Terraform 地形允许AKS使用ACR_Terraform_Azure Aks_Terraform Provider Azure_Azure Managed Identity_Azure Acr

Terraform 地形允许AKS使用ACR

terraform

Terraform 地形允许AKS使用ACR,terraform,azure-aks,terraform-provider-azure,azure-managed-identity,azure-acr,Terraform,Azure Aks,Terraform Provider Azure,Azure Managed Identity,Azure Acr,这是我的地形代码，用于创建AKS群集并允许其使用我的ACR（在同一订阅中）：我收到此错误（Status=403 Code=“AuthorizationFailed”）：我使用的是托管身份，而不是AKS的主要服务感谢您的帮助。问题在于运行地形代码的服务主体无权将AcrPull角色分配授予AKS托管标识。这是一个广告许可问题要么授予服务主体（执行terraform代码的主体）所有者角色（贡献者不够）或者授予它一个自定义角色，该角色具有执行Microsoft.Authorization/rol

这是我的地形代码，用于创建AKS群集并允许其使用我的ACR（在同一订阅中）：

我收到此错误（Status=403 Code=“AuthorizationFailed”）：

我使用的是托管身份，而不是AKS的主要服务

感谢您的帮助。

问题在于运行地形代码的服务主体无权将AcrPull角色分配授予AKS托管标识。这是一个广告许可问题

要么授予服务主体（执行terraform代码的主体）所有者角色（贡献者不够）或者授予它一个自定义角色，该角色具有执行Microsoft.Authorization/roleAssignments/write操作的权限。

问题在于运行terraform代码的服务主体无权将ACRCULL角色分配授予AKS托管标识。这是一个广告许可问题

要么授予服务主体（执行terraform代码的主体）所有者角色（贡献者是不够的），要么授予其具有执行

Microsoft.Authorization/roleAssignments/write

操作权限的自定义角色。

谢谢，当我添加API权限（Azure数据目录）时，此代码运行良好感谢，当我向terraform的服务主体添加API权限（Azure数据目录）时，这段代码运行良好。

resource "azurerm_kubernetes_cluster" "aks" {
  name                      = var.aks-cluster-name
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  kubernetes_version        = "1.18.8"
  dns_prefix                = "${var.aks-cluster-name}-dns"

  default_node_pool {
    name                  = "default"
    vm_size               = "Standard_D2_v2"
    enable_auto_scaling   = false
    node_count            = 3
    availability_zones    = ["1", "2", "3"]
    type                  = "VirtualMachineScaleSets"
    enable_node_public_ip = false
  }

  network_profile {
    network_plugin = "azure"
    load_balancer_sku = "standard"
  }

  identity {
    type = "SystemAssigned"
  }

  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_workspace.id
    }
    kube_dashboard {
      enabled = false
    }
    azure_policy {
      enabled = false
    }
  }
}

data "azurerm_container_registry" "acr_name" {
  name = "myacr"
  resource_group_name = "acr_rg"
}

resource "azurerm_role_assignment" "aks_to_acr_role" {
  scope                = data.azurerm_container_registry.acr_name.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

azurerm_role_assignment.aks_to_acr_role: Creating...
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
        d/resourceGroups/acr_rg/providers/Microsoft.ContainerRegistry/registries/gcrclientacr/providers/Microsoft.Authorization/roleAssignments/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
              
    on main.tf line 91, in resource "azurerm_role_assignment" "aks_to_acr_role":
    91: resource "azurerm_role_assignment" "aks_to_acr_role" {