9

I have tried the `az aks show` and `az aks list` commands but they don't show the names of the attached ACRs. I ran the command to attach the ACR using `az aks update --attach-acr` and it shows that it's attached.

After running the az aks update

Can I see through the CLI or portal that the ACR is in the cluster?

Sascha Gottfried
Joby Santhosh

3 Answers

13

I am afraid you cannot see the attached ACR in the cluster UI portal.

When you attached the ACR to the AKS cluster using the `az aks update --attach-acr` command, it just assigned the ACR's AcrPull role to the service principal associated with the AKS cluster. See here for more information.

You can get the service principal which is associated with the AKS cluster with the command `az aks list`.


See the screenshot below. The AcrPull role was assigned to the service principal associated with the AKS cluster.


If you want to use the Azure CLI to check which ACR is attached to the AKS cluster, you can list all the ACRs and then loop through them to check which one has the AcrPull role assigned to the AKS service principal. See the example below:

# list all the ACRs and get the ACR id
az acr list

# check whether the AKS service principal has the AcrPull role on that ACR
az role assignment list --assignee <Aks service principal ID> --scope <ACR ID>
Sascha Gottfried
Levi Lu-MSFT
  • thanks a lot, these commands worked and I do see an ACRPull role assigned to the cluster – Joby Santhosh Oct 26 '20 at 13:25
  • Where will one see the ACRPull role on the portal? IAM of AKS? @Levi Lu-MSFT – user269867 Feb 11 '21 at 23:39
  • See Step 2 of this page - https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal - for viewing the ACRPull role on the Azure Portal. Essentially, ACR -> Access Control (IAM) -> Role Assignments. – GreenDroid Feb 24 '22 at 22:24
3

Actually, the parameter `--attach-acr` in the command just grants the role ACRPull to the service principal of the AKS. There is no difference from before. You can only see the service principal of the AKS. Currently, the CLI command `az role assignment list` cannot get the ACR directly if you do not already know the ACR scope. But you can get the principal ID first like this:

az aks show --resource-group groupName --name aksName --query identityProfile.kubeletidentity.objectId

And then use the CLI command to get the resource Id of the ACR:

az rest --method get --uri "https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01" --uri-parameters "\$filter=principalId eq 'objectId'" --query "value[0].properties.scope"

If you know the ACR resource Id, I think you know clearly which ACR is attached to the AKS.

Charles Xu
  • Thanks a lot, this worked too. Appreciate the time and effort – Joby Santhosh Oct 26 '20 at 13:26
  • @JobySanthosh I think my solution is more appropriate. If you know the ACR resource Id before doing the work, then why do you still want to find out which ACR is attached to the AKS?! – Charles Xu Oct 27 '20 at 01:16
3

The `az aks check-acr` command checks if a certain ACR is available from a specific AKS.

You have to provide both the ACR and AKS as arguments, so this is not good for discovery.

You can build a small script around this that queries multiple subscriptions for their registered ACRs (you cannot pass multiple subscription arguments to `az acr list --subscription`, you have to query the subscriptions one by one), builds an aggregated table of the ACRs, then passes those values in a loop to `az aks check-acr`.

karatedog
  • I get `CommandNotFoundError: 'check-acr' is misspelled or not recognized by the system.`, however this command is mentioned in https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az_aks_check_acr, so I wonder what gives? – Martin Capodici May 19 '21 at 22:25
  • Autocomplete completes to this command on my machine. `» az aks check-acr` `the following arguments are required: --resource-group/-g, --name/-n, --acr` what is your complete command? – karatedog May 20 '21 at 21:49
  • @MartinCapodici Maybe your version of Azure CLI is outdated and does not support this command yet. – Sascha Gottfried Aug 31 '21 at 11:32
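
An added example, not part of any answer above: a discovery script that combines the answers' commands and also reports registries reachable through an AcrPull assignment made on a parent scope (resource group or subscription), which a per-ACR `--scope` check does not show. The function names `match_acrs` and `audit_cluster` are hypothetical; it assumes the cluster uses a kubelet managed identity (as in the `az aks show` query above) and that only the AcrPull role matters.

```shell
#!/bin/sh
# match_acrs ASSIGNMENTS   (ACR resource ids on stdin, one per line)
#   ASSIGNMENTS: lines of "<roleDefinitionName><TAB><scope>"
# Prints "<acr id><TAB>direct|inherited" for each ACR covered by an AcrPull
# assignment. A scope covers an ACR when it equals the ACR id (direct) or is
# a parent path of it (inherited). Azure resource ids are case-insensitive.
match_acrs() {
  ASSIGNMENTS="$1" awk '
    BEGIN {
      n = split(ENVIRON["ASSIGNMENTS"], rows, "\n")
      for (i = 1; i <= n; i++) {
        split(rows[i], f, "\t")
        if (f[1] == "AcrPull" && f[2] != "") scopes[tolower(f[2])] = 1
      }
    }
    NF {
      id = tolower($0); how = ""
      for (s in scopes) {
        if (id == s) { how = "direct"; break }
        # trailing "/" stops rg-b from matching rg-bb
        if (index(id, s "/") == 1) how = "inherited"
      }
      if (how != "") print $0 "\t" how
    }'
}

# audit_cluster RESOURCE_GROUP AKS_NAME
#   Assumption: kubelet managed identity; registries in the current
#   subscription only (az acr list does not span subscriptions).
audit_cluster() {
  oid=$(az aks show --resource-group "$1" --name "$2" \
          --query identityProfile.kubeletidentity.objectId --output tsv) || return 1
  roles=$(az role assignment list --assignee "$oid" --all \
          --query "[].[roleDefinitionName, scope]" --output tsv) || return 1
  az acr list --query "[].id" --output tsv | match_acrs "$roles"
}

# Run against a live cluster only when both arguments are given.
if [ "$#" -eq 2 ]; then
  audit_cluster "$1" "$2"
fi
```

An `inherited` result means the identity can pull from every registry under that resource group or subscription, which is worth reviewing against least privilege. Assignments made at management-group scope are not matched by this prefix check.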