No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

```    const acrRole = new azure.authorization.Assignment(`Cluster-${args.Name}-ACR-Role`, {
        principalId: ClusterServicePrincipal.id,
        scope: ContainerRegistry.id,
        roleDefinitionName: "AcrPull"
    });```
i  believe all it does is this -- grants AcrPull against the cluster's Service Principal

that's all we do and it certainly allows the cluster to pull images down

Just checked, I don't have `Service Principal` assigned. I'm using `system-assigned managed identity`.

hmm not sure then sorry, does anything like that get populated in the return object from new azureaks.cluster()

Hmm.. Actually, I don't know if Azure returning any info about `acr` when you create a cluster. I need to check. Thanks!

sorry - I meant details of the identity the cluster runs as so that you could do the above but pointing something different. perhaps cluster.identity.principalId ?

i still think you'll have to manually add the role as the terraform backing the pulumi azure project doesnt seem to list anything to do with ACR

<https://www.terraform.io/docs/providers/azurerm/r/kubernetes_cluster.html#principal_id>

oh, I see. So, Pulumi uses terraform under the hood. I'll check the docs. Thanks!