
Cross-Tenant ACR Image Pull Failure Using AKS Managed Identity with OIDC

RajKumar Kannan 120 Reputation points
2026-02-26T04:57:48.4633333+00:00

I have successfully tested the OIDC-based authentication method for pulling container images from Azure Container Registry (ACR) to Azure Kubernetes Service (AKS) within a single tenant, and it works as expected.

However, I am now attempting to implement the same setup in a cross-tenant scenario, where the ACR is in one tenant and the AKS cluster (with its managed identity) is in another tenant. I have assigned the AcrPull role in the ACR tenant to the managed identity associated with the AKS cluster.

Despite this configuration, I am encountering an error when trying to pull container images from ACR to AKS. I would appreciate guidance on the correct configuration for enabling cross-tenant image pulls using OIDC/Workload Identity and ensuring proper authentication between the AKS managed identity and ACR.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cloudcadi
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudcadi-sa
  namespace: cloudcadi
  annotations:
    azure.workload.identity/[CLIENTID HIDDEN]
  labels:
    azure.workload.identity/use: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudcadi-app
  namespace: cloudcadi
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloudcadi-app
  template:
    metadata:
      labels:
        app: cloudcadi-app
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: cloudcadi-sa
      containers:
        - name: cloudcadi-app
          image: rishiacrtest.azurecr.io/demo/hello-world:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: cloudcadi-app
  namespace: cloudcadi
spec:
  type: LoadBalancer
  selector:
    app: cloudcadi-app
  ports:
    - port: 80
      targetPort: 80
```

This is the YAML file used for the ACR pull.

Azure Container Registry

An Azure service that provides a registry of Docker and Open Container Initiative images.


Answer accepted by question author
    Ankit Yadav 12,205 Reputation points Microsoft External Staff Moderator
    2026-02-26T05:44:16.62+00:00

    Hello @RajKumar Kannan ,

    Please note that you can't use an AKS managed identity to attach the registry and authenticate to it when the AKS cluster and the registry are in different tenants, which is most likely why you are getting an error with your setup.


    Source: https://learn.microsoft.com/en-us/azure/container-registry/authenticate-aks-cross-tenant


    Instead of this approach, the recommended approach is to use cross-tenant AKS service principal authentication.

    High-level required steps:

    • Create a multitenant app registration in Tenant A
    • Provision that service principal in Tenant B
    • Grant it permission to pull from the registry in Tenant B
    • Update the AKS cluster to use that service principal.

    For detailed steps, please refer: https://learn.microsoft.com/en-us/azure/container-registry/authenticate-aks-cross-tenant

    or

    As an alternative approach, you could use an ImagePullSecret.

    Create a pull secret using a service principal that has AcrPull on the ACR, then reference it in the deployment. Detailed steps for this approach can be found here: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-kubernetes

    Please let us know if this answers your question or if you have any other follow-up query.

    1 person found this answer helpful.
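The ImagePullSecret alternative from the accepted answer, as an added example that is not part of the original thread or of the Microsoft documentation: it builds the `kubernetes.io/dockerconfigjson` Secret that `kubectl create secret docker-registry` would produce for the registry named in the question and adds an `imagePullSecrets` reference to the question's deployment pod spec. The service principal app id and client secret are constructed placeholders; the secret name `acr-pull` is an assumption.

```python
import base64
import json

# Constructed placeholders. A real service principal (app id + client secret)
# would be created in the ACR tenant and granted AcrPull on the registry.
SP_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) id
SP_PASSWORD = "placeholder-client-secret"            # placeholder client secret
REGISTRY = "rishiacrtest.azurecr.io"                 # registry from the question

# Minimal copy of the question's Deployment pod spec (no imagePullSecrets yet).
QUESTION_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "cloudcadi-app", "namespace": "cloudcadi"},
    "spec": {"template": {"spec": {"serviceAccountName": "cloudcadi-sa",
             "containers": [{"name": "cloudcadi-app",
                             "image": f"{REGISTRY}/demo/hello-world:v1"}]}}},
}


def build_pull_secret(name, namespace, registry, username, password):
    """Return the Secret manifest `kubectl create secret docker-registry` emits.
    For ACR the service principal app id is the username and its client
    secret is the password; the SP needs the AcrPull role on the registry."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {"auths": {registry: {
        "username": username, "password": password, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": encoded}}


def add_image_pull_secret(deployment, secret_name):
    """Reference the pull secret from the pod template; the question's
    deployment relied on the cluster identity, which cannot authenticate to
    a registry in another tenant. Idempotent: a name is only added once."""
    pod_spec = deployment["spec"]["template"]["spec"]
    refs = pod_spec.setdefault("imagePullSecrets", [])
    if not any(r.get("name") == secret_name for r in refs):
        refs.append({"name": secret_name})
    return deployment


def decode_pull_secret(secret):
    """Recover the docker config from a Secret, e.g. to verify what is applied."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


if __name__ == "__main__":
    secret = build_pull_secret("acr-pull", "cloudcadi", REGISTRY, SP_APP_ID, SP_PASSWORD)
    print(json.dumps([secret, add_image_pull_secret(QUESTION_DEPLOYMENT, "acr-pull")], indent=2))
```

The namespace in the Secret must match the namespace of the Deployment that references it, since a pull secret is only visible to pods in its own namespace.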
