1

Having created an AKS cluster and ACR -- I am now trying to programatically grant the AKS cluster the AcrPull role. Currently I am attempting to do this using the RoleAssignmentsClient.Create() function from the golang SDK.

Here is what I have tried so far:

AcrPullDefinitionID := "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"
//         pulled that ^ off of: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#acrpull

providerNamespace := "/providers/Microsoft.ContainerService/managedClusters/"

scope := "/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroupName + providerNamespace + resourceName
res, err := raClient.Create(ctx, scope, roleAssigmentName, armauthorization.RoleAssignmentCreateParameters{
        Properties: &armauthorization.RoleAssignmentProperties{
            PrincipalID:      to.Ptr(clientID),
            PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
            RoleDefinitionID: to.Ptr("/subscriptions/" + subscriptionID + AcrPullDefinitionID),
    },
}, nil)

When I make the call with the above values I get the following error:

for resource: {AKSClusterName} of type: /providers/Microsoft.ContainerService/managedClusters/
Unable to create roleAssignment: PUT https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{AKSClusterName}/providers/Microsoft.Authorization/roleAssignments/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d
--------------------------------------------------------------------------------
RESPONSE 405: 405 Method Not Allowed
ERROR CODE UNAVAILABLE
--------------------------------------------------------------------------------
{
  "message": "The requested resource does not support http method 'PUT'."
}
--------------------------------------------------------------------------------

I am not sure if this is a conceptual misunderstanding or I am just using the API wrong.

Any and all help would be appreciated. Thanks!

Rutvik Saptarshi
  • 13
  • 3

1 Answers1

1

It seems that the scope you are pointing to is incorrect. When applying RBAC permissions, you need to set the scope to be the resource in which the RBAC policy should apply to.

So, if you are applying an RBAC policy for your AKS cluster to have AcrPull permissions, then the scope should be set to the resource ID of your Azure Container Registry.

pauldotyu
  • 36
  • 2
  • Another issue that I had to resolve was to populate `PrincipalID` with the ID of the service principal object associated with my app, instead of the `ApplicationID` of my app. I found [this post](https://stackoverflow.com/questions/54066287/azure-service-principal-id-vs-application-id) particularly useful in resolving that confusion. Thanks for your help! – Rutvik Saptarshi Aug 28 '23 at 18:25