssignments/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."

    on main.tf line 91, in resource "azurerm_role_assignment" "aks_to_acr_role":
    91: resource "azurerm_role_assignment" "aks_to_acr_role" {

I used a managed identity and not a service principal for my AKS.

Thanks for your help.


Solution

  • The issue is that the service principal running the Terraform code does not have access to grant the AcrPull role assignment to the AKS managed identity. This is an AD permission issue.

    Either grant the service principal (the one executing the Terraform code) an Owner role (Contributor isn't enough) or grant it a custom role that has permissions to execute the Microsoft.Authorization/roleAssignments/write action.
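The custom-role option from the answer, written out as an added example (not code from the question or the answer). It assumes the `data.azurerm_container_registry.acr_name` block from the question, a variable `terraform_sp_object_id` holding the object id of the service principal that runs the main configuration, and that this bootstrap block is applied once by an account that already holds Owner or User Access Administrator on the registry, since a principal cannot grant itself `roleAssignments/write`:

```hcl
# Added example: a least-privilege alternative to giving the Terraform
# service principal Owner. The role can only be assigned within the ACR,
# so the pipeline identity never gains the subscription-wide
# Microsoft.Authorization/roleAssignments/write that Owner would carry.

# Assumed: object id of the service principal that runs the main config.
variable "terraform_sp_object_id" {
  type = string
}

resource "azurerm_role_definition" "acr_role_assigner" {
  name        = "acr-role-assigner" # assumed name
  scope       = data.azurerm_container_registry.acr_name.id
  description = "Create and remove role assignments on this registry only"

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      # delete is needed so `terraform destroy` can remove the AcrPull
      # assignment again instead of failing with the same 403
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  # Restrict where this role may ever be assigned: the registry itself.
  assignable_scopes = [
    data.azurerm_container_registry.acr_name.id,
  ]
}

# Bind the custom role to the pipeline identity, at registry scope only.
resource "azurerm_role_assignment" "terraform_sp_acr_role_assigner" {
  scope              = data.azurerm_container_registry.acr_name.id
  role_definition_id = azurerm_role_definition.acr_role_assigner.role_definition_resource_id
  principal_id       = var.terraform_sp_object_id
}
```

After this is applied, the `azurerm_role_assignment.aks_to_acr_role` resource from the question can be created by the pipeline service principal without it holding Owner anywhere.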