Login/Register
how to view attached ACR in AKS clusters in Azure
Asked Answered
Solved azurekubernetesazure-devopsazure-container-registry
H

3

10

I have tried az aks show and az aks list commands but they don't show the names of the attached ACR's. I ran the command to attach acr using az aks update --attach-acr and it shows thats it attached.

AFter running the az aks update

Can I see through the CLI or portal that the acr is in the cluster?

Holcombe answered 23/10, 2020 at 20:6 Comment(0)
R
14

I am afraid you cannot see the attached ACR in the cluster UI portal.

When you attached the ACR to the AKS cluster using az aks update --attach-acr command.

It just assigned the ACR's AcrPull role to the service principal associated to the AKS Cluster. See here for more information.

You can get the service principal which associated to the AKS Cluster by command az aks list

enter image description here

See below screenshot. The AcrPull role was assigned to the service principal associated to the AKS Cluster.

enter image description here

If you want to use Azure CLI to check which ACR is attached to the AKS cluster. You can list all the ACRs. And then loop through the ACRs to check which one has assigned the AcrPull role to the AKS service principal. See below example:

# list all the ACR and get the ACR id
az acr list


az role assignment list --assignee <Aks service principal ID> --scope <ACR ID>
Ritualist answered 26/10, 2020 at 8:29 Comment(3)
thanks a lot, these commands worked and I do see an ACRPull role assigned to the clusterHolcombe
Where do one will see ACRPull role on protal? IAM of aks? @Levi Lu-MSFTBoon
See Step2 of this page - learn.microsoft.com/en-us/azure/role-based-access-control/… - for viewing the ACRPull role on the Azure Portal. Essentially, ACR -> Access Control (IAM) - > Role Assignments.Dungdungan
W
3

Actually, the parameter --attach-acr in the command just grant the role ACRPull to the service principal of the AKS. There is no difference from before. You only can see the service principal of the AKS. Currently, the CLI command az role assignment list cannot get the ACR directly if you do not know the ACR scope already. But you can get the principal ID first like this:

az aks show --resource-group groupName --name aksName --query identityProfile.kubeletidentity.objectId

And then use the CLI command to get the resource Id of the ACR:

az rest --method get --uri "https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01" --uri-parameters "\$filter=principalId eq 'objectId'" --query "value[0].properties.scope"

If you know the ACR resource Id, I think you know which ACR attached to the AKS clearly.

Worsham answered 26/10, 2020 at 9:16 Comment(2)
Thanks a lot, this worked too. Appreciate the time and effortHolcombe
@JobySanthosh I think my solution is more appropriate. If you know the ACR resource Id before doing the work, then why do you still want to find out which ACR attached to the AKS?!Worsham
M
3

The az aks check-acr command checks if a certain ACR is available from a specific AKS.

You have to provide both the ACR and AKS as argument, so this is not good for discovery.

You can build a small script around this that queries multiple subscriptions for their registered ACRs (you cannot pass multiple subscription argument to az acr list --subscription, you have to query the Subscriptions one-by-one), build an aggregated table of the ACRs then pass those values in a loop to az aks check-acr.

Movable answered 22/3, 2021 at 2:52 Comment(3)
I get CommandNotFoundError: 'check-acr' is misspelled or not recognized by the system., however this command is mentioned in learn.microsoft.com/en-us/cli/azure/…, so I wonder what gives?Shredding
Autocomplete completes to this command on my machine. » az aks check-acr the following arguments are required: --resource-group/-g, --name/-n, --acr what is your complete command?Movable
@MartinCapodici May be your version of Azure CLI is outdated and does not support this command yet.Unnerve

© 2022 - 2024 — McMap. All rights reserved.