Terraform: allowing AKS to use ACR

Stack Overflow user
Asked on 2020-12-15 19:59:00
Answers: 1  Views: 585  Followers: 0  Votes: 1

This is my Terraform code that creates the AKS cluster and allows it to use my ACR (in the same subscription):

Code language: hcl
# AKS cluster with a system-assigned managed identity (no service principal)
resource "azurerm_kubernetes_cluster" "aks" {
  name                      = var.aks-cluster-name
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  kubernetes_version        = "1.18.8"
  dns_prefix                = "${var.aks-cluster-name}-dns"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    enable_auto_scaling   = false
    node_count            = 3
    availability_zones    = ["1", "2", "3"]
    type                  = "VirtualMachineScaleSets"
    enable_node_public_ip = false
  }

  network_profile {
    network_plugin    = "azure"
    load_balancer_sku = "standard"
  }

  # The cluster's own identity; the kubelet identity used for image pulls is exposed
  # separately as kubelet_identity[0]
  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_workspace.id
    }
    kube_dashboard {
      enabled = false
    }
    azure_policy {
      enabled = false
    }
  }
}

# Existing registry in another resource group, looked up by name
data "azurerm_container_registry" "acr_name" {
  name                = "myacr"
  resource_group_name = "acr_rg"
}

# Grant the kubelet (node) managed identity pull rights on the registry
resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                = data.azurerm_container_registry.acr_name.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

I get this error (Status=403 Code="AuthorizationFailed"):

Code language: text
azurerm_role_assignment.aks_to_acr_role: Creating...
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxd/resourceGroups/acr_rg/providers/Microsoft.ContainerRegistry/registries/gcrclientacr/providers/Microsoft.Authorization/roleAssignments/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."

  on main.tf line 91, in resource "azurerm_role_assignment" "aks_to_acr_role":
  91: resource "azurerm_role_assignment" "aks_to_acr_role" {

I am using a managed identity for my AKS, not a service principal.

Thanks for your help.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2020-12-15 21:08:59

The problem is that the service principal running the Terraform code does not have permission to grant the AcrPull role assignment to the AKS managed identity. This is an AD permissions issue.

You can either grant the service principal (the one executing the Terraform code) an Owner role (Contributor is not enough), or grant it a custom role that has the right to perform the Microsoft.Authorization/roleAssignments/write action.

Votes: 0
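The answer's second option, a custom role instead of Owner, worked through as an added example (it is not part of the question or the answer). This is a separate bootstrap configuration meant to be applied once by someone who is already Owner on the registry or subscription, since a principal cannot grant itself these permissions. It reuses the registry name and resource group from the question; the role name, the variable holding the Terraform service principal's object id, and the inclusion of the delete action are assumptions.

```hcl
# Added example, not from the original post. Bootstrap configuration applied by an
# Owner: creates a narrowly scoped custom role and assigns it to the service
# principal that will later run the AKS/ACR Terraform code.

# Object id of the service principal that runs the main Terraform code (assumed input).
variable "terraform_sp_object_id" {
  type        = string
  description = "Object id of the service principal Terraform runs as"
}

# Registry from the question, looked up so its id can be used as the scope.
data "azurerm_container_registry" "acr_name" {
  name                = "myacr"
  resource_group_name = "acr_rg"
}

# Custom role limited to managing role assignments. The delete action is added
# (assumption) so that `terraform destroy` can remove the AcrPull assignment again.
resource "azurerm_role_definition" "acr_role_assignment_writer" {
  name        = "ACR Role Assignment Writer" # assumed display name
  scope       = data.azurerm_container_registry.acr_name.id
  description = "Create and delete role assignments on one container registry only"

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  # Only assignable on this registry, so the role cannot be reused at
  # resource-group or subscription scope.
  assignable_scopes = [
    data.azurerm_container_registry.acr_name.id,
  ]
}

# Assign the custom role to the Terraform service principal at the registry scope.
resource "azurerm_role_assignment" "terraform_sp_can_assign_on_acr" {
  scope              = data.azurerm_container_registry.acr_name.id
  role_definition_id = azurerm_role_definition.acr_role_assignment_writer.role_definition_resource_id
  principal_id       = var.terraform_sp_object_id
}
```

With this in place, the `azurerm_role_assignment.aks_to_acr_role` resource from the question succeeds without the service principal holding Owner anywhere. Keep in mind that `Microsoft.Authorization/roleAssignments/write` at a scope lets the holder assign any role at that scope, including roles on the registry itself, so scoping the custom role to the single registry (rather than the subscription) is what keeps the blast radius small; a principal with this role at subscription scope could effectively make itself Owner of the subscription.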
Original question: https://stackoverflow.com/questions/65305418