Commit 7000ca5

Merge pull request #10162 from MicrosoftDocs/main
Auto Publish – main to live - 2025-11-10 22:00 UTC
2 parents 6716f1a + 683e0ab commit 7000ca5

2 files changed

+124
-86
lines changed

support/azure/azure-kubernetes/error-codes/vmextensionerror-oraspullunauthorized.md

Lines changed: 17 additions & 12 deletions
@@ -37,18 +37,22 @@ To resolve this issue, follow these steps:
3737
export REGISTRY_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'bootstrapProfile.containerRegistryId' -o tsv)
3838
```
3939

40-
3. If the issue is related to a 401 error, check if the kubelet identity has the `acrpull` permission to the ACR by running the following command:
41-
42-
```console
43-
export KUBELET_IDENTITY_PRINCIPAL_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'identityProfile.kubeletidentity.clientId' -o tsv)
44-
```
45-
46-
If not, run the following command:
47-
48-
```console
49-
az role assignment create --role AcrPull --scope ${REGISTRY_ID} --assignee-object-id ${KUBELET_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal
50-
```
51-
40+
3. If the issue is related to a 401 unauthorized error, you must ensure that the AKS identity has the necessary ACR role to authorize with the registry. You can do so by checking the ACR registry's role assignments to see if there is an existing role assignment for the AKS identity.
41+
42+
To ensure that the AKS identity has permissions to the ACR registry, first obtain the AKS identity's principal ID by running the following command.
43+
44+
```console
45+
export KUBELET_IDENTITY_PRINCIPAL_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'identityProfile.kubeletidentity.clientId' -o tsv)
46+
```
47+
48+
Afterwards, assign the correct ACR role to the AKS identity. If your registry's role assignment permissions mode is "ABAC-enabled" and configured to "RBAC Registry + ABAC Repository Permissions," you must assign the `Container Registry Repository Reader` role. Otherwise, if your registry's role assignment permissions mode is not ABAC-enabled and only configured to "RBAC Registry Permissions," you must assign the `AcrPull` role. Please see https://aka.ms/acr/auth/abac for more information on ABAC-enabled ACR registries and the different roles required.
49+
50+
For ABAC-enabled registries, run the following command. For non-ABAC enabled registries, replace `Container Registry Repository Reader` in the following command with `AcrPull` instead.
51+
52+
```console
53+
az role assignment create --role "Container Registry Repository Reader" --scope ${REGISTRY_ID} --assignee-object-id ${KUBELET_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal
54+
```
55+
5256
4. If the log error indicates that the identity isn't found, manually bind the kubelet identity to the Virtual Machine Scale Set (VMSS) for a quick fix.
5357

5458
5. If the issue is related to IMDS connection time-out, submit a support ticket.
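Review bot: the ID captured into `KUBELET_IDENTITY_PRINCIPAL_ID` is still the kubelet identity's client ID (`--query 'identityProfile.kubeletidentity.clientId'`), yet the new prose calls it the principal ID and the `az role assignment create` step passes it to `--assignee-object-id`, which expects the object (principal) ID; for a managed identity those are two different GUIDs, so the assignment does not target the kubelet identity. Query `identityProfile.kubeletidentity.objectId` instead so the variable name, the prose and the flag agree. The rewritten step 3 also asks the reader to check the registry's existing role assignments for the AKS identity but shows no command for it; a line such as `az role assignment list --scope ${REGISTRY_ID} --assignee ${KUBELET_IDENTITY_PRINCIPAL_ID} -o table` before the create step would make that check concrete and also confirm afterwards that the right role (`Container Registry Repository Reader` or `AcrPull`) is present. Minor: "non-ABAC enabled" should read "non-ABAC-enabled" to match "ABAC-enabled" in the preceding paragraph, and the bare https://aka.ms/acr/auth/abac URL should be a Markdown link like the other references in the article.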
@@ -63,3 +67,4 @@ To resolve this issue, follow these steps:
6367
- [container registry authentication managed identity](/azure/container-registry/container-registry-authentication-managed-identity)
6468

6569
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
70+
