Tags: go, azure-aks, azure-sdk, azure-role-environment, azure-acr

Azure golang SDK - Assign AcrPull role to AKS cluster


Having created an AKS cluster and ACR -- I am now trying to programmatically grant the AKS cluster the AcrPull role. Currently I am attempting to do this using the RoleAssignmentsClient.Create() function from the golang SDK.

Here is what I have tried so far:

AcrPullDefinitionID := "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"
// pulled that ^ off of: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#acrpull

providerNamespace := "/providers/Microsoft.ContainerService/managedClusters/"

// Scope the assignment is created on: here the AKS cluster's resource ID.
scope := "/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroupName + providerNamespace + resourceName

// roleAssignmentName must be a new GUID; raClient is an *armauthorization.RoleAssignmentsClient
// and to.Ptr comes from github.com/Azure/azure-sdk-for-go/sdk/azcore/to.
res, err := raClient.Create(ctx, scope, roleAssignmentName, armauthorization.RoleAssignmentCreateParameters{
    Properties: &armauthorization.RoleAssignmentProperties{
        PrincipalID:      to.Ptr(clientID),
        PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
        RoleDefinitionID: to.Ptr("/subscriptions/" + subscriptionID + AcrPullDefinitionID),
    },
}, nil)

When I make the call with the above values I get the following error:

for resource: {AKSClusterName} of type: /providers/Microsoft.ContainerService/managedClusters/
Unable to create roleAssignment: PUT https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{AKSClusterName}/providers/Microsoft.Authorization/roleAssignments/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d
--------------------------------------------------------------------------------
RESPONSE 405: 405 Method Not Allowed
ERROR CODE UNAVAILABLE
--------------------------------------------------------------------------------
{
  "message": "The requested resource does not support http method 'PUT'."
}
--------------------------------------------------------------------------------

I am not sure if this is a conceptual misunderstanding or I am just using the API wrong.

Any and all help would be appreciated. Thanks!


Solution

  • It seems that the scope you are pointing to is incorrect. When applying RBAC permissions, you need to set the scope to be the resource to which the RBAC policy should apply.

    So, if you are applying an RBAC policy for your AKS cluster to have AcrPull permissions, then the scope should be set to the resource ID of your Azure Container Registry.
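The following Go program is an added example, not code from the question or the answer above. It builds the values the Create call from the question needs with the scope corrected to the registry's resource ID, and adds two checks a practitioner would want before issuing the PUT: the scope must be a Microsoft.ContainerRegistry/registries resource (the question's scope pointed at the AKS cluster), and the role assignment name must be a fresh GUID (the URL in the question's 405 error shows the role definition path where that GUID belongs). The helper names, the placeholder subscription, resource group, registry and principal values, and the assumption that the principal is the object ID of the identity AKS pulls images with are all this example's own; the SDK call shown in the closing comment mirrors the shape used in the question and is not executed here, so the program runs offline with only the standard library.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// Built-in AcrPull role definition GUID, as given in the question.
const acrPullRoleGUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"

// AcrPullAssignment holds the four values RoleAssignmentsClient.Create needs:
// scope, assignment name, role definition ID and principal object ID.
type AcrPullAssignment struct {
	Scope            string
	Name             string
	RoleDefinitionID string
	PrincipalID      string
}

// acrScope returns the ARM resource ID of the container registry. For AcrPull
// this, not the AKS cluster, is the scope: the permission is granted on the
// resource being read, so the grant stays as narrow as one registry.
func acrScope(subscriptionID, resourceGroup, registryName string) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s",
		subscriptionID, resourceGroup, registryName)
}

// acrPullRoleDefinitionID returns the subscription-qualified role definition ID.
func acrPullRoleDefinitionID(subscriptionID string) string {
	return "/subscriptions/" + subscriptionID + "/providers/Microsoft.Authorization/roleDefinitions/" + acrPullRoleGUID
}

// newRoleAssignmentName returns a random version-4 GUID. Role assignment names
// must be GUIDs; putting the role definition path there yields the malformed
// roleAssignments/providers/... URL seen in the question's 405 response.
func newRoleAssignmentName() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// checkAcrScope rejects a scope that does not point at a container registry,
// catching the mistake in the question (scope set to the managedClusters resource).
func checkAcrScope(scope string) error {
	const want = "/providers/Microsoft.ContainerRegistry/registries/"
	if !strings.Contains(scope, want) {
		return fmt.Errorf("AcrPull scope must be a registry resource ID containing %q, got %q", want, scope)
	}
	return nil
}

// buildAcrPullAssignment assembles and validates the parameters for the Create call.
// principalID is the object ID of the principal (not its application/client ID).
func buildAcrPullAssignment(subscriptionID, resourceGroup, registryName, principalID string) (AcrPullAssignment, error) {
	scope := acrScope(subscriptionID, resourceGroup, registryName)
	if err := checkAcrScope(scope); err != nil {
		return AcrPullAssignment{}, err
	}
	name, err := newRoleAssignmentName()
	if err != nil {
		return AcrPullAssignment{}, err
	}
	return AcrPullAssignment{
		Scope:            scope,
		Name:             name,
		RoleDefinitionID: acrPullRoleDefinitionID(subscriptionID),
		PrincipalID:      principalID,
	}, nil
}

func main() {
	// Constructed placeholder values; real IDs come from your subscription.
	a, err := buildAcrPullAssignment("00000000-0000-0000-0000-000000000000", "my-rg", "myregistry", "<kubelet-identity-object-id>")
	if err != nil {
		panic(err)
	}
	fmt.Printf("PUT %s/providers/Microsoft.Authorization/roleAssignments/%s\n", a.Scope, a.Name)
	// With the SDK (not imported here), these values feed the call from the question:
	//   raClient.Create(ctx, a.Scope, a.Name, armauthorization.RoleAssignmentCreateParameters{
	//       Properties: &armauthorization.RoleAssignmentProperties{
	//           PrincipalID:      to.Ptr(a.PrincipalID),
	//           PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
	//           RoleDefinitionID: to.Ptr(a.RoleDefinitionID),
	//       },
	//   }, nil)
}
```

Running the program prints the request path the SDK would PUT to: the registry's resource ID followed by /providers/Microsoft.Authorization/roleAssignments/ and the new GUID, which is the shape the 405 response in the question was missing.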