
Azure golang SDK - Assign AcrPull role to AKS cluster

PHPz
2024-02-10 21:39:08


PHP editor Xinyi introduces a task in the Azure golang SDK: assigning the AcrPull role to an AKS cluster. With the role assigned, the cluster can pull and use private container images. This helps when developing and deploying containerized applications on Azure, and it keeps access to those images under control.

Question content

After creating the AKS cluster and ACR, I now try to programmatically grant the AcrPull role to the AKS cluster. Currently I'm trying to do this using the RoleAssignmentsClient.Create() function from the golang SDK.

Here's what I've tried so far:

<code>AcrPullDefinitionID := "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"
// pulled that ^ off of: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#acrpull

providerNamespace := "/providers/Microsoft.ContainerService/managedClusters/"

scope := "/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroupName + providerNamespace + resourceName
res, err := raClient.Create(ctx, scope, roleAssigmentName, armauthorization.RoleAssignmentCreateParameters{
    Properties: &armauthorization.RoleAssignmentProperties{
        PrincipalID:      to.Ptr(clientID),
        PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
        RoleDefinitionID: to.Ptr("/subscriptions/" + subscriptionID + AcrPullDefinitionID),
    },
}, nil)
</code>

When I make the call with the above values, I get the following error:

for resource: {AKSClusterName} of type: /providers/Microsoft.ContainerService/managedClusters/
Unable to create roleAssignment: PUT https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{AKSClusterName}/providers/Microsoft.Authorization/roleAssignments/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d
--------------------------------------------------------------------------------
RESPONSE 405: 405 Method Not Allowed
ERROR CODE UNAVAILABLE
--------------------------------------------------------------------------------
{
  "message": "The requested resource does not support http method 'PUT'."
}
--------------------------------------------------------------------------------

I'm not sure if this is a conceptual misunderstanding or if I'm just using the API incorrectly.

Any and all help would be greatly appreciated. Thanks!

Solution

The scope you are pointing to appears to be incorrect. When applying RBAC permissions, you need to set the scope to the resource to which the RBAC policy applies.

So if you are applying an RBAC policy for your AKS cluster to have AcrPull permissions, the scope should be set to the resource ID of the Azure Container Registry.
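The scope described in the answer, as an added example that is not part of the original question or answer and uses only the Go standard library: it builds and checks the three strings passed to `RoleAssignmentsClient.Create` (scope, role assignment name, role definition ID), scoping the grant to a single registry. `AcrPullAssignment`, `assignmentName` and the sample IDs are hypothetical; `principalID` is assumed to be the object ID of the identity the cluster pulls images with, and the name is made GUID-shaped because Azure role assignment names are GUIDs.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// AcrPull built-in role definition GUID, as given in the question.
const acrPullRoleGUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"

var (
	acrScopeRe = regexp.MustCompile(`(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.ContainerRegistry/registries/[^/]+$`)
	guidRe     = regexp.MustCompile(`(?i)^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)
)

// Assignment holds the three strings that go into RoleAssignmentsClient.Create.
type Assignment struct{ Scope, Name, RoleDefinitionID string }

// assignmentName derives a stable GUID-shaped name, so a re-run targets the same assignment.
func assignmentName(scope, principalID, roleGUID string) string {
	h := sha1.Sum([]byte(strings.ToLower(scope + "|" + principalID + "|" + roleGUID)))
	h[6] = h[6]&0x0f | 0x50 // UUID version 5 (SHA-1, name-based)
	h[8] = h[8]&0x3f | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", h[0:4], h[4:6], h[6:8], h[8:10], h[10:16])
}

// AcrPullAssignment builds the arguments for granting AcrPull on one registry only.
func AcrPullAssignment(subscriptionID, registryRG, registryName, principalID string) (Assignment, error) {
	scope := "/subscriptions/" + subscriptionID + "/resourceGroups/" + registryRG +
		"/providers/Microsoft.ContainerRegistry/registries/" + registryName
	if !acrScopeRe.MatchString(scope) { // rejects empty parts and parts containing "/"
		return Assignment{}, errors.New("scope is not a container registry resource ID: " + scope)
	}
	if !guidRe.MatchString(principalID) {
		return Assignment{}, errors.New("principalID must be an object ID (GUID)")
	}
	return Assignment{
		Scope:            scope,
		Name:             assignmentName(scope, principalID, acrPullRoleGUID),
		RoleDefinitionID: "/subscriptions/" + subscriptionID + "/providers/Microsoft.Authorization/roleDefinitions/" + acrPullRoleGUID,
	}, nil
}

func main() { // constructed sample IDs, not real resources
	fmt.Println(AcrPullAssignment("00000000-0000-0000-0000-000000000001", "rg-registry", "exampleacr", "00000000-0000-0000-0000-0000000000aa"))
}
```

The returned `Scope`, `Name` and `RoleDefinitionID` take the place of `scope`, `roleAssigmentName` and the role definition string in the question's `raClient.Create` call.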


Statement:
This article is reproduced from stackoverflow.com. If there is any infringement, please contact admin@php.cn to have it deleted.