question

1 Vote
RexBenny-4311 asked Sam-4195 answered

Could not create a role assignment for ACR. Are you an Owner on this subscription?

When I try to assign the acrpull role on ACR to the AKS-generated service principal, for the AKS cluster to be able to pull images from ACR, I receive the error:

Could not create a role assignment for ACR. Are you an Owner on this subscription?

I am the owner of the subscription, assigned global admin privileges.

Commands executed as follows:

Assign the acrpull role on our ACR to the AKS-generated service principal; the AKS cluster will then be able to pull images from our ACR.

$ ACR_ID=$(az acr show -n $acr -g $rg --query id -o tsv)
$ az aks update -g $rg -n $aks --attach-acr $ACR_ID

azure-kubernetes-service azure-container-registry

@RexBenny-4311 ,

Are the AKS cluster and the ACR located in different Azure subscriptions?

Can you please share the version of Azure CLI that you are using? Are you also using aks-preview extension with Azure CLI? Please run az version to check.

Can you please confirm if the Azure RBAC Role assigned to you on the subscription(s) is one of Owner, Azure account administrator, or Azure co-administrator?

If you are, can you please try to move the .azure/aksServicePrincipal.json from its current location and try again? Reference

If you are still seeing the issue can you try logging in again using az login to refresh az CLI token and re-attempt attaching the ACR to your AKS cluster? Reference



0 Votes 0 ·

The AKS cluster and ACR are located in the same Azure subscription and resource group.
$ az version
{
  "azure-cli": "2.24.2",
  "azure-cli-core": "2.24.2",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "ai-examples": "0.2.5",
    "ssh": "0.1.5"
  }
}

I am the owner of the subscription.
When I try to move the file, I get a "no file or directory" error:
mv: cannot stat '/home/rex/.azure/aksServicePrincipal.json': No such file or directory


0 Votes 0 ·

@RexBenny-4311 , thank you for your response. I would like to understand if you are logged in to Azure as a user (Owner) when you are performing the attach ACR operation? Or are you logging in with Service Principal credentials, like maybe a job that is trying to do the attach ACR operation using a Service Principal?

Service Principals are not allowed to perform Role Assignment by default. This issue can be resolved by following either of the two methods.

Method-1

Provide Permissions on Azure AD graph API to Service Principal so that it can read information about other objects from the directory and perform Role Assignment.

Method-2

Provide Directory Readers role to Service Principal.




0 Votes 0 ·
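
A read-only diagnostic for the checks discussed in the comments above, as an added example that is not part of the original thread: it reports whether az is logged in as a user or a service principal, which identity the cluster pulls images with, and whether that identity already holds AcrPull at the registry scope. The function names and the script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch (not from the thread). Function names are
# hypothetical; every az call here is read-only.

# Prints "user" or "servicePrincipal": the kind of identity az is logged in as.
login_type() {
  az account show --query user.type -o tsv
}

# Prints the identity the cluster pulls images with. AKS reports the
# placeholder clientId "msi" when the cluster uses a managed identity; in that
# case the kubelet identity is the one that needs AcrPull.
cluster_pull_identity() {
  local rg="$1" aks="$2" sp
  sp=$(az aks show -g "$rg" -n "$aks" --query servicePrincipalProfile.clientId -o tsv)
  if [ -z "$sp" ] || [ "$sp" = "msi" ]; then
    az aks show -g "$rg" -n "$aks" --query identityProfile.kubeletidentity.objectId -o tsv
  else
    echo "$sp"
  fi
}

# Succeeds when the assignee already holds AcrPull at the registry scope.
has_acrpull() {
  local n
  n=$(az role assignment list --assignee "$1" --scope "$2" \
        --query "[?roleDefinitionName=='AcrPull'] | length(@)" -o tsv)
  [ "${n:-0}" -gt 0 ]
}

# One-line verdict for a cluster/registry pair in the same resource group.
diagnose() {
  local rg="$1" aks="$2" acr="$3" acr_id id
  acr_id=$(az acr show -n "$acr" -g "$rg" --query id -o tsv)
  id=$(cluster_pull_identity "$rg" "$aks")
  if has_acrpull "$id" "$acr_id"; then
    echo "ok: $id already has AcrPull on $acr"
  elif [ "$(login_type)" = "servicePrincipal" ]; then
    echo "blocked: az is logged in as a service principal; see Method-1/Method-2"
  else
    echo "missing: $id has no AcrPull on $acr; run az login as the Owner and retry --attach-acr"
  fi
}

# Usage: ./check-acr-attach.sh <resource-group> <aks-name> <acr-name>
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```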

1 Answer

0 Votes
Sam-4195 answered

Hi,

Could you please confirm if the above-mentioned steps can resolve the "Could not create a role assignment for ACR. Are you an Owner on this subscription?" error while attaching the AKS cluster (Managed Identity/Service Principal) to ACR?

Also, please include the steps to check if there is an existing service principal already created for the AKS cluster.

Thanks
