Terraform: allow AKS to use ACR

Tags: terraform, azure-aks, terraform-provider-azure, azure-managed-identity, azure-acr

Here is my Terraform code to create an AKS cluster and allow it to use my ACR (in the same subscription); the code and the full error are listed below. I get this error (Status=403 Code="AuthorizationFailed"). I am using a managed identity, not a service principal, for AKS. Thanks for your help.

The problem is that the service principal running the Terraform code does not have permission to grant the AcrPull role assignment to the AKS managed identity. This is an AD permission issue.

Either grant the service principal (the one executing the Terraform code) the Owner role (Contributor is not enough), or grant it a custom role that has permission to perform the Microsoft.Authorization/roleAssignments/write operation.

Thanks, this code works fine when I add the API permission (Azure Data Catalog) to Terraform's service principal.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = var.aks-cluster-name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  kubernetes_version  = "1.18.8"
  dns_prefix          = "${var.aks-cluster-name}-dns"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    enable_auto_scaling   = false
    node_count            = 3
    availability_zones    = ["1", "2", "3"]
    type                  = "VirtualMachineScaleSets"
    enable_node_public_ip = false
  }

  network_profile {
    network_plugin    = "azure"
    load_balancer_sku = "standard"
  }

  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_workspace.id
    }
    kube_dashboard {
      enabled = false
    }
    azure_policy {
      enabled = false
    }
  }
}

data "azurerm_container_registry" "acr_name" {
  name                = "myacr"
  resource_group_name = "acr_rg"
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                = data.azurerm_container_registry.acr_name.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
azurerm_role_assignment.aks_to_acr_role: Creating...

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxd/resourceGroups/acr_rg/providers/Microsoft.ContainerRegistry/registries/gcrclientacr/providers/Microsoft.Authorization/roleAssignments/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."

  on main.tf line 91, in resource "azurerm_role_assignment" "aks_to_acr_role":
  91: resource "azurerm_role_assignment" "aks_to_acr_role" {
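As an added example (not code from the question or the answer), here is the least-privilege option the answer describes, written in Terraform: a custom role that grants only the role-assignment operations, scoped to the ACR's resource group, and assigned to the service principal that runs Terraform. The role name, the `acr_rg` data source and the `terraform_sp_object_id` variable are assumptions; this must be applied once by an identity that is allowed to write role definitions.

```hcl
# Added example: custom role so the Terraform service principal can create the
# AcrPull assignment without holding Owner on the subscription.
data "azurerm_resource_group" "acr_rg" {
  name = "acr_rg" # resource group that holds the ACR (from the question)
}

# Hypothetical variable: object id of the service principal that runs terraform apply.
variable "terraform_sp_object_id" {
  type = string
}

resource "azurerm_role_definition" "role_assignment_writer" {
  name  = "Terraform Role Assignment Writer" # assumed name
  scope = data.azurerm_resource_group.acr_rg.id

  permissions {
    # write is the action the 403 complained about; read and delete let
    # Terraform refresh state and later destroy the assignment it created.
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  # The definition may only be assigned inside the ACR resource group,
  # not at subscription level.
  assignable_scopes = [
    data.azurerm_resource_group.acr_rg.id,
  ]
}

resource "azurerm_role_assignment" "terraform_sp_can_assign_roles" {
  scope              = data.azurerm_resource_group.acr_rg.id
  role_definition_id = azurerm_role_definition.role_assignment_writer.role_definition_resource_id
  principal_id       = var.terraform_sp_object_id
}
```

Keep in mind that roleAssignments/write at a scope lets its holder grant any role, including Owner, at that scope, so the scope should stay as narrow as the ACR layout allows and the assignment should be reviewed like any other privileged grant.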