This message was deleted Pulumi Community #azure

Join Slack

This message was deleted.

# azure

sparse-intern-71089

11/19/2020, 5:23 AM

This message was deleted.

tall-librarian-49374

11/19/2020, 6:39 AM

I did that by granting a role assignment to AKS SP:

Copy code

const clusterPrincipalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);
new authorization.RoleAssignment("access-from-cluster", {
    properties: {
        principalId: clusterPrincipalId,
        roleDefinitionId: "/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
    },
    roleAssignmentName: "923a52ca-a43c-5112-b7cb-12fe172d568f",
    scope: registry.id,
});

tall-librarian-49374

11/19/2020, 6:42 AM

(my AKS has a managed identity)

colossal-school-15171

11/19/2020, 6:45 PM

Thanks @tall-librarian-49374 I’ve really enjoyed your pulumi tutorials. I’ll give this a try and see if that does it.

👍 1

colossal-school-15171

11/19/2020, 7:31 PM

Hmmm, that’s not working for me, for a number of reasons. new authorization.RoleAssignment fails because it doesn’t recognize authorization as a valid construct, so I’m guessing that’s imported from somewhere? Anyway it seems like it’s pointing me in a useful direction. I’m going to try some of what’s described here and see if that makes it work https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/

tall-librarian-49374

11/19/2020, 7:35 PM

Yeah, you need to import it from

Copy code

@pulumi/azure-nextgen/authorization/latest

colossal-school-15171

11/19/2020, 9:06 PM

thanks, I’ll try that

ancient-megabyte-79588

11/19/2020, 11:00 PM

You can also create a secret in k8s that contains your ACR docker credentials and then tell your deployment to use that secret to access your ACR when pulling private images. https://www.westerndevs.com/kubernetes/kubernetes-my-journey-part-7a/ This does not require managed identities anywhere.

colossal-school-15171

11/27/2020, 9:55 PM

solid, thank you

rapid-oil-61997

12/01/2020, 7:27 PM

@tall-librarian-49374 do you have any example equivalent of this in the azure provider? Not the azure next gen provider.

tall-librarian-49374

12/01/2020, 7:53 PM

@rapid-oil-61997 of which part specifically?

rapid-oil-61997

12/01/2020, 8:09 PM

Finding the identity of aks cluster and using it for providing access to acr

tall-librarian-49374

12/01/2020, 8:17 PM

no, I don’t have that

rapid-oil-61997

12/01/2020, 8:30 PM

Ok. I was looking on some documentation which shows the way to find the identity. But couldn't find one

rapid-oil-61997

01/12/2021, 11:02 AM

@tall-librarian-49374 is there a way I can find the resource id of the managed resource group where the nodes exist in case of an aks cluster?

tall-librarian-49374

01/12/2021, 11:11 AM

I don’t know to be honest…

3 Views

Open in Slack

Previous Next