# azure
t
I did that by granting a role assignment to AKS SP:
```typescript
import * as authorization from "@pulumi/azure-nextgen/authorization/latest";

// Object ID of the cluster's kubelet managed identity (the identity the nodes use to pull images)
const clusterPrincipalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// Grant that identity the AcrPull built-in role, scoped to the container registry only
new authorization.RoleAssignment("access-from-cluster", {
    properties: {
        principalId: clusterPrincipalId,
        roleDefinitionId: "/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
    },
    roleAssignmentName: "923a52ca-a43c-5112-b7cb-12fe172d568f",
    scope: registry.id,
});
```
(my AKS has a managed identity)
c
Thanks @tall-librarian-49374 I’ve really enjoyed your pulumi tutorials. I’ll give this a try and see if that does it.
Hmmm, that’s not working for me, for a number of reasons. `new authorization.RoleAssignment` fails because it doesn’t recognize `authorization` as a valid construct, so I’m guessing that’s imported from somewhere? Anyway, it seems like it’s pointing me in a useful direction. I’m going to try some of what’s described here and see if that makes it work: https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/
t
Yeah, you need to import it from
```
@pulumi/azure-nextgen/authorization/latest
```
c
thanks, I’ll try that
a
You can also create a secret in k8s that contains your ACR docker credentials and then tell your deployment to use that secret to access your ACR when pulling private images. https://www.westerndevs.com/kubernetes/kubernetes-my-journey-part-7a/ This does not require managed identities anywhere.
c
solid, thank you
r
@tall-librarian-49374 do you have any example equivalent of this in the azure provider? Not the azure next gen provider.
t
@rapid-oil-61997 of which part specifically?
r
Finding the identity of aks cluster and using it for providing access to acr
t
no, I don’t have that
r
Ok. I was looking at some documentation which shows the way to find the identity, but couldn't find one.
@tall-librarian-49374 is there a way I can find the resource id of the managed resource group where the nodes exist in case of an aks cluster?
t
I don’t know to be honest…