Issue of while Authenticate with Azure Container Registry from Azure Kubernetes Service

8/13/2018

I created the Azure Kubernetes Service and Azure Container Registry using Azure Portal. After that I am able to give the Grant AKS access to ACR, for that I used the below script:

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionID 'XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX'
#Get the id of the service principal configured for AKS
$AKS_RESOURCE_GROUP = "DSEU2-AKSRES-SB-DEV-RGP-01"
$AKS_CLUSTER_NAME = "DSEU2-AKSRES-SB-DEV-AKS-01"
$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name     $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)

# Get the ACR registry resource id
$ACR_NAME = "DSWEAKSRESSBDEVACR01"
$ACR_RESOURCE_GROUP = "DSWE-AKSRES-SB-DEV-RGP-01"
$ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)

#Create role assignment
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID

Whenever I am running the above PowerShell script then I am getting the exception like shown in below figure. enter image description here

For the above scenario I followed this documentation:Authenticate with Azure Container Registry from Azure Kubernetes Service

-- Pradeep
azure
azure-container-registry
azure-kubernetes
powershell

1 Answer

8/13/2018

For the command az role assignment create, the description for the argument with --assignee:

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

But what you use is the resource Id of Azure Kubernetes cluster. So you get the error.

And the link you posted, the document shows the secret in the yaml file and the secret created with the command kubectl create secret. The secret just be used for pulling the image from the Azure Container Registry.

Update

With the ERROR shows, the resource group could not be found, so you should check your resource group carefully.

And from your script, you use PowerShell command to log in and use CLI to execute. I think the subscription will not be changed for CLI. So you can check if you are in the correct subscription. PowerShell command will not change the Subscription for CLI. enter image description here

So I suggest the CLI command az account set --subscription.

-- Charles Xu
Source: StackOverflow