I want to have a zero-trust infrastructure, so I need to have AKS and ACR completely independent and just have a connection for pulling the images. I created a private AKS through the Azure portal (assigning a specific VNet to it), and created a private ACR too (without principal service). Then I added the acrPull role for AKS in the ACR access roles, and after that I added private access between them through the networking part of ACR. Unfortunately, when I try the az aks check-acr command it returns:
Validating image pull permission: FAILED
[2022-01-19T14:00:37Z] ACR containerregistrymaryam.azurecr.io rejected token exchange: ACR token exchange endpoint returned error status: 403. body:
The current state of permissions and connection is as below:
If you have any clue for me please let me know, thanks!
You need to assign the role AcrPull to the Kubelet Identity of your node pool and not to the AKS Identity:
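One way to do what the answer describes with the Azure CLI, as an added example that is not part of the question or the answer: it looks up the kubelet (node pool) identity of the cluster, checks whether that identity already holds AcrPull on the registry scope, assigns the role if not, and then re-runs the check. The resource group, cluster name and registry name are assumed to arrive in the environment variables RESOURCE_GROUP, AKS_NAME and ACR_NAME, with the CLI already logged in.

```shell
#!/usr/bin/env sh
# Added example (not from the question or answer). Assumes an authenticated
# Azure CLI and the variables RESOURCE_GROUP, AKS_NAME, ACR_NAME.
set -eu

# Object ID of the kubelet managed identity: the identity that actually pulls
# images on the nodes, not the cluster (control plane) identity.
kubelet_identity_object_id() {
  az aks show --resource-group "$1" --name "$2" \
    --query identityProfile.kubeletidentity.objectId --output tsv
}

# Full ARM resource ID of the registry, used as the role assignment scope.
acr_resource_id() {
  az acr show --name "$1" --query id --output tsv
}

# Succeeds when the principal ($1) already holds AcrPull on the scope ($2).
has_acr_pull() {
  count=$(az role assignment list --assignee "$1" --scope "$2" \
            --role AcrPull --query 'length(@)' --output tsv)
  [ "$count" -gt 0 ]
}

# Grant AcrPull on the registry to the cluster's kubelet identity (idempotent).
grant_acr_pull() {
  principal=$(kubelet_identity_object_id "$1" "$2")
  scope=$(acr_resource_id "$3")
  if has_acr_pull "$principal" "$scope"; then
    echo "AcrPull already assigned to kubelet identity $principal"
    return 0
  fi
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$scope" >/dev/null
  echo "granted AcrPull on $scope to kubelet identity $principal"
}

# Only act when the three settings are present, so the file can also be sourced.
if [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${AKS_NAME:-}" ] && [ -n "${ACR_NAME:-}" ]; then
  grant_acr_pull "$RESOURCE_GROUP" "$AKS_NAME" "$ACR_NAME"
  # Same check the question ran; it should now report the pull permission as OK.
  az aks check-acr --resource-group "$RESOURCE_GROUP" --name "$AKS_NAME" \
    --acr "${ACR_NAME}.azurecr.io"
fi
```

Role assignments can take a minute or two to propagate, so re-run the check if it still fails immediately after the grant.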